
Contribution guide: Get formatted RBAC roles

CARMLPipelinePrincipal edited this page Oct 1, 2022 · 6 revisions

Use this script to get the roles for a given Provider Namespace & Resource Type in the format required by either Bicep or ARM/JSON Templates in any RBAC deployment.

Location

You can find the script under /utilities/tools/Get-RoleAssignmentsList.ps1

How it works

This script

  1. Fetches all available roles from Azure
  2. Filters them down to any role that includes the provided provider namespace & resource type
  3. Goes through all provided role names, matches them with those from the Azure portal to get the matching RoleDefinitionId and provides an output string, formatted like '<roleName>': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','<roleDefinitionId>') for each match
  4. Returns the result as an object with a key for the Bicep & ARM format respectively

How to use it

The script only expects you to provide the Provider Namespace & Resource Type for which you want to fetch the roles.

  1. Run the script, for example with the parameters for Key Vault: Get-RoleAssignmentsList -ProviderNamespace 'Microsoft.KeyVault' -ResourceType 'vaults'. The output would, for example, be

    VERBOSE: Bicep
    VERBOSE: -----
     'Owner':       subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
     'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
     'Reader':      subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
     (...)
    VERBOSE:
    VERBOSE: ARM
    VERBOSE: ---
     "Owner":       "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
     "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')]",
     "Reader":      "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
     (...)
  2. Copy the output into the builtInRoleNames variable of the RBAC file. For the same example, using Bicep this would be:

    var builtInRoleNames = {
       'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
       'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
       'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
    }

For further details on how to use the function, please refer to the script's local documentation.

Note: The script must be loaded ('dot-sourced') before the function can be invoked.
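The steps under "How it works" can be reproduced with the Az PowerShell module directly. The function below is an added illustration of that flow, not the CARML script itself: it fetches the built-in role definitions, keeps those whose Actions or DataActions cover the requested resource type (wildcard roles such as Owner's '*' and Reader's '*/read' are matched too, since they also grant it), optionally narrows to the role names you pass, and returns the Bicep and ARM lines in the format shown above. It assumes Az.Resources is installed and Connect-AzAccount has been run; the function name, parameter names and the Bicep/ARM property names on the returned object are my own choices and are not those of Get-RoleAssignmentsList.

```powershell
# Added example, not part of CARML. Assumes the Az.Resources module and an
# authenticated session (Connect-AzAccount). Function and property names are
# illustrative and do not mirror utilities/tools/Get-RoleAssignmentsList.ps1.
function Get-FormattedRoleList {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string]   $ProviderNamespace,   # e.g. 'Microsoft.KeyVault'
        [Parameter(Mandatory)] [string]   $ResourceType,        # e.g. 'vaults'
        [Parameter()]          [string[]] $RoleName             # optional: keep only these role names
    )

    # 1. Fetch all role definitions visible at the current scope; keep built-in ones only
    $allRoles = Get-AzRoleDefinition | Where-Object { -not $_.IsCustom }

    # 2. Keep roles that grant something on '<namespace>/<type>'.
    #    A grant covers the type if it matches the probe action '<type>/read'
    #    (this catches '*', '*/read', 'Microsoft.KeyVault/*', 'Microsoft.KeyVault/vaults/*')
    #    or if it is a more specific action underneath the type.
    $typePath = '{0}/{1}' -f $ProviderNamespace, $ResourceType
    $relevant = foreach ($role in $allRoles) {
        $grants = @($role.Actions) + @($role.DataActions)
        $covers = $grants | Where-Object { ("$typePath/read" -like $_) -or ($_ -like "$typePath/*") }
        if ($covers) { $role }
    }

    # 3. Optionally restrict to the role names the caller asked for, then format
    if ($RoleName) {
        $relevant = $relevant | Where-Object { $_.Name -in $RoleName }
    }
    $sorted = $relevant | Sort-Object Name

    $bicep = foreach ($role in $sorted) {
        "'{0}': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{1}')" -f $role.Name, $role.Id
    }
    $arm = foreach ($role in $sorted) {
        '"{0}": "[subscriptionResourceId(''Microsoft.Authorization/roleDefinitions'', ''{1}'')]",' -f $role.Name, $role.Id
    }

    # 4. Return one object carrying both formats
    return [PSCustomObject]@{
        Bicep = $bicep
        ARM   = $arm
    }
}

# Usage: print the Bicep lines for Key Vault, then only the three roles shown on this page
(Get-FormattedRoleList -ProviderNamespace 'Microsoft.KeyVault' -ResourceType 'vaults').Bicep
(Get-FormattedRoleList -ProviderNamespace 'Microsoft.KeyVault' -ResourceType 'vaults' `
    -RoleName 'Owner', 'Contributor', 'Reader').ARM
```

Because the output is pasted into a deployment template, it is worth checking that every GUID in the result resolves to the role you expect (Get-AzRoleDefinition -Id <guid>) before committing it, and, in keeping with least privilege, pasting only the narrowest roles a consumer of the module will actually need rather than the full list.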
