1. Packages
  2. Azure Classic
  3. API Docs
  4. role
  5. Assignment

We recommend using Azure Native.

Azure Classic v5.70.0 published on Wednesday, Mar 27, 2024 by Pulumi

azure.role.Assignment

Explore with Pulumi AI

azure logo

We recommend using Azure Native.

Azure Classic v5.70.0 published on Wednesday, Mar 27, 2024 by Pulumi
    Deprecated: azure.role.Assignment has been deprecated in favor of azure.authorization.Assignment

    Assigns a given Principal (User or Group) to a given Role.

    Example Usage

    Using A Built-In Role)

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const primary = azure.core.getSubscription({});
    const example = azure.core.getClientConfig({});
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: primary.then(primary => primary.id),
        roleDefinitionName: "Reader",
        principalId: example.then(example => example.objectId),
    });
    
    import pulumi
    import pulumi_azure as azure
    
    primary = azure.core.get_subscription()
    example = azure.core.get_client_config()
    example_assignment = azure.authorization.Assignment("example",
        scope=primary.id,
        role_definition_name="Reader",
        principal_id=example.object_id)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		primary, err := core.LookupSubscription(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		example, err := core.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		_, err = authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              pulumi.String(primary.Id),
    			RoleDefinitionName: pulumi.String("Reader"),
    			PrincipalId:        pulumi.String(example.ObjectId),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var primary = Azure.Core.GetSubscription.Invoke();
    
        var example = Azure.Core.GetClientConfig.Invoke();
    
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            RoleDefinitionName = "Reader",
            PrincipalId = example.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.CoreFunctions;
    import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var primary = CoreFunctions.getSubscription();
    
            final var example = CoreFunctions.getClientConfig();
    
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()        
                .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .roleDefinitionName("Reader")
                .principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .build());
    
        }
    }
    
    resources:
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${primary.id}
          roleDefinitionName: Reader
          principalId: ${example.objectId}
    variables:
      primary:
        fn::invoke:
          Function: azure:core:getSubscription
          Arguments: {}
      example:
        fn::invoke:
          Function: azure:core:getClientConfig
          Arguments: {}
    

    Custom Role & Service Principal)

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const primary = azure.core.getSubscription({});
    const example = azure.core.getClientConfig({});
    const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
        roleDefinitionId: "00000000-0000-0000-0000-000000000000",
        name: "my-custom-role-definition",
        scope: primary.then(primary => primary.id),
        permissions: [{
            actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
            notActions: [],
        }],
        assignableScopes: [primary.then(primary => primary.id)],
    });
    const exampleAssignment = new azure.authorization.Assignment("example", {
        name: "00000000-0000-0000-0000-000000000000",
        scope: primary.then(primary => primary.id),
        roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
        principalId: example.then(example => example.objectId),
    });
    
    import pulumi
    import pulumi_azure as azure
    
    primary = azure.core.get_subscription()
    example = azure.core.get_client_config()
    example_role_definition = azure.authorization.RoleDefinition("example",
        role_definition_id="00000000-0000-0000-0000-000000000000",
        name="my-custom-role-definition",
        scope=primary.id,
        permissions=[azure.authorization.RoleDefinitionPermissionArgs(
            actions=["Microsoft.Resources/subscriptions/resourceGroups/read"],
            not_actions=[],
        )],
        assignable_scopes=[primary.id])
    example_assignment = azure.authorization.Assignment("example",
        name="00000000-0000-0000-0000-000000000000",
        scope=primary.id,
        role_definition_id=example_role_definition.role_definition_resource_id,
        principal_id=example.object_id)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		primary, err := core.LookupSubscription(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		example, err := core.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
    			RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
    			Name:             pulumi.String("my-custom-role-definition"),
    			Scope:            pulumi.String(primary.Id),
    			Permissions: authorization.RoleDefinitionPermissionArray{
    				&authorization.RoleDefinitionPermissionArgs{
    					Actions: pulumi.StringArray{
    						pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
    					},
    					NotActions: pulumi.StringArray{},
    				},
    			},
    			AssignableScopes: pulumi.StringArray{
    				pulumi.String(primary.Id),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Name:             pulumi.String("00000000-0000-0000-0000-000000000000"),
    			Scope:            pulumi.String(primary.Id),
    			RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
    			PrincipalId:      pulumi.String(example.ObjectId),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var primary = Azure.Core.GetSubscription.Invoke();
    
        var example = Azure.Core.GetClientConfig.Invoke();
    
        var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("example", new()
        {
            RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
            Name = "my-custom-role-definition",
            Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            Permissions = new[]
            {
                new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
                {
                    Actions = new[]
                    {
                        "Microsoft.Resources/subscriptions/resourceGroups/read",
                    },
                    NotActions = new() { },
                },
            },
            AssignableScopes = new[]
            {
                primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            },
        });
    
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Name = "00000000-0000-0000-0000-000000000000",
            Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
            PrincipalId = example.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.CoreFunctions;
    import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
    import com.pulumi.azure.authorization.RoleDefinition;
    import com.pulumi.azure.authorization.RoleDefinitionArgs;
    import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var primary = CoreFunctions.getSubscription();
    
            final var example = CoreFunctions.getClientConfig();
    
            var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()        
                .roleDefinitionId("00000000-0000-0000-0000-000000000000")
                .name("my-custom-role-definition")
                .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .permissions(RoleDefinitionPermissionArgs.builder()
                    .actions("Microsoft.Resources/subscriptions/resourceGroups/read")
                    .notActions()
                    .build())
                .assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .build());
    
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()        
                .name("00000000-0000-0000-0000-000000000000")
                .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
                .principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .build());
    
        }
    }
    
    resources:
      exampleRoleDefinition:
        type: azure:authorization:RoleDefinition
        name: example
        properties:
          roleDefinitionId: 00000000-0000-0000-0000-000000000000
          name: my-custom-role-definition
          scope: ${primary.id}
          permissions:
            - actions:
                - Microsoft.Resources/subscriptions/resourceGroups/read
              notActions: []
          assignableScopes:
            - ${primary.id}
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          name: 00000000-0000-0000-0000-000000000000
          scope: ${primary.id}
          roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
          principalId: ${example.objectId}
    variables:
      primary:
        fn::invoke:
          Function: azure:core:getSubscription
          Arguments: {}
      example:
        fn::invoke:
          Function: azure:core:getClientConfig
          Arguments: {}
    

    Custom Role & User)

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const primary = azure.core.getSubscription({});
    const example = azure.core.getClientConfig({});
    const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
        roleDefinitionId: "00000000-0000-0000-0000-000000000000",
        name: "my-custom-role-definition",
        scope: primary.then(primary => primary.id),
        permissions: [{
            actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
            notActions: [],
        }],
        assignableScopes: [primary.then(primary => primary.id)],
    });
    const exampleAssignment = new azure.authorization.Assignment("example", {
        name: "00000000-0000-0000-0000-000000000000",
        scope: primary.then(primary => primary.id),
        roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
        principalId: example.then(example => example.objectId),
    });
    
    import pulumi
    import pulumi_azure as azure
    
    primary = azure.core.get_subscription()
    example = azure.core.get_client_config()
    example_role_definition = azure.authorization.RoleDefinition("example",
        role_definition_id="00000000-0000-0000-0000-000000000000",
        name="my-custom-role-definition",
        scope=primary.id,
        permissions=[azure.authorization.RoleDefinitionPermissionArgs(
            actions=["Microsoft.Resources/subscriptions/resourceGroups/read"],
            not_actions=[],
        )],
        assignable_scopes=[primary.id])
    example_assignment = azure.authorization.Assignment("example",
        name="00000000-0000-0000-0000-000000000000",
        scope=primary.id,
        role_definition_id=example_role_definition.role_definition_resource_id,
        principal_id=example.object_id)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		primary, err := core.LookupSubscription(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		example, err := core.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
    			RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
    			Name:             pulumi.String("my-custom-role-definition"),
    			Scope:            pulumi.String(primary.Id),
    			Permissions: authorization.RoleDefinitionPermissionArray{
    				&authorization.RoleDefinitionPermissionArgs{
    					Actions: pulumi.StringArray{
    						pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
    					},
    					NotActions: pulumi.StringArray{},
    				},
    			},
    			AssignableScopes: pulumi.StringArray{
    				pulumi.String(primary.Id),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Name:             pulumi.String("00000000-0000-0000-0000-000000000000"),
    			Scope:            pulumi.String(primary.Id),
    			RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
    			PrincipalId:      pulumi.String(example.ObjectId),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var primary = Azure.Core.GetSubscription.Invoke();
    
        var example = Azure.Core.GetClientConfig.Invoke();
    
        var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("example", new()
        {
            RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
            Name = "my-custom-role-definition",
            Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            Permissions = new[]
            {
                new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
                {
                    Actions = new[]
                    {
                        "Microsoft.Resources/subscriptions/resourceGroups/read",
                    },
                    NotActions = new() { },
                },
            },
            AssignableScopes = new[]
            {
                primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            },
        });
    
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Name = "00000000-0000-0000-0000-000000000000",
            Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
            PrincipalId = example.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.CoreFunctions;
    import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
    import com.pulumi.azure.authorization.RoleDefinition;
    import com.pulumi.azure.authorization.RoleDefinitionArgs;
    import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var primary = CoreFunctions.getSubscription();
    
            final var example = CoreFunctions.getClientConfig();
    
            var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()        
                .roleDefinitionId("00000000-0000-0000-0000-000000000000")
                .name("my-custom-role-definition")
                .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .permissions(RoleDefinitionPermissionArgs.builder()
                    .actions("Microsoft.Resources/subscriptions/resourceGroups/read")
                    .notActions()
                    .build())
                .assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .build());
    
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()        
                .name("00000000-0000-0000-0000-000000000000")
                .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
                .principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .build());
    
        }
    }
    
    resources:
      exampleRoleDefinition:
        type: azure:authorization:RoleDefinition
        name: example
        properties:
          roleDefinitionId: 00000000-0000-0000-0000-000000000000
          name: my-custom-role-definition
          scope: ${primary.id}
          permissions:
            - actions:
                - Microsoft.Resources/subscriptions/resourceGroups/read
              notActions: []
          assignableScopes:
            - ${primary.id}
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          name: 00000000-0000-0000-0000-000000000000
          scope: ${primary.id}
          roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
          principalId: ${example.objectId}
    variables:
      primary:
        fn::invoke:
          Function: azure:core:getSubscription
          Arguments: {}
      example:
        fn::invoke:
          Function: azure:core:getClientConfig
          Arguments: {}
    

    Custom Role & Management Group)

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const primary = azure.core.getSubscription({});
    const example = azure.core.getClientConfig({});
    const exampleGetGroup = azure.management.getGroup({
        name: "00000000-0000-0000-0000-000000000000",
    });
    const exampleRoleDefinition = new azure.authorization.RoleDefinition("example", {
        roleDefinitionId: "00000000-0000-0000-0000-000000000000",
        name: "my-custom-role-definition",
        scope: primary.then(primary => primary.id),
        permissions: [{
            actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
            notActions: [],
        }],
        assignableScopes: [primary.then(primary => primary.id)],
    });
    const exampleAssignment = new azure.authorization.Assignment("example", {
        name: "00000000-0000-0000-0000-000000000000",
        scope: primaryAzurermManagementGroup.id,
        roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
        principalId: example.then(example => example.objectId),
    });
    
    import pulumi
    import pulumi_azure as azure
    
    primary = azure.core.get_subscription()
    example = azure.core.get_client_config()
    example_get_group = azure.management.get_group(name="00000000-0000-0000-0000-000000000000")
    example_role_definition = azure.authorization.RoleDefinition("example",
        role_definition_id="00000000-0000-0000-0000-000000000000",
        name="my-custom-role-definition",
        scope=primary.id,
        permissions=[azure.authorization.RoleDefinitionPermissionArgs(
            actions=["Microsoft.Resources/subscriptions/resourceGroups/read"],
            not_actions=[],
        )],
        assignable_scopes=[primary.id])
    example_assignment = azure.authorization.Assignment("example",
        name="00000000-0000-0000-0000-000000000000",
        scope=primary_azurerm_management_group["id"],
        role_definition_id=example_role_definition.role_definition_resource_id,
        principal_id=example.object_id)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/management"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		primary, err := core.LookupSubscription(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		example, err := core.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		_, err = management.LookupGroup(ctx, &management.LookupGroupArgs{
    			Name: pulumi.StringRef("00000000-0000-0000-0000-000000000000"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "example", &authorization.RoleDefinitionArgs{
    			RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
    			Name:             pulumi.String("my-custom-role-definition"),
    			Scope:            pulumi.String(primary.Id),
    			Permissions: authorization.RoleDefinitionPermissionArray{
    				&authorization.RoleDefinitionPermissionArgs{
    					Actions: pulumi.StringArray{
    						pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
    					},
    					NotActions: pulumi.StringArray{},
    				},
    			},
    			AssignableScopes: pulumi.StringArray{
    				pulumi.String(primary.Id),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Name:             pulumi.String("00000000-0000-0000-0000-000000000000"),
    			Scope:            pulumi.Any(primaryAzurermManagementGroup.Id),
    			RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
    			PrincipalId:      pulumi.String(example.ObjectId),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var primary = Azure.Core.GetSubscription.Invoke();
    
        var example = Azure.Core.GetClientConfig.Invoke();
    
        var exampleGetGroup = Azure.Management.GetGroup.Invoke(new()
        {
            Name = "00000000-0000-0000-0000-000000000000",
        });
    
        var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("example", new()
        {
            RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
            Name = "my-custom-role-definition",
            Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            Permissions = new[]
            {
                new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
                {
                    Actions = new[]
                    {
                        "Microsoft.Resources/subscriptions/resourceGroups/read",
                    },
                    NotActions = new() { },
                },
            },
            AssignableScopes = new[]
            {
                primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
            },
        });
    
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Name = "00000000-0000-0000-0000-000000000000",
            Scope = primaryAzurermManagementGroup.Id,
            RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
            PrincipalId = example.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.CoreFunctions;
    import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
    import com.pulumi.azure.management.ManagementFunctions;
    import com.pulumi.azure.management.inputs.GetGroupArgs;
    import com.pulumi.azure.authorization.RoleDefinition;
    import com.pulumi.azure.authorization.RoleDefinitionArgs;
    import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var primary = CoreFunctions.getSubscription();
    
            final var example = CoreFunctions.getClientConfig();
    
            final var exampleGetGroup = ManagementFunctions.getGroup(GetGroupArgs.builder()
                .name("00000000-0000-0000-0000-000000000000")
                .build());
    
            var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()        
                .roleDefinitionId("00000000-0000-0000-0000-000000000000")
                .name("my-custom-role-definition")
                .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .permissions(RoleDefinitionPermissionArgs.builder()
                    .actions("Microsoft.Resources/subscriptions/resourceGroups/read")
                    .notActions()
                    .build())
                .assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
                .build());
    
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()        
                .name("00000000-0000-0000-0000-000000000000")
                .scope(primaryAzurermManagementGroup.id())
                .roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
                .principalId(example.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .build());
    
        }
    }
    
    resources:
      exampleRoleDefinition:
        type: azure:authorization:RoleDefinition
        name: example
        properties:
          roleDefinitionId: 00000000-0000-0000-0000-000000000000
          name: my-custom-role-definition
          scope: ${primary.id}
          permissions:
            - actions:
                - Microsoft.Resources/subscriptions/resourceGroups/read
              notActions: []
          assignableScopes:
            - ${primary.id}
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          name: 00000000-0000-0000-0000-000000000000
          scope: ${primaryAzurermManagementGroup.id}
          roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
          principalId: ${example.objectId}
    variables:
      primary:
        fn::invoke:
          Function: azure:core:getSubscription
          Arguments: {}
      example:
        fn::invoke:
          Function: azure:core:getClientConfig
          Arguments: {}
      exampleGetGroup:
        fn::invoke:
          Function: azure:management:getGroup
          Arguments:
            name: 00000000-0000-0000-0000-000000000000
    

    Create Assignment Resource

    new Assignment(name: string, args: AssignmentArgs, opts?: CustomResourceOptions);
    @overload
    def Assignment(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   condition: Optional[str] = None,
                   condition_version: Optional[str] = None,
                   delegated_managed_identity_resource_id: Optional[str] = None,
                   description: Optional[str] = None,
                   name: Optional[str] = None,
                   principal_id: Optional[str] = None,
                   principal_type: Optional[str] = None,
                   role_definition_id: Optional[str] = None,
                   role_definition_name: Optional[str] = None,
                   scope: Optional[str] = None,
                   skip_service_principal_aad_check: Optional[bool] = None)
    @overload
    def Assignment(resource_name: str,
                   args: AssignmentArgs,
                   opts: Optional[ResourceOptions] = None)
    func NewAssignment(ctx *Context, name string, args AssignmentArgs, opts ...ResourceOption) (*Assignment, error)
    public Assignment(string name, AssignmentArgs args, CustomResourceOptions? opts = null)
    public Assignment(String name, AssignmentArgs args)
    public Assignment(String name, AssignmentArgs args, CustomResourceOptions options)
    
    type: azure:role:Assignment
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args AssignmentArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args AssignmentArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args AssignmentArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args AssignmentArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args AssignmentArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Assignment Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Assignment resource accepts the following input properties:

    PrincipalId string

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    Scope string
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    Condition string
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    ConditionVersion string
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    DelegatedManagedIdentityResourceId string

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    Description string
    The description for this Role Assignment. Changing this forces a new resource to be created.
    Name string
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    PrincipalType string

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    RoleDefinitionId string
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    RoleDefinitionName string
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    SkipServicePrincipalAadCheck bool

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    PrincipalId string

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    Scope string
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    Condition string
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    ConditionVersion string
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    DelegatedManagedIdentityResourceId string

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    Description string
    The description for this Role Assignment. Changing this forces a new resource to be created.
    Name string
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    PrincipalType string

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    RoleDefinitionId string
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    RoleDefinitionName string
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    SkipServicePrincipalAadCheck bool

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    principalId String

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    scope String
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    condition String
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    conditionVersion String
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    delegatedManagedIdentityResourceId String

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    description String
    The description for this Role Assignment. Changing this forces a new resource to be created.
    name String
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    principalType String

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    roleDefinitionId String
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    roleDefinitionName String
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    skipServicePrincipalAadCheck Boolean

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    principalId string

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    scope string
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    condition string
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    conditionVersion string
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    delegatedManagedIdentityResourceId string

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    description string
    The description for this Role Assignment. Changing this forces a new resource to be created.
    name string
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    principalType string

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    roleDefinitionId string
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    roleDefinitionName string
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    skipServicePrincipalAadCheck boolean

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    principal_id str

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    scope str
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    condition str
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    condition_version str
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    delegated_managed_identity_resource_id str

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    description str
    The description for this Role Assignment. Changing this forces a new resource to be created.
    name str
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    principal_type str

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    role_definition_id str
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    role_definition_name str
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    skip_service_principal_aad_check bool

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    principalId String

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    scope String
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    condition String
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    conditionVersion String
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    delegatedManagedIdentityResourceId String

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    description String
    The description for this Role Assignment. Changing this forces a new resource to be created.
    name String
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    principalType String

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    roleDefinitionId String
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    roleDefinitionName String
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    skipServicePrincipalAadCheck Boolean

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Assignment resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Assignment Resource

    Get an existing Assignment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: AssignmentState, opts?: CustomResourceOptions): Assignment
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            condition: Optional[str] = None,
            condition_version: Optional[str] = None,
            delegated_managed_identity_resource_id: Optional[str] = None,
            description: Optional[str] = None,
            name: Optional[str] = None,
            principal_id: Optional[str] = None,
            principal_type: Optional[str] = None,
            role_definition_id: Optional[str] = None,
            role_definition_name: Optional[str] = None,
            scope: Optional[str] = None,
            skip_service_principal_aad_check: Optional[bool] = None) -> Assignment
    func GetAssignment(ctx *Context, name string, id IDInput, state *AssignmentState, opts ...ResourceOption) (*Assignment, error)
    public static Assignment Get(string name, Input<string> id, AssignmentState? state, CustomResourceOptions? opts = null)
    public static Assignment get(String name, Output<String> id, AssignmentState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Condition string
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    ConditionVersion string
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    DelegatedManagedIdentityResourceId string

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    Description string
    The description for this Role Assignment. Changing this forces a new resource to be created.
    Name string
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    PrincipalId string

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    PrincipalType string

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    RoleDefinitionId string
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    RoleDefinitionName string
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    Scope string
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    SkipServicePrincipalAadCheck bool

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    Condition string
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    ConditionVersion string
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    DelegatedManagedIdentityResourceId string

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    Description string
    The description for this Role Assignment. Changing this forces a new resource to be created.
    Name string
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    PrincipalId string

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    PrincipalType string

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    RoleDefinitionId string
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    RoleDefinitionName string
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    Scope string
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    SkipServicePrincipalAadCheck bool

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    condition String
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    conditionVersion String
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    delegatedManagedIdentityResourceId String

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    description String
    The description for this Role Assignment. Changing this forces a new resource to be created.
    name String
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    principalId String

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    principalType String

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    roleDefinitionId String
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    roleDefinitionName String
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    scope String
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    skipServicePrincipalAadCheck Boolean

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    condition string
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    conditionVersion string
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    delegatedManagedIdentityResourceId string

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    description string
    The description for this Role Assignment. Changing this forces a new resource to be created.
    name string
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    principalId string

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    principalType string

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    roleDefinitionId string
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    roleDefinitionName string
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    scope string
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    skipServicePrincipalAadCheck boolean

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    condition str
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    condition_version str
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    delegated_managed_identity_resource_id str

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    description str
    The description for this Role Assignment. Changing this forces a new resource to be created.
    name str
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    principal_id str

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    principal_type str

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    role_definition_id str
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    role_definition_name str
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    scope str
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    skip_service_principal_aad_check bool

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    condition String
    The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
    conditionVersion String
    The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.
    delegatedManagedIdentityResourceId String

    The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

    NOTE: this field is only used in cross tenant scenario.

    description String
    The description for this Role Assignment. Changing this forces a new resource to be created.
    name String
    A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
    principalId String

    The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

    NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).

    principalType String

    The type of the principal_id. Possible values are User, Group and ServicePrincipal. Changing this forces a new resource to be created. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.

    NOTE: If one of condition or condition_version is set both fields must be present.

    roleDefinitionId String
    The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.
    roleDefinitionName String
    The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.
    scope String
    The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.
    skipServicePrincipalAadCheck Boolean

    If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

    NOTE: If it is not a Service Principal identity it will cause the role assignment to fail.

    Import

    Role Assignments can be imported using the resource id, e.g.

    $ pulumi import azure:role/assignment:Assignment example /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
    
    • for scope Subscription, the id format is /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000

    • for scope Resource Group, the id format is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000

    • for scope referencing a Key Vault, the id format is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.KeyVault/vaults/vaultname/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000

    text

    /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000|00000000-0000-0000-0000-000000000000

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azurerm Terraform Provider.
    azure logo

    We recommend using Azure Native.

    Azure Classic v5.70.0 published on Wednesday, Mar 27, 2024 by Pulumi