role

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-azure repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-azurerm repo.

class pulumi_azure.role.Assignment(resource_name, opts=None, name=None, principal_id=None, role_definition_id=None, role_definition_name=None, scope=None, skip_service_principal_aad_check=None, __props__=None, __name__=None, __opts__=None)

Assigns a given Principal (User or Application) to a given Role.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

  • principal_id (pulumi.Input[str]) – The ID of the Principal (User, Group, Service Principal, or Application) to assign the Role Definition to. Changing this forces a new resource to be created.

  • role_definition_id (pulumi.Input[str]) – The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

  • role_definition_name (pulumi.Input[str]) – The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

  • scope (pulumi.Input[str]) – The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

  • skip_service_principal_aad_check (pulumi.Input[bool]) – If the principal_id is a newly provisioned Service Principal, set this value to true to skip the Azure Active Directory check, which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity; if it is not, the role assignment will fail. Defaults to false.
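A pre-deployment check over the arguments above, added here as an example (it is not part of pulumi_azure or the AzureRM provider): it classifies scope against the four forms listed for that parameter, reports the role_definition_id / role_definition_name conflict, and flags broad built-in roles granted at subscription or management-group scope. The names scope_level, review_assignment, BROAD_ROLES and BROAD_LEVELS are hypothetical, and the choice of which roles count as broad is an assumption.

```python
import re

# The four scope forms from the scope parameter description, broadest first.
_SUB = r"/subscriptions/[0-9a-f-]{36}"
SCOPE_FORMS = [
    ("management_group", r"/providers/Microsoft\.Management/managementGroups/[^/]+"),
    ("subscription", _SUB),
    ("resource_group", _SUB + r"/resourceGroups/[^/]+"),
    ("resource", _SUB + r"/resourceGroups/[^/]+/providers/[^/]+/.+"),
]
# Assumption of this example: which built-in roles and levels count as broad.
BROAD_ROLES = {"Owner", "Contributor"}
BROAD_LEVELS = {"management_group", "subscription"}


def scope_level(scope):
    """Return the level of a scope string, or None if it matches no listed form."""
    for level, pattern in SCOPE_FORMS:
        if re.fullmatch(pattern, scope or "", re.IGNORECASE):
            return level
    return None


def review_assignment(args):
    """Return findings for the keyword arguments of one role Assignment."""
    findings = []
    role_id = args.get("role_definition_id")
    role_name = args.get("role_definition_name")
    if role_id and role_name:
        findings.append("role_definition_id conflicts with role_definition_name")
    elif not role_id and not role_name:
        findings.append("neither role_definition_id nor role_definition_name is set")
    level = scope_level(args.get("scope"))
    if level is None:
        findings.append("scope matches none of the listed forms")
    elif level in BROAD_LEVELS and role_name in BROAD_ROLES:
        findings.append(f"{role_name} granted at {level} scope")
    return findings


# Constructed sample input; the subscription ID is the placeholder used on this page.
SUB = "/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333"
SAMPLES = [
    {"scope": SUB, "principal_id": "example-principal", "role_definition_name": "Owner"},
    {"scope": SUB + "/resourceGroups/myGroup", "principal_id": "example-principal",
     "role_definition_name": "Reader"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["scope"], "->", review_assignment(sample) or "ok")
```
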

name = None

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

principal_id = None

The ID of the Principal (User, Group, Service Principal, or Application) to assign the Role Definition to. Changing this forces a new resource to be created.

principal_type = None

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

role_definition_id = None

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

role_definition_name = None

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

scope = None

The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

skip_service_principal_aad_check = None

If the principal_id is a newly provisioned Service Principal, set this value to true to skip the Azure Active Directory check, which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity; if it is not, the role assignment will fail. Defaults to false.

static get(resource_name, id, opts=None, name=None, principal_id=None, principal_type=None, role_definition_id=None, role_definition_name=None, scope=None, skip_service_principal_aad_check=None)

Get an existing Assignment resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

  • principal_id (pulumi.Input[str]) – The ID of the Principal (User, Group, Service Principal, or Application) to assign the Role Definition to. Changing this forces a new resource to be created.

  • principal_type (pulumi.Input[str]) – The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

  • role_definition_id (pulumi.Input[str]) – The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

  • role_definition_name (pulumi.Input[str]) – The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

  • scope (pulumi.Input[str]) – The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

  • skip_service_principal_aad_check (pulumi.Input[bool]) – If the principal_id is a newly provisioned Service Principal, set this value to true to skip the Azure Active Directory check, which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity; if it is not, the role assignment will fail. Defaults to false.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.role.AwaitableGetBuiltinRoleDefinitionResult(assignable_scopes=None, description=None, name=None, permissions=None, type=None, id=None)
class pulumi_azure.role.AwaitableGetRoleDefinitionResult(assignable_scopes=None, description=None, name=None, permissions=None, role_definition_id=None, scope=None, type=None, id=None)
class pulumi_azure.role.Definition(resource_name, opts=None, assignable_scopes=None, description=None, name=None, permissions=None, role_definition_id=None, scope=None, __props__=None, __name__=None, __opts__=None)

Manages a custom Role Definition, used to assign Roles to Users/Principals. See ‘Understand role definitions’ in the Azure documentation for more details.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • assignable_scopes (pulumi.Input[list]) – One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

  • description (pulumi.Input[str]) – A description of the Role Definition.

  • name (pulumi.Input[str]) – The name of the Role Definition. Changing this forces a new resource to be created.

  • permissions (pulumi.Input[list]) – A permissions block as defined below.

  • role_definition_id (pulumi.Input[str]) – A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

  • scope (pulumi.Input[str]) – The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Changing this forces a new resource to be created.

The permissions object supports the following:

  • actions (pulumi.Input[list])

  • dataActions (pulumi.Input[list])

  • notActions (pulumi.Input[list])

  • notDataActions (pulumi.Input[list])
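How the four lists of a permissions block combine when Azure evaluates a role definition, as an added example (not code from pulumi_azure or the provider): an operation is granted when it matches actions (or dataActions) and does not match notActions (or notDataActions), with `*` as a wildcard. The function names and the VM_OPERATOR sample are hypothetical, and the model covers a single role definition only.

```python
import re


def _matches(patterns, operation):
    """True if operation matches any pattern; '*' is a wildcard, case is ignored."""
    for pattern in patterns or []:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, operation, re.IGNORECASE):
            return True
    return False


def is_granted(permissions, operation, data_plane=False):
    """Evaluate one role definition: allowed patterns minus the not* patterns."""
    allow, exclude = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    return any(
        _matches(block.get(allow), operation) and not _matches(block.get(exclude), operation)
        for block in permissions
    )


def broad_patterns(permissions):
    """List allow patterns that are '*' or cover a whole resource provider."""
    found = []
    for block in permissions:
        for key in ("actions", "dataActions"):
            for pattern in block.get(key) or []:
                if pattern == "*" or re.fullmatch(r"[^/]+/\*", pattern):
                    found.append((key, pattern))
    return found


# Constructed sample: a custom role that can manage VMs but not delete them.
VM_OPERATOR = [{
    "actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Resources/*"],
    "notActions": ["Microsoft.Compute/virtualMachines/delete"],
    "dataActions": [],
    "notDataActions": [],
}]

if __name__ == "__main__":
    for op in ("Microsoft.Compute/virtualMachines/start/action",
               "Microsoft.Compute/virtualMachines/delete"):
        print(op, "->", is_granted(VM_OPERATOR, op))
    print("broad:", broad_patterns(VM_OPERATOR))
```

An entry in notActions only subtracts from this role's own actions; it is not a deny, so a second role assignment on the same principal can still grant the excluded operation.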

assignable_scopes = None

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

description = None

A description of the Role Definition.

name = None

The name of the Role Definition. Changing this forces a new resource to be created.

permissions = None

A permissions block as defined below.

  • actions (list)

  • dataActions (list)

  • notActions (list)

  • notDataActions (list)

role_definition_id = None

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

scope = None

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Changing this forces a new resource to be created.

static get(resource_name, id, opts=None, assignable_scopes=None, description=None, name=None, permissions=None, role_definition_id=None, scope=None)

Get an existing Definition resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • assignable_scopes (pulumi.Input[list]) – One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

  • description (pulumi.Input[str]) – A description of the Role Definition.

  • name (pulumi.Input[str]) – The name of the Role Definition. Changing this forces a new resource to be created.

  • permissions (pulumi.Input[list]) – A permissions block as defined below.

  • role_definition_id (pulumi.Input[str]) – A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

  • scope (pulumi.Input[str]) – The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. Changing this forces a new resource to be created.

The permissions object supports the following:

  • actions (pulumi.Input[list])

  • dataActions (pulumi.Input[list])

  • notActions (pulumi.Input[list])

  • notDataActions (pulumi.Input[list])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.role.GetBuiltinRoleDefinitionResult(assignable_scopes=None, description=None, name=None, permissions=None, type=None, id=None)

A collection of values returned by getBuiltinRoleDefinition.

assignable_scopes = None

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

description = None

The Description of the built-in Role.

permissions = None

A permissions block as documented below.

type = None

The Type of the Role.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_azure.role.GetRoleDefinitionResult(assignable_scopes=None, description=None, name=None, permissions=None, role_definition_id=None, scope=None, type=None, id=None)

A collection of values returned by getRoleDefinition.

assignable_scopes = None

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

description = None

The Description of the built-in Role.

permissions = None

A permissions block as documented below.

type = None

The Type of the Role.

id = None

id is the provider-assigned unique ID for this managed resource.

pulumi_azure.role.get_builtin_role_definition(name=None, opts=None)

Use this data source to access information about a built-in Role Definition. To access information about a custom Role Definition, please see the authorization.RoleDefinition data source instead.

NOTE: This data source has been deprecated in favour of authorization.RoleDefinition, which can now look up role definitions by name. As such, this data source will be removed in version 2.0 of the AzureRM Provider.

Parameters

name (str) – Specifies the name of the built-in Role Definition. Possible values are: Contributor, Owner, Reader and VirtualMachineContributor.

pulumi_azure.role.get_role_definition(name=None, role_definition_id=None, scope=None, opts=None)

Use this data source to access information about an existing Role Definition.

Parameters
  • name (str) – Specifies the Name of either a built-in or custom Role Definition.

  • role_definition_id (str) – Specifies the ID of the Role Definition as a UUID/GUID.

  • scope (str) – Specifies the Scope at which the Custom Role Definition exists.