This page documents the language specification for the azure package. If you're looking for help working with the inputs, outputs, or functions of azure resources in a Pulumi program, please see the resource documentation for examples and API reference.

role

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-azure repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-azurerm repo.

class pulumi_azure.role.Assignment(resource_name, opts=None, name=None, principal_id=None, role_definition_id=None, role_definition_name=None, scope=None, skip_service_principal_aad_check=None, __props__=None, __name__=None, __opts__=None)

Assigns a given Principal (User or Group) to a given Role.

# Example: assign the built-in Reader role at subscription scope to the current client.
import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_assignment = azure.authorization.Assignment("exampleAssignment",
    scope=primary.id,
    role_definition_name="Reader",
    principal_id=example_client_config.object_id)

# Example: create a custom role and assign it by role_definition_id.
import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
    role_definition_id="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    permissions=[{
        "actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": [],
    }],
    assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
    name="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    role_definition_id=example_role_definition.id,
    principal_id=example_client_config.object_id)

# Example: the same custom role assignment.
# principal_id takes the principal's object ID, not the application (client) ID.
import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
    role_definition_id="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    permissions=[{
        "actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": [],
    }],
    assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
    name="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    role_definition_id=example_role_definition.id,
    principal_id=example_client_config.object_id)

# Example: assign the custom role at management group scope.
import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_group = azure.management.get_group()
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
    role_definition_id="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    permissions=[{
        "actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": [],
    }],
    assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
    name="00000000-0000-0000-0000-000000000000",
    # Use the management group looked up above as the assignment scope.
    scope=example_group.id,
    role_definition_id=example_role_definition.id,
    principal_id=example_client_config.object_id)

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

  • principal_id (pulumi.Input[str]) – The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

  • role_definition_id (pulumi.Input[str]) – The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

  • role_definition_name (pulumi.Input[str]) – The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

  • scope (pulumi.Input[str]) – The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

  • skip_service_principal_aad_check (pulumi.Input[bool]) – If the principal_id is a newly provisioned Service Principal, set this value to true to skip the Azure Active Directory check, which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. If it is not a Service Principal identity, it will cause the role assignment to fail. Defaults to false.

name: pulumi.Output[str] = None

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

principal_id: pulumi.Output[str] = None

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

principal_type: pulumi.Output[str] = None

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

role_definition_id: pulumi.Output[str] = None

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

role_definition_name: pulumi.Output[str] = None

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

scope: pulumi.Output[str] = None

The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

skip_service_principal_aad_check: pulumi.Output[bool] = None

If the principal_id is a newly provisioned Service Principal, set this value to true to skip the Azure Active Directory check, which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. If it is not a Service Principal identity, it will cause the role assignment to fail. Defaults to false.

static get(resource_name, id, opts=None, name=None, principal_id=None, principal_type=None, role_definition_id=None, role_definition_name=None, scope=None, skip_service_principal_aad_check=None)

Get an existing Assignment resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

  • principal_id (pulumi.Input[str]) – The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

  • principal_type (pulumi.Input[str]) – The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

  • role_definition_id (pulumi.Input[str]) – The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

  • role_definition_name (pulumi.Input[str]) – The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

  • scope (pulumi.Input[str]) – The scope at which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

  • skip_service_principal_aad_check (pulumi.Input[bool]) – If the principal_id is a newly provisioned Service Principal, set this value to true to skip the Azure Active Directory check, which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. If it is not a Service Principal identity, it will cause the role assignment to fail. Defaults to false.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.role.AwaitableGetRoleDefinitionResult(assignable_scopes=None, description=None, id=None, name=None, permissions=None, role_definition_id=None, scope=None, type=None)

class pulumi_azure.role.Definition(resource_name, opts=None, assignable_scopes=None, description=None, name=None, permissions=None, role_definition_id=None, scope=None, __props__=None, __name__=None, __opts__=None)

Manages a custom Role Definition, used to assign Roles to Users/Principals. See ‘Understand role definitions’ in the Azure documentation for more details.

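# Example: a custom role definition scoped to the current subscription.
import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example = azure.authorization.RoleDefinition("example",
    scope=primary.id,
    description="This is a custom role created",
    permissions=[{
        # "*" matches every management operation; list only the operations the role needs.
        "actions": ["*"],
        "notActions": [],
    }],
    assignable_scopes=[primary.id])

Parameters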
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • assignable_scopes (pulumi.Input[list]) – One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

  • description (pulumi.Input[str]) – A description of the Role Definition.

  • name (pulumi.Input[str]) – The name of the Role Definition. Changing this forces a new resource to be created.

  • permissions (pulumi.Input[list]) – A permissions block as defined below.

  • role_definition_id (pulumi.Input[str]) – A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

  • scope (pulumi.Input[str]) – The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
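
A pre-deployment check for the permissions and assignable_scopes inputs described above, as an added example that is not part of the Pulumi provider or this page's original code. It evaluates actions/notActions with wildcard matching and classifies the scope formats listed on this page; the function names and the SENSITIVE_OPERATIONS watch list are assumptions chosen for illustration.

```python
import re
from fnmatch import fnmatchcase

# Scope formats listed on this page (illustrative classifier, broadest first).
_SCOPE_PATTERNS = [
    ("management_group", r"/providers/Microsoft\.Management/managementGroups/[^/]+"),
    ("subscription", r"/subscriptions/[^/]+"),
    ("resource_group", r"/subscriptions/[^/]+/resourceGroups/[^/]+"),
    ("resource", r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+"),
]
# Assumed watch list: operations that let a principal change access control.
SENSITIVE_OPERATIONS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
]

def scope_level(scope):
    """Classify a scope string; raise ValueError on an unrecognized format."""
    for level, pattern in _SCOPE_PATTERNS:
        if re.fullmatch(pattern, scope.rstrip("/"), re.IGNORECASE):
            return level
    raise ValueError(f"unrecognized scope: {scope!r}")

def _matches(patterns, operation):
    # Azure action strings are case-insensitive and may contain '*' wildcards.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def is_granted(permissions, operation):
    """True if a block grants `operation`: it matches `actions` and not
    `notActions` (notActions subtracts from the block; it is not a deny)."""
    return any(
        _matches(block.get("actions", []), operation)
        and not _matches(block.get("notActions", []), operation)
        for block in permissions
    )

def audit_role_definition(permissions, assignable_scopes):
    """Return sorted findings for a role definition's inputs."""
    findings = set()
    if any("*" == a.strip() for b in permissions for a in b.get("actions", [])):
        findings.add("wildcard action '*'")
    for op in SENSITIVE_OPERATIONS:
        if is_granted(permissions, op):
            findings.add(f"grants {op}")
    for scope in assignable_scopes:
        if scope_level(scope) in ("management_group", "subscription"):
            findings.add(f"assignable at {scope_level(scope)} scope")
    return sorted(findings)
```

The check works on plain strings and dicts; in a Pulumi program, run it on literal values or inside an Output's apply callback.
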

The permissions object supports the following:

assignable_scopes: pulumi.Output[list] = None

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

description: pulumi.Output[str] = None

A description of the Role Definition.

name: pulumi.Output[str] = None

The name of the Role Definition. Changing this forces a new resource to be created.

permissions: pulumi.Output[list] = None

A permissions block as defined below.

role_definition_id: pulumi.Output[str] = None

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

scope: pulumi.Output[str] = None

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.

static get(resource_name, id, opts=None, assignable_scopes=None, description=None, name=None, permissions=None, role_definition_id=None, scope=None)

Get an existing Definition resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • assignable_scopes (pulumi.Input[list]) – One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

  • description (pulumi.Input[str]) – A description of the Role Definition.

  • name (pulumi.Input[str]) – The name of the Role Definition. Changing this forces a new resource to be created.

  • permissions (pulumi.Input[list]) – A permissions block as defined below.

  • role_definition_id (pulumi.Input[str]) – A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

  • scope (pulumi.Input[str]) – The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.

The permissions object supports the following:

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.role.GetRoleDefinitionResult(assignable_scopes=None, description=None, id=None, name=None, permissions=None, role_definition_id=None, scope=None, type=None)

A collection of values returned by getRoleDefinition.

id = None

The provider-assigned unique ID for this managed resource.

pulumi_azure.role.get_role_definition(name=None, role_definition_id=None, scope=None, opts=None)

Use this data source to access information about an existing resource.