1. Pulumi Registry
  2. Azure Classic
  3. API Docs
  4. authorization
  5. Assignment
azure logo
Azure Classic v5.38.0, Mar 21 23

azure.authorization.Assignment

Assigns a given Principal (User or Group) to a given Role.

Example Usage

Using A Built-In Role)

using System.Collections.Generic;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() => 
{
    var primary = Azure.Core.GetSubscription.Invoke();

    var exampleClientConfig = Azure.Core.GetClientConfig.Invoke();

    var exampleAssignment = new Azure.Authorization.Assignment("exampleAssignment", new()
    {
        Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
        RoleDefinitionName = "Reader",
        PrincipalId = exampleClientConfig.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
    });

});

package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		primary, err := core.LookupSubscription(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleClientConfig, err := core.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		_, err = authorization.NewAssignment(ctx, "exampleAssignment", &authorization.AssignmentArgs{
			Scope:              *pulumi.String(primary.Id),
			RoleDefinitionName: pulumi.String("Reader"),
			PrincipalId:        *pulumi.String(exampleClientConfig.ObjectId),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var primary = CoreFunctions.getSubscription();

        final var exampleClientConfig = CoreFunctions.getClientConfig();

        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()        
            .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
            .roleDefinitionName("Reader")
            .principalId(exampleClientConfig.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

    }
}

import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_assignment = azure.authorization.Assignment("exampleAssignment",
    scope=primary.id,
    role_definition_name="Reader",
    principal_id=example_client_config.object_id)

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    scope: primary.then(primary => primary.id),
    roleDefinitionName: "Reader",
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});

resources:
  exampleAssignment:
    type: azure:authorization:Assignment
    properties:
      scope: ${primary.id}
      roleDefinitionName: Reader
      principalId: ${exampleClientConfig.objectId}
variables:
  primary:
    fn::invoke:
      Function: azure:core:getSubscription
      Arguments: {}
  exampleClientConfig:
    fn::invoke:
      Function: azure:core:getClientConfig
      Arguments: {}

Custom Role & Service Principal)

using System.Collections.Generic;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() => 
{
    var primary = Azure.Core.GetSubscription.Invoke();

    var exampleClientConfig = Azure.Core.GetClientConfig.Invoke();

    var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("exampleRoleDefinition", new()
    {
        RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
        Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
        Permissions = new[]
        {
            new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
            {
                Actions = new[]
                {
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                },
                NotActions = new[] {},
            },
        },
        AssignableScopes = new[]
        {
            primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
        },
    });

    var exampleAssignment = new Azure.Authorization.Assignment("exampleAssignment", new()
    {
        Name = "00000000-0000-0000-0000-000000000000",
        Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
        RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
        PrincipalId = exampleClientConfig.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
    });

});

package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		primary, err := core.LookupSubscription(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleClientConfig, err := core.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "exampleRoleDefinition", &authorization.RoleDefinitionArgs{
			RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
			Scope:            *pulumi.String(primary.Id),
			Permissions: authorization.RoleDefinitionPermissionArray{
				&authorization.RoleDefinitionPermissionArgs{
					Actions: pulumi.StringArray{
						pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
					},
					NotActions: pulumi.StringArray{},
				},
			},
			AssignableScopes: pulumi.StringArray{
				*pulumi.String(primary.Id),
			},
		})
		if err != nil {
			return err
		}
		_, err = authorization.NewAssignment(ctx, "exampleAssignment", &authorization.AssignmentArgs{
			Name:             pulumi.String("00000000-0000-0000-0000-000000000000"),
			Scope:            *pulumi.String(primary.Id),
			RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
			PrincipalId:      *pulumi.String(exampleClientConfig.ObjectId),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var primary = CoreFunctions.getSubscription();

        final var exampleClientConfig = CoreFunctions.getClientConfig();

        var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()        
            .roleDefinitionId("00000000-0000-0000-0000-000000000000")
            .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
            .permissions(RoleDefinitionPermissionArgs.builder()
                .actions("Microsoft.Resources/subscriptions/resourceGroups/read")
                .notActions()
                .build())
            .assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
            .build());

        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()        
            .name("00000000-0000-0000-0000-000000000000")
            .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
            .roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
            .principalId(exampleClientConfig.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

    }
}

import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
    role_definition_id="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    permissions=[azure.authorization.RoleDefinitionPermissionArgs(
        actions=["Microsoft.Resources/subscriptions/resourceGroups/read"],
        not_actions=[],
    )],
    assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
    name="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    role_definition_id=example_role_definition.role_definition_resource_id,
    principal_id=example_client_config.object_id)

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    name: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});

resources:
  exampleRoleDefinition:
    type: azure:authorization:RoleDefinition
    properties:
      roleDefinitionId: 00000000-0000-0000-0000-000000000000
      scope: ${primary.id}
      permissions:
        - actions:
            - Microsoft.Resources/subscriptions/resourceGroups/read
          notActions: []
      assignableScopes:
        - ${primary.id}
  exampleAssignment:
    type: azure:authorization:Assignment
    properties:
      name: 00000000-0000-0000-0000-000000000000
      scope: ${primary.id}
      roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
      principalId: ${exampleClientConfig.objectId}
variables:
  primary:
    fn::invoke:
      Function: azure:core:getSubscription
      Arguments: {}
  exampleClientConfig:
    fn::invoke:
      Function: azure:core:getClientConfig
      Arguments: {}

Custom Role & User)

using System.Collections.Generic;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() => 
{
    var primary = Azure.Core.GetSubscription.Invoke();

    var exampleClientConfig = Azure.Core.GetClientConfig.Invoke();

    var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("exampleRoleDefinition", new()
    {
        RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
        Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
        Permissions = new[]
        {
            new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
            {
                Actions = new[]
                {
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                },
                NotActions = new[] {},
            },
        },
        AssignableScopes = new[]
        {
            primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
        },
    });

    var exampleAssignment = new Azure.Authorization.Assignment("exampleAssignment", new()
    {
        Name = "00000000-0000-0000-0000-000000000000",
        Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
        RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
        PrincipalId = exampleClientConfig.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
    });

});

package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		primary, err := core.LookupSubscription(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleClientConfig, err := core.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "exampleRoleDefinition", &authorization.RoleDefinitionArgs{
			RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
			Scope:            *pulumi.String(primary.Id),
			Permissions: authorization.RoleDefinitionPermissionArray{
				&authorization.RoleDefinitionPermissionArgs{
					Actions: pulumi.StringArray{
						pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
					},
					NotActions: pulumi.StringArray{},
				},
			},
			AssignableScopes: pulumi.StringArray{
				*pulumi.String(primary.Id),
			},
		})
		if err != nil {
			return err
		}
		_, err = authorization.NewAssignment(ctx, "exampleAssignment", &authorization.AssignmentArgs{
			Name:             pulumi.String("00000000-0000-0000-0000-000000000000"),
			Scope:            *pulumi.String(primary.Id),
			RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
			PrincipalId:      *pulumi.String(exampleClientConfig.ObjectId),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var primary = CoreFunctions.getSubscription();

        final var exampleClientConfig = CoreFunctions.getClientConfig();

        var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()        
            .roleDefinitionId("00000000-0000-0000-0000-000000000000")
            .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
            .permissions(RoleDefinitionPermissionArgs.builder()
                .actions("Microsoft.Resources/subscriptions/resourceGroups/read")
                .notActions()
                .build())
            .assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
            .build());

        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()        
            .name("00000000-0000-0000-0000-000000000000")
            .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
            .roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
            .principalId(exampleClientConfig.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

    }
}

import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
    role_definition_id="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    permissions=[azure.authorization.RoleDefinitionPermissionArgs(
        actions=["Microsoft.Resources/subscriptions/resourceGroups/read"],
        not_actions=[],
    )],
    assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
    name="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    role_definition_id=example_role_definition.role_definition_resource_id,
    principal_id=example_client_config.object_id)

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    name: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});

resources:
  exampleRoleDefinition:
    type: azure:authorization:RoleDefinition
    properties:
      roleDefinitionId: 00000000-0000-0000-0000-000000000000
      scope: ${primary.id}
      permissions:
        - actions:
            - Microsoft.Resources/subscriptions/resourceGroups/read
          notActions: []
      assignableScopes:
        - ${primary.id}
  exampleAssignment:
    type: azure:authorization:Assignment
    properties:
      name: 00000000-0000-0000-0000-000000000000
      scope: ${primary.id}
      roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
      principalId: ${exampleClientConfig.objectId}
variables:
  primary:
    fn::invoke:
      Function: azure:core:getSubscription
      Arguments: {}
  exampleClientConfig:
    fn::invoke:
      Function: azure:core:getClientConfig
      Arguments: {}

Custom Role & Management Group)

using System.Collections.Generic;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() => 
{
    var primary = Azure.Core.GetSubscription.Invoke();

    var exampleClientConfig = Azure.Core.GetClientConfig.Invoke();

    var exampleGroup = Azure.Management.GetGroup.Invoke(new()
    {
        Name = "00000000-0000-0000-0000-000000000000",
    });

    var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("exampleRoleDefinition", new()
    {
        RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
        Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
        Permissions = new[]
        {
            new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
            {
                Actions = new[]
                {
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                },
                NotActions = new[] {},
            },
        },
        AssignableScopes = new[]
        {
            primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
        },
    });

    var exampleAssignment = new Azure.Authorization.Assignment("exampleAssignment", new()
    {
        Name = "00000000-0000-0000-0000-000000000000",
        Scope = data.Azurerm_management_group.Primary.Id,
        RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
        PrincipalId = exampleClientConfig.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
    });

});

package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/management"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		primary, err := core.LookupSubscription(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleClientConfig, err := core.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		_, err = management.LookupGroup(ctx, &management.LookupGroupArgs{
			Name: pulumi.StringRef("00000000-0000-0000-0000-000000000000"),
		}, nil)
		if err != nil {
			return err
		}
		exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "exampleRoleDefinition", &authorization.RoleDefinitionArgs{
			RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
			Scope:            *pulumi.String(primary.Id),
			Permissions: authorization.RoleDefinitionPermissionArray{
				&authorization.RoleDefinitionPermissionArgs{
					Actions: pulumi.StringArray{
						pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
					},
					NotActions: pulumi.StringArray{},
				},
			},
			AssignableScopes: pulumi.StringArray{
				*pulumi.String(primary.Id),
			},
		})
		if err != nil {
			return err
		}
		_, err = authorization.NewAssignment(ctx, "exampleAssignment", &authorization.AssignmentArgs{
			Name:             pulumi.String("00000000-0000-0000-0000-000000000000"),
			Scope:            pulumi.Any(data.Azurerm_management_group.Primary.Id),
			RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
			PrincipalId:      *pulumi.String(exampleClientConfig.ObjectId),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.management.ManagementFunctions;
import com.pulumi.azure.management.inputs.GetGroupArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var primary = CoreFunctions.getSubscription();

        final var exampleClientConfig = CoreFunctions.getClientConfig();

        final var exampleGroup = ManagementFunctions.getGroup(GetGroupArgs.builder()
            .name("00000000-0000-0000-0000-000000000000")
            .build());

        var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()        
            .roleDefinitionId("00000000-0000-0000-0000-000000000000")
            .scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
            .permissions(RoleDefinitionPermissionArgs.builder()
                .actions("Microsoft.Resources/subscriptions/resourceGroups/read")
                .notActions()
                .build())
            .assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
            .build());

        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()        
            .name("00000000-0000-0000-0000-000000000000")
            .scope(data.azurerm_management_group().primary().id())
            .roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
            .principalId(exampleClientConfig.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

    }
}

import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_group = azure.management.get_group(name="00000000-0000-0000-0000-000000000000")
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
    role_definition_id="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    permissions=[azure.authorization.RoleDefinitionPermissionArgs(
        actions=["Microsoft.Resources/subscriptions/resourceGroups/read"],
        not_actions=[],
    )],
    assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
    name="00000000-0000-0000-0000-000000000000",
    scope=data["azurerm_management_group"]["primary"]["id"],
    role_definition_id=example_role_definition.role_definition_resource_id,
    principal_id=example_client_config.object_id)

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleGroup = azure.management.getGroup({
    name: "00000000-0000-0000-0000-000000000000",
});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    name: "00000000-0000-0000-0000-000000000000",
    scope: data.azurerm_management_group.primary.id,
    roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});

resources:
  exampleRoleDefinition:
    type: azure:authorization:RoleDefinition
    properties:
      roleDefinitionId: 00000000-0000-0000-0000-000000000000
      scope: ${primary.id}
      permissions:
        - actions:
            - Microsoft.Resources/subscriptions/resourceGroups/read
          notActions: []
      assignableScopes:
        - ${primary.id}
  exampleAssignment:
    type: azure:authorization:Assignment
    properties:
      name: 00000000-0000-0000-0000-000000000000
      scope: ${data.azurerm_management_group.primary.id}
      roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
      principalId: ${exampleClientConfig.objectId}
variables:
  primary:
    fn::invoke:
      Function: azure:core:getSubscription
      Arguments: {}
  exampleClientConfig:
    fn::invoke:
      Function: azure:core:getClientConfig
      Arguments: {}
  exampleGroup:
    fn::invoke:
      Function: azure:management:getGroup
      Arguments:
        name: 00000000-0000-0000-0000-000000000000

Create Assignment Resource

new Assignment(name: string, args: AssignmentArgs, opts?: CustomResourceOptions);
@overload
def Assignment(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               condition: Optional[str] = None,
               condition_version: Optional[str] = None,
               delegated_managed_identity_resource_id: Optional[str] = None,
               description: Optional[str] = None,
               name: Optional[str] = None,
               principal_id: Optional[str] = None,
               role_definition_id: Optional[str] = None,
               role_definition_name: Optional[str] = None,
               scope: Optional[str] = None,
               skip_service_principal_aad_check: Optional[bool] = None)
@overload
def Assignment(resource_name: str,
               args: AssignmentArgs,
               opts: Optional[ResourceOptions] = None)
func NewAssignment(ctx *Context, name string, args AssignmentArgs, opts ...ResourceOption) (*Assignment, error)
public Assignment(string name, AssignmentArgs args, CustomResourceOptions? opts = null)
public Assignment(String name, AssignmentArgs args)
public Assignment(String name, AssignmentArgs args, CustomResourceOptions options)

type: azure:authorization:Assignment
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AssignmentArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AssignmentArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AssignmentArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AssignmentArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AssignmentArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Assignment Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Assignment resource accepts the following input properties:

PrincipalId string

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

Scope string

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

Condition string

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

ConditionVersion string

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

DelegatedManagedIdentityResourceId string

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

Description string

The description for this Role Assignment. Changing this forces a new resource to be created.

Name string

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

RoleDefinitionId string

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

RoleDefinitionName string

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

SkipServicePrincipalAadCheck bool

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

PrincipalId string

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

Scope string

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

Condition string

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

ConditionVersion string

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

DelegatedManagedIdentityResourceId string

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

Description string

The description for this Role Assignment. Changing this forces a new resource to be created.

Name string

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

RoleDefinitionId string

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

RoleDefinitionName string

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

SkipServicePrincipalAadCheck bool

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

principalId String

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

scope String

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

condition String

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

conditionVersion String

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

delegatedManagedIdentityResourceId String

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

description String

The description for this Role Assignment. Changing this forces a new resource to be created.

name String

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

roleDefinitionId String

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

roleDefinitionName String

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

skipServicePrincipalAadCheck Boolean

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

principalId string

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

scope string

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

condition string

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

conditionVersion string

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

delegatedManagedIdentityResourceId string

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

description string

The description for this Role Assignment. Changing this forces a new resource to be created.

name string

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

roleDefinitionId string

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

roleDefinitionName string

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

skipServicePrincipalAadCheck boolean

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

principal_id str

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

scope str

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

condition str

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

condition_version str

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

delegated_managed_identity_resource_id str

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

description str

The description for this Role Assignment. Changing this forces a new resource to be created.

name str

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

role_definition_id str

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

role_definition_name str

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

skip_service_principal_aad_check bool

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

principalId String

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

scope String

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

condition String

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

conditionVersion String

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

delegatedManagedIdentityResourceId String

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

description String

The description for this Role Assignment. Changing this forces a new resource to be created.

name String

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

roleDefinitionId String

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

roleDefinitionName String

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

skipServicePrincipalAadCheck Boolean

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

Outputs

All input properties are implicitly available as output properties. Additionally, the Assignment resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

PrincipalType string

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

Id string

The provider-assigned unique ID for this managed resource.

PrincipalType string

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

id String

The provider-assigned unique ID for this managed resource.

principalType String

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

id string

The provider-assigned unique ID for this managed resource.

principalType string

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

id str

The provider-assigned unique ID for this managed resource.

principal_type str

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

id String

The provider-assigned unique ID for this managed resource.

principalType String

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

Look up Existing Assignment Resource

Get an existing Assignment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AssignmentState, opts?: CustomResourceOptions): Assignment
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        condition: Optional[str] = None,
        condition_version: Optional[str] = None,
        delegated_managed_identity_resource_id: Optional[str] = None,
        description: Optional[str] = None,
        name: Optional[str] = None,
        principal_id: Optional[str] = None,
        principal_type: Optional[str] = None,
        role_definition_id: Optional[str] = None,
        role_definition_name: Optional[str] = None,
        scope: Optional[str] = None,
        skip_service_principal_aad_check: Optional[bool] = None) -> Assignment
func GetAssignment(ctx *Context, name string, id IDInput, state *AssignmentState, opts ...ResourceOption) (*Assignment, error)
public static Assignment Get(string name, Input<string> id, AssignmentState? state, CustomResourceOptions? opts = null)
public static Assignment get(String name, Output<String> id, AssignmentState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Condition string

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

ConditionVersion string

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

DelegatedManagedIdentityResourceId string

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

Description string

The description for this Role Assignment. Changing this forces a new resource to be created.

Name string

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

PrincipalId string

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

PrincipalType string

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

RoleDefinitionId string

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

RoleDefinitionName string

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

Scope string

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

SkipServicePrincipalAadCheck bool

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

Condition string

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

ConditionVersion string

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

DelegatedManagedIdentityResourceId string

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

Description string

The description for this Role Assignment. Changing this forces a new resource to be created.

Name string

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

PrincipalId string

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

PrincipalType string

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

RoleDefinitionId string

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

RoleDefinitionName string

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

Scope string

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

SkipServicePrincipalAadCheck bool

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

condition String

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

conditionVersion String

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

delegatedManagedIdentityResourceId String

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

description String

The description for this Role Assignment. Changing this forces a new resource to be created.

name String

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

principalId String

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

principalType String

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

roleDefinitionId String

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

roleDefinitionName String

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

scope String

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

skipServicePrincipalAadCheck Boolean

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

condition string

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

conditionVersion string

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

delegatedManagedIdentityResourceId string

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

description string

The description for this Role Assignment. Changing this forces a new resource to be created.

name string

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

principalId string

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

principalType string

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

roleDefinitionId string

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

roleDefinitionName string

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

scope string

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

skipServicePrincipalAadCheck boolean

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

condition str

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

condition_version str

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

delegated_managed_identity_resource_id str

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

description str

The description for this Role Assignment. Changing this forces a new resource to be created.

name str

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

principal_id str

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

principal_type str

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

role_definition_id str

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

role_definition_name str

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

scope str

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

skip_service_principal_aad_check bool

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

condition String

The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.

conditionVersion String

The version of the condition. Possible values are 1.0 or 2.0. Changing this forces a new resource to be created.

delegatedManagedIdentityResourceId String

The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.

description String

The description for this Role Assignment. Changing this forces a new resource to be created.

name String

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

principalId String

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

principalType String

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

roleDefinitionId String

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

roleDefinitionName String

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

scope String

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

skipServicePrincipalAadCheck Boolean

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. Defaults to false.

Import

Role Assignments can be imported using the resource id, e.g.

 $ pulumi import azure:authorization/assignment:Assignment example /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
  • for scope Subscription, the id format is /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000 * for scope Resource Group, the id format is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000 text /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000|00000000-0000-0000-0000-000000000000

Package Details

Repository
Azure Classic pulumi/pulumi-azure
License
Apache-2.0
Notes

This Pulumi package is based on the azurerm Terraform Provider.