We recommend using Azure Native.
azure.role.Assignment
Explore with Pulumi AI
Deprecated:
azure.role.Assignment has been deprecated in favor of azure.authorization.Assignment
Assigns a given Principal (User or Group) to a given Role.
Example Usage
Using A Built-In Role)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var primary = Azure.Core.GetSubscription.Invoke();
var exampleClientConfig = Azure.Core.GetClientConfig.Invoke();
var exampleAssignment = new Azure.Authorization.Assignment("exampleAssignment", new()
{
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
RoleDefinitionName = "Reader",
PrincipalId = exampleClientConfig.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
});
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
primary, err := core.LookupSubscription(ctx, nil, nil)
if err != nil {
return err
}
exampleClientConfig, err := core.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "exampleAssignment", &authorization.AssignmentArgs{
Scope: *pulumi.String(primary.Id),
RoleDefinitionName: pulumi.String("Reader"),
PrincipalId: *pulumi.String(exampleClientConfig.ObjectId),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var primary = CoreFunctions.getSubscription();
final var exampleClientConfig = CoreFunctions.getClientConfig();
var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.roleDefinitionName("Reader")
.principalId(exampleClientConfig.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
}
}
import pulumi
import pulumi_azure as azure
primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_assignment = azure.authorization.Assignment("exampleAssignment",
scope=primary.id,
role_definition_name="Reader",
principal_id=example_client_config.object_id)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
scope: primary.then(primary => primary.id),
roleDefinitionName: "Reader",
principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});
resources:
exampleAssignment:
type: azure:authorization:Assignment
properties:
scope: ${primary.id}
roleDefinitionName: Reader
principalId: ${exampleClientConfig.objectId}
variables:
primary:
fn::invoke:
Function: azure:core:getSubscription
Arguments: {}
exampleClientConfig:
fn::invoke:
Function: azure:core:getClientConfig
Arguments: {}
Custom Role & Service Principal)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var primary = Azure.Core.GetSubscription.Invoke();
var exampleClientConfig = Azure.Core.GetClientConfig.Invoke();
var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("exampleRoleDefinition", new()
{
RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
Permissions = new[]
{
new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
{
Actions = new[]
{
"Microsoft.Resources/subscriptions/resourceGroups/read",
},
NotActions = new() { },
},
},
AssignableScopes = new[]
{
primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
},
});
var exampleAssignment = new Azure.Authorization.Assignment("exampleAssignment", new()
{
Name = "00000000-0000-0000-0000-000000000000",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId = exampleClientConfig.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
});
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
primary, err := core.LookupSubscription(ctx, nil, nil)
if err != nil {
return err
}
exampleClientConfig, err := core.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "exampleRoleDefinition", &authorization.RoleDefinitionArgs{
RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
Scope: *pulumi.String(primary.Id),
Permissions: authorization.RoleDefinitionPermissionArray{
&authorization.RoleDefinitionPermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
},
NotActions: pulumi.StringArray{},
},
},
AssignableScopes: pulumi.StringArray{
*pulumi.String(primary.Id),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "exampleAssignment", &authorization.AssignmentArgs{
Name: pulumi.String("00000000-0000-0000-0000-000000000000"),
Scope: *pulumi.String(primary.Id),
RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId: *pulumi.String(exampleClientConfig.ObjectId),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var primary = CoreFunctions.getSubscription();
final var exampleClientConfig = CoreFunctions.getClientConfig();
var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
.roleDefinitionId("00000000-0000-0000-0000-000000000000")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.permissions(RoleDefinitionPermissionArgs.builder()
.actions("Microsoft.Resources/subscriptions/resourceGroups/read")
.notActions()
.build())
.assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.build());
var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
.name("00000000-0000-0000-0000-000000000000")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
.principalId(exampleClientConfig.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
}
}
import pulumi
import pulumi_azure as azure
primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
role_definition_id="00000000-0000-0000-0000-000000000000",
scope=primary.id,
permissions=[azure.authorization.RoleDefinitionPermissionArgs(
actions=["Microsoft.Resources/subscriptions/resourceGroups/read"],
not_actions=[],
)],
assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
name="00000000-0000-0000-0000-000000000000",
scope=primary.id,
role_definition_id=example_role_definition.role_definition_resource_id,
principal_id=example_client_config.object_id)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
roleDefinitionId: "00000000-0000-0000-0000-000000000000",
scope: primary.then(primary => primary.id),
permissions: [{
actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
notActions: [],
}],
assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
name: "00000000-0000-0000-0000-000000000000",
scope: primary.then(primary => primary.id),
roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});
resources:
exampleRoleDefinition:
type: azure:authorization:RoleDefinition
properties:
roleDefinitionId: 00000000-0000-0000-0000-000000000000
scope: ${primary.id}
permissions:
- actions:
- Microsoft.Resources/subscriptions/resourceGroups/read
notActions: []
assignableScopes:
- ${primary.id}
exampleAssignment:
type: azure:authorization:Assignment
properties:
name: 00000000-0000-0000-0000-000000000000
scope: ${primary.id}
roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
principalId: ${exampleClientConfig.objectId}
variables:
primary:
fn::invoke:
Function: azure:core:getSubscription
Arguments: {}
exampleClientConfig:
fn::invoke:
Function: azure:core:getClientConfig
Arguments: {}
Custom Role & User)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var primary = Azure.Core.GetSubscription.Invoke();
var exampleClientConfig = Azure.Core.GetClientConfig.Invoke();
var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("exampleRoleDefinition", new()
{
RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
Permissions = new[]
{
new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
{
Actions = new[]
{
"Microsoft.Resources/subscriptions/resourceGroups/read",
},
NotActions = new() { },
},
},
AssignableScopes = new[]
{
primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
},
});
var exampleAssignment = new Azure.Authorization.Assignment("exampleAssignment", new()
{
Name = "00000000-0000-0000-0000-000000000000",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId = exampleClientConfig.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
});
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
primary, err := core.LookupSubscription(ctx, nil, nil)
if err != nil {
return err
}
exampleClientConfig, err := core.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "exampleRoleDefinition", &authorization.RoleDefinitionArgs{
RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
Scope: *pulumi.String(primary.Id),
Permissions: authorization.RoleDefinitionPermissionArray{
&authorization.RoleDefinitionPermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
},
NotActions: pulumi.StringArray{},
},
},
AssignableScopes: pulumi.StringArray{
*pulumi.String(primary.Id),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "exampleAssignment", &authorization.AssignmentArgs{
Name: pulumi.String("00000000-0000-0000-0000-000000000000"),
Scope: *pulumi.String(primary.Id),
RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId: *pulumi.String(exampleClientConfig.ObjectId),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var primary = CoreFunctions.getSubscription();
final var exampleClientConfig = CoreFunctions.getClientConfig();
var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
.roleDefinitionId("00000000-0000-0000-0000-000000000000")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.permissions(RoleDefinitionPermissionArgs.builder()
.actions("Microsoft.Resources/subscriptions/resourceGroups/read")
.notActions()
.build())
.assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.build());
var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
.name("00000000-0000-0000-0000-000000000000")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
.principalId(exampleClientConfig.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
}
}
import pulumi
import pulumi_azure as azure
primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
role_definition_id="00000000-0000-0000-0000-000000000000",
scope=primary.id,
permissions=[azure.authorization.RoleDefinitionPermissionArgs(
actions=["Microsoft.Resources/subscriptions/resourceGroups/read"],
not_actions=[],
)],
assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
name="00000000-0000-0000-0000-000000000000",
scope=primary.id,
role_definition_id=example_role_definition.role_definition_resource_id,
principal_id=example_client_config.object_id)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
roleDefinitionId: "00000000-0000-0000-0000-000000000000",
scope: primary.then(primary => primary.id),
permissions: [{
actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
notActions: [],
}],
assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
name: "00000000-0000-0000-0000-000000000000",
scope: primary.then(primary => primary.id),
roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});
resources:
exampleRoleDefinition:
type: azure:authorization:RoleDefinition
properties:
roleDefinitionId: 00000000-0000-0000-0000-000000000000
scope: ${primary.id}
permissions:
- actions:
- Microsoft.Resources/subscriptions/resourceGroups/read
notActions: []
assignableScopes:
- ${primary.id}
exampleAssignment:
type: azure:authorization:Assignment
properties:
name: 00000000-0000-0000-0000-000000000000
scope: ${primary.id}
roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
principalId: ${exampleClientConfig.objectId}
variables:
primary:
fn::invoke:
Function: azure:core:getSubscription
Arguments: {}
exampleClientConfig:
fn::invoke:
Function: azure:core:getClientConfig
Arguments: {}
Custom Role & Management Group)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var primary = Azure.Core.GetSubscription.Invoke();
var exampleClientConfig = Azure.Core.GetClientConfig.Invoke();
var exampleGroup = Azure.Management.GetGroup.Invoke(new()
{
Name = "00000000-0000-0000-0000-000000000000",
});
var exampleRoleDefinition = new Azure.Authorization.RoleDefinition("exampleRoleDefinition", new()
{
RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
Scope = primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
Permissions = new[]
{
new Azure.Authorization.Inputs.RoleDefinitionPermissionArgs
{
Actions = new[]
{
"Microsoft.Resources/subscriptions/resourceGroups/read",
},
NotActions = new() { },
},
},
AssignableScopes = new[]
{
primary.Apply(getSubscriptionResult => getSubscriptionResult.Id),
},
});
var exampleAssignment = new Azure.Authorization.Assignment("exampleAssignment", new()
{
Name = "00000000-0000-0000-0000-000000000000",
Scope = data.Azurerm_management_group.Primary.Id,
RoleDefinitionId = exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId = exampleClientConfig.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
});
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/management"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
primary, err := core.LookupSubscription(ctx, nil, nil)
if err != nil {
return err
}
exampleClientConfig, err := core.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
_, err = management.LookupGroup(ctx, &management.LookupGroupArgs{
Name: pulumi.StringRef("00000000-0000-0000-0000-000000000000"),
}, nil)
if err != nil {
return err
}
exampleRoleDefinition, err := authorization.NewRoleDefinition(ctx, "exampleRoleDefinition", &authorization.RoleDefinitionArgs{
RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
Scope: *pulumi.String(primary.Id),
Permissions: authorization.RoleDefinitionPermissionArray{
&authorization.RoleDefinitionPermissionArgs{
Actions: pulumi.StringArray{
pulumi.String("Microsoft.Resources/subscriptions/resourceGroups/read"),
},
NotActions: pulumi.StringArray{},
},
},
AssignableScopes: pulumi.StringArray{
*pulumi.String(primary.Id),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "exampleAssignment", &authorization.AssignmentArgs{
Name: pulumi.String("00000000-0000-0000-0000-000000000000"),
Scope: pulumi.Any(data.Azurerm_management_group.Primary.Id),
RoleDefinitionId: exampleRoleDefinition.RoleDefinitionResourceId,
PrincipalId: *pulumi.String(exampleClientConfig.ObjectId),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.management.ManagementFunctions;
import com.pulumi.azure.management.inputs.GetGroupArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.inputs.RoleDefinitionPermissionArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var primary = CoreFunctions.getSubscription();
final var exampleClientConfig = CoreFunctions.getClientConfig();
final var exampleGroup = ManagementFunctions.getGroup(GetGroupArgs.builder()
.name("00000000-0000-0000-0000-000000000000")
.build());
var exampleRoleDefinition = new RoleDefinition("exampleRoleDefinition", RoleDefinitionArgs.builder()
.roleDefinitionId("00000000-0000-0000-0000-000000000000")
.scope(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.permissions(RoleDefinitionPermissionArgs.builder()
.actions("Microsoft.Resources/subscriptions/resourceGroups/read")
.notActions()
.build())
.assignableScopes(primary.applyValue(getSubscriptionResult -> getSubscriptionResult.id()))
.build());
var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
.name("00000000-0000-0000-0000-000000000000")
.scope(data.azurerm_management_group().primary().id())
.roleDefinitionId(exampleRoleDefinition.roleDefinitionResourceId())
.principalId(exampleClientConfig.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
}
}
import pulumi
import pulumi_azure as azure
primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_group = azure.management.get_group(name="00000000-0000-0000-0000-000000000000")
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
role_definition_id="00000000-0000-0000-0000-000000000000",
scope=primary.id,
permissions=[azure.authorization.RoleDefinitionPermissionArgs(
actions=["Microsoft.Resources/subscriptions/resourceGroups/read"],
not_actions=[],
)],
assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
name="00000000-0000-0000-0000-000000000000",
scope=data["azurerm_management_group"]["primary"]["id"],
role_definition_id=example_role_definition.role_definition_resource_id,
principal_id=example_client_config.object_id)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleGroup = azure.management.getGroup({
name: "00000000-0000-0000-0000-000000000000",
});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
roleDefinitionId: "00000000-0000-0000-0000-000000000000",
scope: primary.then(primary => primary.id),
permissions: [{
actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
notActions: [],
}],
assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
name: "00000000-0000-0000-0000-000000000000",
scope: data.azurerm_management_group.primary.id,
roleDefinitionId: exampleRoleDefinition.roleDefinitionResourceId,
principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});
resources:
exampleRoleDefinition:
type: azure:authorization:RoleDefinition
properties:
roleDefinitionId: 00000000-0000-0000-0000-000000000000
scope: ${primary.id}
permissions:
- actions:
- Microsoft.Resources/subscriptions/resourceGroups/read
notActions: []
assignableScopes:
- ${primary.id}
exampleAssignment:
type: azure:authorization:Assignment
properties:
name: 00000000-0000-0000-0000-000000000000
scope: ${data.azurerm_management_group.primary.id}
roleDefinitionId: ${exampleRoleDefinition.roleDefinitionResourceId}
principalId: ${exampleClientConfig.objectId}
variables:
primary:
fn::invoke:
Function: azure:core:getSubscription
Arguments: {}
exampleClientConfig:
fn::invoke:
Function: azure:core:getClientConfig
Arguments: {}
exampleGroup:
fn::invoke:
Function: azure:management:getGroup
Arguments:
name: 00000000-0000-0000-0000-000000000000
Create Assignment Resource
new Assignment(name: string, args: AssignmentArgs, opts?: CustomResourceOptions);
@overload
def Assignment(resource_name: str,
opts: Optional[ResourceOptions] = None,
condition: Optional[str] = None,
condition_version: Optional[str] = None,
delegated_managed_identity_resource_id: Optional[str] = None,
description: Optional[str] = None,
name: Optional[str] = None,
principal_id: Optional[str] = None,
role_definition_id: Optional[str] = None,
role_definition_name: Optional[str] = None,
scope: Optional[str] = None,
skip_service_principal_aad_check: Optional[bool] = None)
@overload
def Assignment(resource_name: str,
args: AssignmentArgs,
opts: Optional[ResourceOptions] = None)
func NewAssignment(ctx *Context, name string, args AssignmentArgs, opts ...ResourceOption) (*Assignment, error)
public Assignment(string name, AssignmentArgs args, CustomResourceOptions? opts = null)
public Assignment(String name, AssignmentArgs args)
public Assignment(String name, AssignmentArgs args, CustomResourceOptions options)
type: azure:role:Assignment
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AssignmentArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AssignmentArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AssignmentArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AssignmentArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AssignmentArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Assignment Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Assignment resource accepts the following input properties:
- Principal
Id string The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- Scope string
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- Condition string
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- Condition
Version string The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- Delegated
Managed stringIdentity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- Description string
The description for this Role Assignment. Changing this forces a new resource to be created.
- Name string
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- Role
Definition stringId The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- Role
Definition stringName The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- Skip
Service boolPrincipal Aad Check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
- Principal
Id string The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- Scope string
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- Condition string
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- Condition
Version string The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- Delegated
Managed stringIdentity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- Description string
The description for this Role Assignment. Changing this forces a new resource to be created.
- Name string
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- Role
Definition stringId The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- Role
Definition stringName The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- Skip
Service boolPrincipal Aad Check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
- principal
Id String The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- scope String
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- condition String
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version String The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- delegated
Managed StringIdentity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description String
The description for this Role Assignment. Changing this forces a new resource to be created.
- name String
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- role
Definition StringId The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- role
Definition StringName The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- skip
Service BooleanPrincipal Aad Check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
- principal
Id string The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- scope string
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- condition string
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version string The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- delegated
Managed stringIdentity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description string
The description for this Role Assignment. Changing this forces a new resource to be created.
- name string
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- role
Definition stringId The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- role
Definition stringName The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- skip
Service booleanPrincipal Aad Check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
- principal_
id str The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- scope str
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- condition str
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition_
version str The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- delegated_
managed_ stridentity_ resource_ id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description str
The description for this Role Assignment. Changing this forces a new resource to be created.
- name str
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- role_
definition_ strid The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- role_
definition_ strname The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- skip_
service_ boolprincipal_ aad_ check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
- principal
Id String The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- scope String
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- condition String
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version String The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- delegated
Managed StringIdentity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description String
The description for this Role Assignment. Changing this forces a new resource to be created.
- name String
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- role
Definition StringId The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- role
Definition StringName The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- skip
Service BooleanPrincipal Aad Check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
Outputs
All input properties are implicitly available as output properties. Additionally, the Assignment resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Principal
Type string The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.
- Id string
The provider-assigned unique ID for this managed resource.
- Principal
Type string The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.
- id String
The provider-assigned unique ID for this managed resource.
- principal
Type String The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.
- id string
The provider-assigned unique ID for this managed resource.
- principal
Type string The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.
- id str
The provider-assigned unique ID for this managed resource.
- principal_
type str The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.
- id String
The provider-assigned unique ID for this managed resource.
- principal
Type String The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.
Look up Existing Assignment Resource
Get an existing Assignment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AssignmentState, opts?: CustomResourceOptions): Assignment
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
condition: Optional[str] = None,
condition_version: Optional[str] = None,
delegated_managed_identity_resource_id: Optional[str] = None,
description: Optional[str] = None,
name: Optional[str] = None,
principal_id: Optional[str] = None,
principal_type: Optional[str] = None,
role_definition_id: Optional[str] = None,
role_definition_name: Optional[str] = None,
scope: Optional[str] = None,
skip_service_principal_aad_check: Optional[bool] = None) -> Assignment
func GetAssignment(ctx *Context, name string, id IDInput, state *AssignmentState, opts ...ResourceOption) (*Assignment, error)
public static Assignment Get(string name, Input<string> id, AssignmentState? state, CustomResourceOptions? opts = null)
public static Assignment get(String name, Output<String> id, AssignmentState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Condition string
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- Condition
Version string The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- Delegated
Managed stringIdentity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- Description string
The description for this Role Assignment. Changing this forces a new resource to be created.
- Name string
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- Principal
Id string The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- Principal
Type string The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.- Role
Definition stringId The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- Role
Definition stringName The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- Scope string
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- Skip
Service boolPrincipal Aad Check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
- Condition string
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- Condition
Version string The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- Delegated
Managed stringIdentity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- Description string
The description for this Role Assignment. Changing this forces a new resource to be created.
- Name string
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- Principal
Id string The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- Principal
Type string The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.- Role
Definition stringId The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- Role
Definition stringName The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- Scope string
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- Skip
Service boolPrincipal Aad Check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
- condition String
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version String The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- delegated
Managed StringIdentity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description String
The description for this Role Assignment. Changing this forces a new resource to be created.
- name String
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal
Id String The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- principal
Type String The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.- role
Definition StringId The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- role
Definition StringName The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- scope String
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- skip
Service BooleanPrincipal Aad Check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
- condition string
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version string The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- delegated
Managed stringIdentity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description string
The description for this Role Assignment. Changing this forces a new resource to be created.
- name string
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal
Id string The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- principal
Type string The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.- role
Definition stringId The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- role
Definition stringName The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- scope string
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- skip
Service booleanPrincipal Aad Check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
- condition str
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition_
version str The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- delegated_
managed_ stridentity_ resource_ id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description str
The description for this Role Assignment. Changing this forces a new resource to be created.
- name str
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal_
id str The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- principal_
type str The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.- role_
definition_ strid The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- role_
definition_ strname The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- scope str
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- skip_
service_ boolprincipal_ aad_ check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
- condition String
The condition that limits the resources that the role can be assigned to. Changing this forces a new resource to be created.
- condition
Version String The version of the condition. Possible values are
1.0
or2.0
. Changing this forces a new resource to be created.- delegated
Managed StringIdentity Resource Id The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created.
NOTE: this field is only used in cross tenant scenario.
- description String
The description for this Role Assignment. Changing this forces a new resource to be created.
- name String
A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.
- principal
Id String The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.
NOTE: The Principal ID is also known as the Object ID (ie not the "Application ID" for applications).
- principal
Type String The type of the
principal_id
, e.g. User, Group, Service Principal, Application, etc.- role
Definition StringId The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with
role_definition_name
.- role
Definition StringName The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with
role_definition_id
.- scope String
The scope at which the Role Assignment applies to, such as
/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333
,/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup
, or/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM
, or/providers/Microsoft.Management/managementGroups/myMG
. Changing this forces a new resource to be created.- skip
Service BooleanPrincipal Aad Check If the
principal_id
is a newly provisionedService Principal
set this value totrue
to skip theAzure Active Directory
check which may fail due to replication lag. This argument is only valid if theprincipal_id
is aService Principal
identity. Defaults tofalse
.NOTE: If it is not a
Service Principal
identity it will cause the role assignment to fail.
Import
Role Assignments can be imported using the resource id
, e.g.
$ pulumi import azure:role/assignment:Assignment example /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
- for scope
Subscription
, the id format is/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
* for scopeResource Group
, the id format is/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
text /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000|00000000-0000-0000-0000-000000000000
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
azurerm
Terraform Provider.