We recommend using Azure Native.
published on Monday, Feb 23, 2026 by Pulumi
Use this data source to access information about an existing Role Definition.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
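// Subscription of the credentials the provider runs with; its ID is the
// scope used for the custom role and for both lookups below.
const primary = azure.core.getSubscription({});
const subscriptionId = primary.then(({ id }) => id);

// Custom role that the lookups target. The all-zero GUID is the documentation
// placeholder; replace it with your own unique role definition ID.
const customRoleDefinition = new azure.authorization.RoleDefinition("custom", {
  roleDefinitionId: "00000000-0000-0000-0000-000000000000",
  name: "CustomRoleDef",
  scope: subscriptionId,
});

// The output form accepts Outputs and Promises as inputs, so the lookup is
// called directly instead of from inside an apply() callback.
const custom = azure.authorization.getRoleDefinitionOutput({
  roleDefinitionId: customRoleDefinition.roleDefinitionId,
  scope: subscriptionId,
});

// Same lookup keyed by role name rather than by ID (result unused, as in the
// original example).
const customByName = azure.authorization.getRoleDefinitionOutput({
  name: customRoleDefinition.name,
  scope: subscriptionId,
});

// Built-in roles are looked up by name. Contributor is a broad built-in role;
// this call only reads its definition and assigns nothing.
const builtin = azure.authorization.getRoleDefinition({
  name: "Contributor",
});

export const customRoleDefinitionId = custom.apply(({ id }) => id);
export const contributorRoleDefinitionId = builtin.then(({ id }) => id);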
import pulumi
import pulumi_azure as azure
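# Subscription of the credentials the provider runs with; its ID is the scope
# used for the custom role and for both lookups below.
primary = azure.core.get_subscription()

# Custom role that the lookups target. The all-zero GUID is the documentation
# placeholder; replace it with your own unique role definition ID.
custom_role_definition = azure.authorization.RoleDefinition(
    "custom",
    role_definition_id="00000000-0000-0000-0000-000000000000",
    name="CustomRoleDef",
    scope=primary.id,
)

# get_role_definition_output takes pulumi.Input values, so the resource's
# Outputs are passed straight in instead of calling the plain function from
# inside an apply() lambda.
custom = azure.authorization.get_role_definition_output(
    role_definition_id=custom_role_definition.role_definition_id,
    scope=primary.id,
)

# Same lookup keyed by role name rather than by ID (result unused, as in the
# original example).
custom_byname = azure.authorization.get_role_definition_output(
    name=custom_role_definition.name,
    scope=primary.id,
)

# Built-in roles are looked up by name. Contributor is a broad built-in role;
# this call only reads its definition and assigns nothing.
builtin = azure.authorization.get_role_definition(name="Contributor")

pulumi.export("customRoleDefinitionId", custom.id)
pulumi.export("contributorRoleDefinitionId", builtin.id)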
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
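// main creates a custom role definition in the current subscription, then
// looks it up by ID and by name, looks up the built-in Contributor role, and
// exports the resolved role definition IDs.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Subscription of the credentials the provider runs with; its ID is
		// the scope for the custom role and for the lookups.
		primary, err := core.LookupSubscription(ctx, &core.LookupSubscriptionArgs{}, nil)
		if err != nil {
			return err
		}

		// The all-zero GUID is the documentation placeholder; replace it with
		// your own unique role definition ID.
		customRoleDefinition, err := authorization.NewRoleDefinition(ctx, "custom", &authorization.RoleDefinitionArgs{
			RoleDefinitionId: pulumi.String("00000000-0000-0000-0000-000000000000"),
			Name:             pulumi.String("CustomRoleDef"),
			Scope:            pulumi.String(primary.Id),
		})
		if err != nil {
			return err
		}

		// The output form takes the resource's Outputs directly. The original
		// wrapped the plain lookup in ApplyT, converted its two return values
		// with a type conversion and nested pulumi.StringRef calls, none of
		// which compiles.
		custom := authorization.LookupRoleDefinitionOutput(ctx, authorization.LookupRoleDefinitionOutputArgs{
			RoleDefinitionId: customRoleDefinition.RoleDefinitionId,
			Scope:            pulumi.String(primary.Id),
		}, nil)

		// Same lookup keyed by role name rather than by ID (result unused, as
		// in the original example).
		_ = authorization.LookupRoleDefinitionOutput(ctx, authorization.LookupRoleDefinitionOutputArgs{
			Name:  customRoleDefinition.Name,
			Scope: pulumi.String(primary.Id),
		}, nil)

		// Built-in roles are looked up by name. Contributor is a broad
		// built-in role; this call only reads its definition.
		builtin, err := authorization.LookupRoleDefinition(ctx, &authorization.LookupRoleDefinitionArgs{
			Name: pulumi.StringRef("Contributor"),
		}, nil)
		if err != nil {
			return err
		}

		// Export expects pulumi.Input values: the Output exposes Id() as an
		// accessor, and the plain string result is wrapped in pulumi.String.
		ctx.Export("customRoleDefinitionId", custom.Id())
		ctx.Export("contributorRoleDefinitionId", pulumi.String(builtin.Id))
		return nil
	})
}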
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
    // Subscription of the credentials the provider runs with; its ID is the
    // scope used for the custom role and for both lookups below.
    var subscription = Azure.Core.GetSubscription.Invoke();
    var subscriptionId = subscription.Apply(result => result.Id);

    // Custom role that the lookups target. The all-zero GUID is the
    // documentation placeholder.
    var roleArgs = new Azure.Authorization.RoleDefinitionArgs
    {
        RoleDefinitionId = "00000000-0000-0000-0000-000000000000",
        Name = "CustomRoleDef",
        Scope = subscriptionId,
    };
    var customRole = new Azure.Authorization.RoleDefinition("custom", roleArgs);

    // Lookup by role definition ID.
    var customById = Azure.Authorization.GetRoleDefinition.Invoke(new()
    {
        RoleDefinitionId = customRole.RoleDefinitionId,
        Scope = subscriptionId,
    });

    // Lookup by role name (result unused in this example).
    var customByName = Azure.Authorization.GetRoleDefinition.Invoke(new()
    {
        Name = customRole.Name,
        Scope = subscriptionId,
    });

    // Built-in roles are looked up by name only.
    var contributor = Azure.Authorization.GetRoleDefinition.Invoke(new()
    {
        Name = "Contributor",
    });

    var outputs = new Dictionary<string, object?>();
    outputs["customRoleDefinitionId"] = customById.Apply(role => role.Id);
    outputs["contributorRoleDefinitionId"] = contributor.Apply(role => role.Id);
    return outputs;
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.inputs.GetSubscriptionArgs;
import com.pulumi.azure.authorization.RoleDefinition;
import com.pulumi.azure.authorization.RoleDefinitionArgs;
import com.pulumi.azure.authorization.AuthorizationFunctions;
import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
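/**
 * Creates a custom role definition in the current subscription, looks it up
 * by ID and by name, looks up the built-in Contributor role, and exports the
 * resolved role definition IDs.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources and lookups for the stack.
     *
     * @param ctx the Pulumi context used to register stack exports
     */
    public static void stack(Context ctx) {
        // NOTE(review): assumes getSubscription returns an Output, like the
        // getRoleDefinition signature on this page; fields are then read
        // through applyValue rather than called on the Output itself.
        final var primary = CoreFunctions.getSubscription(GetSubscriptionArgs.builder()
            .build());
        final Output<String> subscriptionId = primary.applyValue(subscription -> subscription.id());

        // The all-zero GUID is the documentation placeholder; replace it with
        // your own unique role definition ID.
        var customRoleDefinition = new RoleDefinition("customRoleDefinition", RoleDefinitionArgs.builder()
            .roleDefinitionId("00000000-0000-0000-0000-000000000000")
            .name("CustomRoleDef")
            .scope(subscriptionId)
            .build());

        // The resource's Outputs go straight into the args builder, so the
        // lookup is not nested inside an applyValue callback.
        final var custom = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
            .roleDefinitionId(customRoleDefinition.roleDefinitionId())
            .scope(subscriptionId)
            .build());

        // Renamed from "custom-byname", which is not a valid Java identifier.
        // Result unused, as in the original example.
        final var customByName = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
            .name(customRoleDefinition.name())
            .scope(subscriptionId)
            .build());

        // Built-in roles are looked up by name. Contributor is a broad
        // built-in role; this call only reads its definition.
        final var builtin = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
            .name("Contributor")
            .build());

        ctx.export("customRoleDefinitionId", custom.applyValue(role -> role.id()));
        ctx.export("contributorRoleDefinitionId", builtin.applyValue(role -> role.id()));
    }
}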
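# Indentation restored: the flattened listing lost the nesting that YAML
# relies on for structure.
resources:
  # Custom role that the lookups target. The all-zero GUID is the
  # documentation placeholder; replace it with your own unique ID.
  customRoleDefinition:
    type: azure:authorization:RoleDefinition
    name: custom
    properties:
      roleDefinitionId: 00000000-0000-0000-0000-000000000000
      name: CustomRoleDef
      scope: ${primary.id}
variables:
  # Subscription of the credentials the provider runs with.
  primary:
    fn::invoke:
      function: azure:core:getSubscription
      arguments: {}
  # Lookup by role definition ID.
  custom:
    fn::invoke:
      function: azure:authorization:getRoleDefinition
      arguments:
        roleDefinitionId: ${customRoleDefinition.roleDefinitionId}
        scope: ${primary.id}
  # Lookup by role name.
  custom-byname:
    fn::invoke:
      function: azure:authorization:getRoleDefinition
      arguments:
        name: ${customRoleDefinition.name}
        scope: ${primary.id}
  # Built-in roles are looked up by name only.
  builtin:
    fn::invoke:
      function: azure:authorization:getRoleDefinition
      arguments:
        name: Contributor
outputs:
  customRoleDefinitionId: ${custom.id}
  contributorRoleDefinitionId: ${builtin.id}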
API Providers
This data source uses the following Azure API Providers:
- Microsoft.Authorization - 2022-05-01-preview
Using getRoleDefinition
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getRoleDefinition(args: GetRoleDefinitionArgs, opts?: InvokeOptions): Promise<GetRoleDefinitionResult>
function getRoleDefinitionOutput(args: GetRoleDefinitionOutputArgs, opts?: InvokeOptions): Output<GetRoleDefinitionResult>

def get_role_definition(name: Optional[str] = None,
role_definition_id: Optional[str] = None,
scope: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetRoleDefinitionResult
def get_role_definition_output(name: Optional[pulumi.Input[str]] = None,
role_definition_id: Optional[pulumi.Input[str]] = None,
scope: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetRoleDefinitionResult]

func GetRoleDefinition(ctx *Context, args *GetRoleDefinitionArgs, opts ...InvokeOption) (*GetRoleDefinitionResult, error)
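func GetRoleDefinitionOutput(ctx *Context, args *GetRoleDefinitionOutputArgs, opts ...InvokeOption) GetRoleDefinitionResultOutput

> Note: This function is named GetRoleDefinition in the Go SDK. The Go example above, however, calls it as authorization.LookupRoleDefinition with LookupRoleDefinitionArgs.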
public static class GetRoleDefinition
{
public static Task<GetRoleDefinitionResult> InvokeAsync(GetRoleDefinitionArgs args, InvokeOptions? opts = null)
public static Output<GetRoleDefinitionResult> Invoke(GetRoleDefinitionInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetRoleDefinitionResult> getRoleDefinition(GetRoleDefinitionArgs args, InvokeOptions options)
public static Output<GetRoleDefinitionResult> getRoleDefinition(GetRoleDefinitionArgs args, InvokeOptions options)
fn::invoke:
  function: azure:role/getRoleDefinition:getRoleDefinition
  arguments:
    # arguments dictionary

The following arguments are supported:
- Name string
  Specifies the Name of either a built-in or custom Role Definition.
  Note: You can also use this for built-in roles such as `Contributor`, `Owner`, `Reader` and `Virtual Machine Contributor`.
- RoleDefinitionId string
  Specifies the ID of the Role Definition as a UUID/GUID.
- Scope string
  Specifies the Scope at which the Custom Role Definition exists.
  Note: One of `name` or `role_definition_id` must be specified.
- Name string
  Specifies the Name of either a built-in or custom Role Definition.
  Note: You can also use this for built-in roles such as `Contributor`, `Owner`, `Reader` and `Virtual Machine Contributor`.
- RoleDefinitionId string
  Specifies the ID of the Role Definition as a UUID/GUID.
- Scope string
  Specifies the Scope at which the Custom Role Definition exists.
  Note: One of `name` or `role_definition_id` must be specified.
- name String
  Specifies the Name of either a built-in or custom Role Definition.
  Note: You can also use this for built-in roles such as `Contributor`, `Owner`, `Reader` and `Virtual Machine Contributor`.
- roleDefinitionId String
  Specifies the ID of the Role Definition as a UUID/GUID.
- scope String
  Specifies the Scope at which the Custom Role Definition exists.
  Note: One of `name` or `role_definition_id` must be specified.
- name string
  Specifies the Name of either a built-in or custom Role Definition.
  Note: You can also use this for built-in roles such as `Contributor`, `Owner`, `Reader` and `Virtual Machine Contributor`.
- roleDefinitionId string
  Specifies the ID of the Role Definition as a UUID/GUID.
- scope string
  Specifies the Scope at which the Custom Role Definition exists.
  Note: One of `name` or `role_definition_id` must be specified.
- name str
  Specifies the Name of either a built-in or custom Role Definition.
  Note: You can also use this for built-in roles such as `Contributor`, `Owner`, `Reader` and `Virtual Machine Contributor`.
- role_definition_id str
  Specifies the ID of the Role Definition as a UUID/GUID.
- scope str
  Specifies the Scope at which the Custom Role Definition exists.
  Note: One of `name` or `role_definition_id` must be specified.
- name String
  Specifies the Name of either a built-in or custom Role Definition.
  Note: You can also use this for built-in roles such as `Contributor`, `Owner`, `Reader` and `Virtual Machine Contributor`.
- roleDefinitionId String
  Specifies the ID of the Role Definition as a UUID/GUID.
- scope String
  Specifies the Scope at which the Custom Role Definition exists.
  Note: One of `name` or `role_definition_id` must be specified.
getRoleDefinition Result
The following output properties are available:
- AssignableScopes List<string>
  One or more assignable scopes for this Role Definition, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`.
- Description string
  The Description of the built-in Role.
- Id string
  The provider-assigned unique ID for this managed resource.
- Name string
- Permissions List<GetRoleDefinitionPermission>
  A `permissions` block as documented below.
- RoleDefinitionId string
- Type string
  The Type of the Role.
- Scope string
- AssignableScopes []string
  One or more assignable scopes for this Role Definition, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`.
- Description string
  The Description of the built-in Role.
- Id string
  The provider-assigned unique ID for this managed resource.
- Name string
- Permissions []GetRoleDefinitionPermission
  A `permissions` block as documented below.
- RoleDefinitionId string
- Type string
  The Type of the Role.
- Scope string
- assignableScopes List<String>
  One or more assignable scopes for this Role Definition, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`.
- description String
  The Description of the built-in Role.
- id String
  The provider-assigned unique ID for this managed resource.
- name String
- permissions List<GetRoleDefinitionPermission>
  A `permissions` block as documented below.
- roleDefinitionId String
- type String
  The Type of the Role.
- scope String
- assignableScopes string[]
  One or more assignable scopes for this Role Definition, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`.
- description string
  The Description of the built-in Role.
- id string
  The provider-assigned unique ID for this managed resource.
- name string
- permissions GetRoleDefinitionPermission[]
  A `permissions` block as documented below.
- roleDefinitionId string
- type string
  The Type of the Role.
- scope string
- assignable_scopes Sequence[str]
  One or more assignable scopes for this Role Definition, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`.
- description str
  The Description of the built-in Role.
- id str
  The provider-assigned unique ID for this managed resource.
- name str
- permissions Sequence[GetRoleDefinitionPermission]
  A `permissions` block as documented below.
- role_definition_id str
- type str
  The Type of the Role.
- scope str
- assignableScopes List<String>
  One or more assignable scopes for this Role Definition, such as `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333`, `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`, or `/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM`.
- description String
  The Description of the built-in Role.
- id String
  The provider-assigned unique ID for this managed resource.
- name String
- permissions List<Property Map>
  A `permissions` block as documented below.
- roleDefinitionId String
- type String
  The Type of the Role.
- scope String
Supporting Types
GetRoleDefinitionPermission
- Actions List<string>
  A list of actions supported by this role.
- Condition string
  The conditions on this role definition, which limit the resources it can be assigned to.
- ConditionVersion string
  The version of the condition.
- NotActions List<string>
  A list of actions which are denied by this role.
- DataActions List<string>
  A list of data actions allowed by this role.
- NotDataActions List<string>
  A list of data actions which are denied by this role.
  Note: in Azure RBAC, NotActions and NotDataActions are subtracted from the actions this role allows; they are not deny rules, so another role assignment can still grant the same operation.
- Actions []string
  A list of actions supported by this role.
- Condition string
  The conditions on this role definition, which limit the resources it can be assigned to.
- ConditionVersion string
  The version of the condition.
- NotActions []string
  A list of actions which are denied by this role.
- DataActions []string
  A list of data actions allowed by this role.
- NotDataActions []string
  A list of data actions which are denied by this role.
- actions List<String>
  A list of actions supported by this role.
- condition String
  The conditions on this role definition, which limit the resources it can be assigned to.
- conditionVersion String
  The version of the condition.
- notActions List<String>
  A list of actions which are denied by this role.
- dataActions List<String>
  A list of data actions allowed by this role.
- notDataActions List<String>
  A list of data actions which are denied by this role.
- actions string[]
  A list of actions supported by this role.
- condition string
  The conditions on this role definition, which limit the resources it can be assigned to.
- conditionVersion string
  The version of the condition.
- notActions string[]
  A list of actions which are denied by this role.
- dataActions string[]
  A list of data actions allowed by this role.
- notDataActions string[]
  A list of data actions which are denied by this role.
- actions Sequence[str]
  A list of actions supported by this role.
- condition str
  The conditions on this role definition, which limit the resources it can be assigned to.
- condition_version str
  The version of the condition.
- not_actions Sequence[str]
  A list of actions which are denied by this role.
- data_actions Sequence[str]
  A list of data actions allowed by this role.
- not_data_actions Sequence[str]
  A list of data actions which are denied by this role.
- actions List<String>
  A list of actions supported by this role.
- condition String
  The conditions on this role definition, which limit the resources it can be assigned to.
- conditionVersion String
  The version of the condition.
- notActions List<String>
  A list of actions which are denied by this role.
- dataActions List<String>
  A list of data actions allowed by this role.
- notDataActions List<String>
  A list of data actions which are denied by this role.
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `azurerm` Terraform Provider.
