
Trying Azure RBAC through the REST API with the Azure CLI

In an Azure subscription's access control (IAM) you assign roles to users and service principals. I will probably need to do this from an application, so as a preliminary check I tried the Azure RBAC REST API from the Azure CLI.

Assigning the Security Admin role to a user

```bash
# Subscription to operate on: the CLI's current default subscription
SubscriptionId=$(az account show \
  --query id \
  --output tsv)

echo "$SubscriptionId"

# Look up the built-in "Security Admin" role definition ID under this subscription.
# The URL is quoted so the shell does not treat '?' as a glob character.
RoleId=$(az rest \
  --method get \
  --url "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01" \
  --query "value[?properties.roleName=='Security Admin'].id" \
  --output tsv)

echo "$RoleId"

# Signed-in user's UPN, then that user's object ID in Microsoft Entra ID
MyUpn=$(az account show \
  --query user.name \
  --output tsv)

echo "$MyUpn"

MyId=$(az ad user show \
  --id "$MyUpn" \
  --query id \
  --output tsv)

echo "$MyId"

# Create the role assignment at subscription scope.
# The roleAssignments resource name must be a new GUID, hence $(uuidgen).
az rest \
  --method put \
  --url "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleAssignments/$(uuidgen)?api-version=2022-04-01" \
  --body '{
    "properties": {
      "roleDefinitionId": "'"$RoleId"'",
      "principalId": "'"$MyId"'",
      "principalType": "User"
    }
  }'
```

Assigning the Reader role to a service principal

```bash
# Reuses $SubscriptionId from the previous block
ReaderRoleId=$(az rest \
  --method get \
  --url "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01" \
  --query "value[?properties.roleName=='Reader'].id" \
  --output tsv)

echo "$ReaderRoleId"

# Object ID of the service principal whose display name is sampleapp.
# Display names are not unique: if several match, several IDs come back and the PUT below fails.
ServicePrincipalId=$(az ad sp list \
  --display-name sampleapp \
  --query "[].id" \
  --output tsv)

echo "$ServicePrincipalId"

az rest \
  --method put \
  --url "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleAssignments/$(uuidgen)?api-version=2022-04-01" \
  --body '{
    "properties": {
      "roleDefinitionId": "'"$ReaderRoleId"'",
      "principalId": "'"$ServicePrincipalId"'",
      "principalType": "ServicePrincipal"
    }
  }'
```
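Since the goal is to run these two steps from an application rather than by hand, here is the same flow (look up the role definition by name, then PUT a roleAssignments resource) as an added Python example. It is not code from the article; the subscription, role definition and principal GUIDs, and both API responses are constructed placeholders. It adds two checks the `az rest` one-liners skip: the role lookup fails instead of silently returning an empty ID, and an assignment is only created when the same role/principal/scope triple does not already exist (ARM rejects a duplicate with HTTP 409 RoleAssignmentExists). The `send` helper assumes you pass the bearer token that `az account get-access-token --query accessToken -o tsv` prints.

```python
"""Azure RBAC role assignment through the ARM REST API (added example).

The same two steps the article runs with `az rest`, as a small idempotent
helper. All sample API responses below are constructed, not captured from Azure.
"""
import json
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"          # same API version the article uses
PRINCIPAL_TYPES = {"User", "Group", "ServicePrincipal"}


def role_definition_id(definitions: dict, role_name: str) -> str:
    """Pick a role definition ID out of a GET roleDefinitions response.

    Equivalent to the JMESPath `value[?properties.roleName=='X'].id`, but
    fails instead of yielding an empty string that would then be PUT as
    roleDefinitionId.
    """
    matches = [d["id"] for d in definitions["value"]
               if d["properties"]["roleName"] == role_name]
    if len(matches) != 1:
        raise LookupError(f"expected one role named {role_name!r}, found {len(matches)}")
    return matches[0]


def find_existing_assignment(assignments: dict, role_def_id: str,
                             principal_id: str, scope: str):
    """Return an assignment with the same (role, principal, scope), or None.

    ARM answers a second PUT for an identical triple with HTTP 409
    RoleAssignmentExists, so an application should check before creating.
    """
    for a in assignments["value"]:
        p = a["properties"]
        if (p["roleDefinitionId"].lower() == role_def_id.lower()
                and p["principalId"].lower() == principal_id.lower()
                and p["scope"].lower() == scope.lower()):
            return a
    return None


def build_role_assignment(scope: str, role_def_id: str, principal_id: str,
                          principal_type: str, assignment_name: str = None) -> dict:
    """Build the PUT roleAssignments request that `az rest --method put` sends."""
    if principal_type not in PRINCIPAL_TYPES:
        raise ValueError(f"unsupported principalType {principal_type!r}")
    name = assignment_name or str(uuid.uuid4())
    uuid.UUID(name)  # the assignment resource name must be a GUID, like $(uuidgen)
    return {
        "method": "PUT",
        "url": (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
                f"{name}?api-version={API_VERSION}"),
        "body": {"properties": {
            "roleDefinitionId": role_def_id,
            "principalId": principal_id,
            "principalType": principal_type,  # helps ARM resolve a newly created principal
        }},
    }


def plan_assignment(definitions: dict, assignments: dict, scope: str, role_name: str,
                    principal_id: str, principal_type: str) -> dict:
    """Decide whether a PUT is needed: returns the request to send or the existing ID."""
    role_def_id = role_definition_id(definitions, role_name)
    existing = find_existing_assignment(assignments, role_def_id, principal_id, scope)
    if existing:
        return {"action": "exists", "id": existing["id"]}
    return {"action": "put",
            "request": build_role_assignment(scope, role_def_id, principal_id, principal_type)}


def send(request: dict, access_token: str) -> dict:
    """Submit a built request with the bearer token from `az account get-access-token`."""
    req = urllib.request.Request(
        request["url"], data=json.dumps(request["body"]).encode(),
        method=request["method"],
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# --- constructed sample data: placeholder GUIDs, not real Azure objects ---
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
READER_DEF = f"{SCOPE}/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111"
SECADMIN_DEF = f"{SCOPE}/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222"
SP_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
USER_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
SAMPLE_DEFINITIONS = {"value": [
    {"id": READER_DEF, "properties": {"roleName": "Reader", "type": "BuiltInRole"}},
    {"id": SECADMIN_DEF, "properties": {"roleName": "Security Admin", "type": "BuiltInRole"}},
]}
SAMPLE_ASSIGNMENTS = {"value": [
    {"id": f"{SCOPE}/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333",
     "properties": {"roleDefinitionId": READER_DEF, "principalId": SP_ID,
                    "principalType": "ServicePrincipal", "scope": SCOPE}},
]}

if __name__ == "__main__":
    # Reader is already assigned to the service principal: nothing to PUT
    print(plan_assignment(SAMPLE_DEFINITIONS, SAMPLE_ASSIGNMENTS, SCOPE, "Reader", SP_ID, "ServicePrincipal"))
    # Security Admin for the user is new: a PUT request is produced
    print(json.dumps(plan_assignment(SAMPLE_DEFINITIONS, SAMPLE_ASSIGNMENTS, SCOPE,
                                     "Security Admin", USER_ID, "User"), indent=2))
```

In a real application, fetch the two responses with GET calls against the same `roleDefinitions` and `roleAssignments` URLs the article uses (`roleAssignments?api-version=2022-04-01` at the subscription scope lists current assignments), feed them to `plan_assignment`, and only call `send` when the action is `put`. Assigning at the narrowest scope that the application actually needs, rather than the whole subscription, keeps the blast radius of the assigned role small.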
