Assigning a role on a subscription with the Azure CLI
I wanted to try assigning a role on an Azure subscription with the Azure CLI. In this post I grant the Contributor role on a subscription to a specific Azure AD group.
Assigning a role on a subscription with the Azure CLI
The steps for assigning a role on a subscription with the Azure CLI are described in the following documentation, which I follow here.
Assign Azure roles using Azure CLI - Azure RBAC | Microsoft Learn
Roles are assigned on a subscription with the az role assignment command.
az role assignment | Microsoft Learn
Below is an example command that assigns the Contributor role to a group at subscription scope. Keep in mind that Contributor can create, change and delete every resource in the subscription (it cannot assign roles), so if a group only needs to manage one resource group, assign the role at that resource group instead of at the subscription.
az role assignment create --assignee "d6916475-7391-4495-840a-e93daexample" \
    --role "b24988ac-6180-42a0-ab88-20f7382dd24c" \
    --subscription "eab80a4f-1fd9-464d-b71c-d3cd6example"
Example output:
$ az role assignment create --assignee "d6916475-7391-4495-840a-e93daexample" \
    --role "b24988ac-6180-42a0-ab88-20f7382dd24c" \
    --subscription "eab80a4f-1fd9-464d-b71c-d3cd6example"
--scope argument will become required for creating a role assignment in the breaking change release of the fall of 2023. Please explicitly specify --scope.
{
  "condition": null,
  "conditionVersion": null,
  "createdBy": null,
  "createdOn": "2023-06-20T14:45:26.112804+00:00",
  "delegatedManagedIdentityResourceId": null,
  "description": null,
  "id": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example/providers/Microsoft.Authorization/roleAssignments/82f12c4a-78c9-45f3-b42a-25f88ef7cb65",
  "name": "82f12c4a-78c9-45f3-b42a-25f88ef7cb65",
  "principalId": "d6916475-7391-4495-840a-e93daexample",
  "principalType": "Group",
  "roleDefinitionId": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "scope": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example",
  "type": "Microsoft.Authorization/roleAssignments",
  "updatedBy": "57cd7118-f92c-4964-9dfb-9061cexample",
  "updatedOn": "2023-06-20T14:45:28.448014+00:00"
}
Note the warning at the top of the output: the command above relies on the CLI defaulting the scope to the subscription given with --subscription, and the CLI announces that --scope will become mandatory. Passing --scope "/subscriptions/<id>" (or a resource-group scope) explicitly makes the intended scope visible in the command itself, and the "scope" field in the output is worth checking for the same reason. Next, let's confirm the result of the assignment.
How to list the roles assigned on a subscription with the Azure CLI is described in the following documentation.
List Azure role assignments using Azure CLI - Azure RBAC | Microsoft Learn
Example command:
az role assignment list --subscription "eab80a4f-1fd9-464d-b71c-d3cd6example"
Example output:
$ az role assignment list --subscription "eab80a4f-1fd9-464d-b71c-d3cd6example"
[
  {
    "condition": null,
    "conditionVersion": null,
    "createdBy": "57cd7118-f92c-4964-9dfb-9061cexample",
    "createdOn": "2023-06-20T14:45:28.448014+00:00",
    "delegatedManagedIdentityResourceId": null,
    "description": null,
    "id": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example/providers/Microsoft.Authorization/roleAssignments/82f12c4a-78c9-45f3-b42a-25f88ef7cb65",
    "name": "82f12c4a-78c9-45f3-b42a-25f88ef7cb65",
    "principalId": "d6916475-7391-4495-840a-e93daexample",
    "principalName": "example-group",
    "principalType": "Group",
    "roleDefinitionId": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example",
    "type": "Microsoft.Authorization/roleAssignments",
    "updatedBy": "57cd7118-f92c-4964-9dfb-9061cexample",
    "updatedOn": "2023-06-20T14:45:28.448014+00:00"
  }
]
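Listing assignments is also the starting point for a periodic review. The script below is an added example and not part of the original post: it takes the tab-separated output of az role assignment list (the --all flag includes assignments made at resource-group and resource scope within the subscription, and the --query projects four columns) and flags the rows where Owner, Contributor or User Access Administrator is held on a whole subscription, a management group or the root scope, which is where such roles do the most damage if the principal is compromised. The five rows in sample_assignments are constructed to look like that output; the group, service principal and management-group names in them are invented.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): review the output of
#   az role assignment list --all \
#     --query "[].[principalName,principalType,roleDefinitionName,scope]" --output tsv
# and flag broad built-in roles granted on a whole subscription, a management
# group or the root scope. The rows in sample_assignments are constructed data.
set -euo pipefail

# Five constructed rows in the same TSV column order as the az query above.
# The last row has an empty principalName: the CLI prints nothing there when
# the principal no longer exists, so such assignments are also cleanup candidates.
sample_assignments() {
  printf 'example-group\tGroup\tContributor\t/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example\n'
  printf 'deploy-sp\tServicePrincipal\tContributor\t/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example/resourceGroups/rg-app\n'
  printf 'ops-team\tGroup\tReader\t/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example\n'
  printf 'break-glass\tUser\tOwner\t/providers/Microsoft.Management/managementGroups/corp-root\n'
  printf '\tGroup\tUser Access Administrator\t/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example\n'
}

# Reads TSV rows (principalName, principalType, roleDefinitionName, scope) on
# stdin and prints those where a role that can manage everything, or hand out
# access, is held on a scope with no resource-group or resource component.
# awk is used instead of `read` because awk keeps empty columns intact.
flag_broad_assignments() {
  awk -F '\t' '
    $3 == "Owner" || $3 == "Contributor" || $3 == "User Access Administrator" {
      if ($4 == "/" ||
          $4 ~ /^\/subscriptions\/[^\/]+$/ ||
          $4 ~ /^\/providers\/Microsoft\.Management\/managementGroups\/[^\/]+$/)
        print
    }'
}

# Number of flagged rows in the constructed sample (3: example-group,
# break-glass and the orphaned User Access Administrator assignment).
count_flagged_in_sample() {
  sample_assignments | flag_broad_assignments | wc -l | tr -d ' '
}

# Run directly: print the findings for the sample. For a real review, pipe the
# az command from the header comment into flag_broad_assignments instead.
sample_assignments | flag_broad_assignments
```

The resource-group assignment for deploy-sp and the Reader assignment for ops-team are deliberately not flagged: the check is about broad roles at broad scopes, not about every Contributor in the tenant.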
How to look up the IDs
This section shows how to use the Azure CLI to look up the IDs that the az role assignment command needs:
- the ID of the user or group that needs access
- the ID of the role to assign
- the subscription ID
Looking up the ID of the user or group that needs access
Command to look up a group ID:
$ az ad group show --group example-group --query "id" --output tsv
d6916475-7391-4495-840a-e93daexample
To look up a user ID instead, use the following command:
$ az ad user show --id [email protected] --query "id" --output tsv
c6c3a2ac-3fb6-4fbe-bd06-39a99example
Looking up the ID of the role to assign
The following command lists role definitions. The full list is long, so the example filters it with grep for Contributor. Note that grep matches every role whose name merely contains "Contributor"; the role we want is the one whose roleName column is exactly Contributor, with ID b24988ac-6180-42a0-ab88-20f7382dd24c. Copy the ID from that column rather than from a similarly named role such as "Classic Virtual Machine Contributor".
$ az role definition list --query "[].{name:name, roleType:roleType, roleName:roleName}" --output tsv | grep Contributor
312a565d-c81f-4fd8-895a-4e21e48d571c	BuiltInRole	API Management Service Contributor
ae349356-3a1b-4a5e-921d-050484c6347e	BuiltInRole	Application Insights Component Contributor
4f8fab4f-1852-4a58-a46a-8eaf358af14a	BuiltInRole	Avere Contributor
5e467623-bb1f-42f4-a55d-6e525e11384b	BuiltInRole	Backup Contributor
5e3c6656-6cfa-4708-81fe-0de47ac73342	BuiltInRole	BizTalk Contributor
426e0c7f-0c7e-4658-b36f-ff54d6c29b45	BuiltInRole	CDN Endpoint Contributor
ec156ff8-a8d1-4d15-830c-5b80698ca432	BuiltInRole	CDN Profile Contributor
b34d265f-36f7-4a0d-a4d4-e158ca92e90f	BuiltInRole	Classic Network Contributor
86e8f5dc-a6e9-4c67-9d15-de283e8eac25	BuiltInRole	Classic Storage Account Contributor
9106cda0-8a86-4e81-b686-29a22c54effe	BuiltInRole	ClearDB MySQL DB Contributor
d73bb868-a0df-4d4d-bd69-98a00b01fccb	BuiltInRole	Classic Virtual Machine Contributor
25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68	BuiltInRole	Cognitive Services Contributor
b24988ac-6180-42a0-ab88-20f7382dd24c	BuiltInRole	Contributor
434105ed-43f6-45c7-a02f-909b2ba83430	BuiltInRole	Cost Management Contributor
add466c9-e687-43fc-8d98-dfcf8d720be5	BuiltInRole	Data Box Contributor
673868aa-7521-48a0-acc6-0f60742d39f5	BuiltInRole	Data Factory Contributor
5bd9cd88-fe45-4216-938b-f97437e15450	BuiltInRole	DocumentDB Account Contributor
befefa01-2a29-4197-83a8-272ff33ce314	BuiltInRole	DNS Zone Contributor
428e0ff0-5e57-4d9c-a221-2c70d0e0a443	BuiltInRole	EventGrid EventSubscription Contributor
8d8d5a11-05d3-4bda-a417-a08778121c7c	BuiltInRole	HDInsight Domain Services Contributor
03a6d094-3444-4b3d-88af-7477090a9e5e	BuiltInRole	Intelligent Systems Account Contributor
f25e0fa2-a7c8-4377-a976-54943a77a395	BuiltInRole	Key Vault Contributor
92aaf0da-9dab-42b6-94a3-d43ce8d16293	BuiltInRole	Log Analytics Contributor
87a39d53-fc1b-424a-814c-f7e04687dc9e	BuiltInRole	Logic App Contributor
e40ec5ca-96e0-45a2-b4ff-59039f2c2b59	BuiltInRole	Managed Identity Contributor
5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c	BuiltInRole	Management Group Contributor
4d97b98b-1d4f-4787-a291-c67834d212e7	BuiltInRole	Network Contributor
5d28c62d-5b37-4476-8438-e587778df237	BuiltInRole	New Relic APM Account Contributor
e0f68234-74aa-48ed-b826-c38b57376e17	BuiltInRole	Redis Cache Contributor
36243c78-bf99-498c-9df9-86d9f8d28608	BuiltInRole	Resource Policy Contributor
188a0f2f-5c9e-469b-ae67-2aa5ce574b94	BuiltInRole	Scheduler Job Collections Contributor
7ca78c08-252a-4471-8644-bb5ff32d4ba0	BuiltInRole	Search Service Contributor
8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827	BuiltInRole	Spatial Anchors Account Contributor
6670b86e-a3f7-4917-ac9b-5d6ab1be4567	BuiltInRole	Site Recovery Contributor
4939a1f6-9ae0-4e48-a1e0-f2cbe897382d	BuiltInRole	SQL Managed Instance Contributor
9b7fa17d-e63e-47b0-bb0a-15c516ac86ec	BuiltInRole	SQL DB Contributor
17d1049b-9a84-46fb-8f53-869881c3d3ab	BuiltInRole	Storage Account Contributor
6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437	BuiltInRole	SQL Server Contributor
ba92f5b4-2d11-453d-a403-e96b0029c9fe	BuiltInRole	Storage Blob Data Contributor
974c5e8b-45b9-4653-ba55-5f855dd0fb88	BuiltInRole	Storage Queue Data Contributor
cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e	BuiltInRole	Support Request Contributor
a4b10055-b0c7-44c2-b00f-c7b5b3550cf7	BuiltInRole	Traffic Manager Contributor
9980e02c-c2be-4d73-94e8-173b1dc7cf3c	BuiltInRole	Virtual Machine Contributor
2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b	BuiltInRole	Web Plan Contributor
de139f84-1756-47ae-9be6-808fbbe84772	BuiltInRole	Website Contributor
bbf86eb8-f7b4-4cce-96e4-18cddf81d86e	BuiltInRole	Attestation Contributor
0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb	BuiltInRole	Storage File Data SMB Share Contributor
b12aa53e-6015-4669-85d0-8515ebb3ae7f	BuiltInRole	Private DNS Zone Contributor
a7264617-510b-434b-a828-9731dc254ea7	BuiltInRole	Storage File Data SMB Share Elevated Contributor
41077137-e803-4205-871c-5a86e6a753b4	BuiltInRole	Blueprint Contributor
ab8e14d6-4a74-4a29-9ba8-549422addade	BuiltInRole	Microsoft Sentinel Contributor
8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761	BuiltInRole	SignalR/Web PubSub Contributor
7f646f1b-fa08-80eb-a22b-edd6ce5c915c	BuiltInRole	Experimentation Contributor
641177b8-a67a-45b9-a033-47bc880bb21e	BuiltInRole	Managed Application Contributor Role
612c2aa1-cb24-443b-ac28-3ab7272de6f5	BuiltInRole	Security Assessment Contributor
4a9ae827-6dc8-4573-8ac7-8239d42aa03f	BuiltInRole	Tag Contributor
a41e2c5b-bd99-4a07-88f4-9bf657a760b8	BuiltInRole	Integration Service Environment Contributor
ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8	BuiltInRole	Azure Kubernetes Service Contributor Role
5a1fc7df-4bf1-4951-a576-89034ee01acd	BuiltInRole	FHIR Data Contributor
8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204	BuiltInRole	Azure Maps Data Contributor
c1ff6cc2-c111-46fe-8896-e0ef812ad9f3	BuiltInRole	Cognitive Services Custom Vision Contributor
daa9e50b-21df-454c-94a6-a8050adab352	BuiltInRole	Collaborative Data Contributor
5dffeca3-4936-4216-b2bc-10343a5abb25	BuiltInRole	Schema Registry Contributor (Preview)
8508508a-4469-4e45-963b-2518ee0bb728	BuiltInRole	AgFood Platform Service Contributor
e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1	BuiltInRole	Storage Account Backup Contributor
6188b7c9-7d01-4f99-a59f-c88b630326c0	BuiltInRole	Experimentation Metric Contributor
ca6382a4-1721-4bcf-a114-ff0c70227b6b	BuiltInRole	Application Group Contributor
082f0a83-3be5-4ba1-904c-961cca79b387	BuiltInRole	Desktop Virtualization Contributor
21efdde3-836f-432b-bf3d-3e8e734d4b2b	BuiltInRole	Desktop Virtualization Workspace Contributor
e307426c-f9b6-4e81-87de-d99efb3c32bc	BuiltInRole	Desktop Virtualization Host Pool Contributor
86240b0e-9422-4c43-887b-b61143f32ba8	BuiltInRole	Desktop Virtualization Application Group Contributor
7efff54f-a5b4-42b5-a1c5-5411624893ce	BuiltInRole	Disk Snapshot Contributor
1e241071-0855-49ea-94dc-649edcd759de	BuiltInRole	EventGrid Contributor
0e75ca1e-0464-4b4d-8b93-68208a576181	BuiltInRole	Cognitive Services Speech Contributor
494bdba2-168f-4f31-a0a1-191d2f7c028c	BuiltInRole	IoT Hub Twin Contributor
4ea46cd5-c1b2-4a8e-910b-273211f9ce47	BuiltInRole	IoT Hub Registry Contributor
4fc6c259-987e-4a07-842e-c321cc9d413f	BuiltInRole	IoT Hub Data Contributor
8ebe5a00-799e-43f5-93ac-243d3dce84a7	BuiltInRole	Search Index Data Contributor
0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3	BuiltInRole	Storage Table Data Contributor
f353d9bd-d4a6-484e-a77a-8050b599b867	BuiltInRole	Automation Contributor
85cb6faf-e071-4c9b-8136-154b5a04f717	BuiltInRole	Kubernetes Extension Contributor
dfce44e4-17b7-4bd1-a6d1-04996ec95633	BuiltInRole	Device Provisioning Service Data Contributor
f5880b48-c26d-48be-b172-7927bfa1c8f1	BuiltInRole	Azure Spring Cloud Service Registry Contributor
a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b	BuiltInRole	Azure Spring Cloud Config Server Contributor
6ae96244-5829-4925-a7d3-5975537d91dd	BuiltInRole	Azure VM Managed identities restore Contributor
dba33070-676a-4fb0-87fa-064dc56ff7fb	BuiltInRole	Azure Maps Contributor
b748a06d-6150-4f8a-aaa9-ce3940cd96cb	BuiltInRole	Azure Arc VMware VM Contributor
749a398d-560b-491b-bb21-08924219302e	BuiltInRole	Load Test Contributor
0c8b84dc-067c-4039-9615-fa1a4b77c726	BuiltInRole	PlayFab Contributor
f69b8690-cc87-41d6-b77a-a4bc3c0a966f	BuiltInRole	Lab Services Contributor
5daaa2af-1fe8-407c-9122-bba179798270	BuiltInRole	Lab Contributor
e8ddcd69-c73f-4f9f-9844-4100522f16ad	BuiltInRole	Workbook Contributor
749f88d5-cbae-40b8-bcfc-e573ddc772fa	BuiltInRole	Monitoring Contributor
b8b15564-4fa6-4a59-ab12-03e1d9594795	BuiltInRole	Autonomous Development Platform Data Contributor (Preview)
f4c81013-99ee-4d62-a7ee-b3f1f648599a	BuiltInRole	Microsoft Sentinel Automation Contributor
088ab73d-1256-47ae-bea9-9de8e7131f31	BuiltInRole	Guest Configuration Resource Contributor
eeaeda52-9324-47f6-8069-5d5bade478b2	BuiltInRole	Domain Services Contributor
0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d	BuiltInRole	DNS Resolver Contributor
6b77f0a0-0d89-41cc-acd1-579c22c17a67	BuiltInRole	AgFood Platform Sensor Partner Contributor
cd08ab90-6b14-449c-ad9a-8f8e549482c6	BuiltInRole	Scheduled Patching Contributor
e582369a-e17b-42a5-b10c-874c387c530b	BuiltInRole	Azure Arc ScVmm VM Contributor
a959dbd1-f747-45e3-8ba6-dd80f235f97c	BuiltInRole	Desktop Virtualization Virtual Machine Contributor
40c5ff49-9181-41f8-ae61-143b0e78555e	BuiltInRole	Desktop Virtualization Power On Off Contributor
489581de-a3bd-480d-9518-53dea7416b33	BuiltInRole	Desktop Virtualization Power On Contributor
63bb64ad-9799-4770-b5c3-24ed299a07bf	BuiltInRole	Azure Kubernetes Fleet Manager Contributor Role
1c9b6475-caf0-4164-b5a1-2142a7116f4b	BuiltInRole	Template Spec Contributor
a001fd3d-188f-4b5d-821b-7da978bf7442	BuiltInRole	Cognitive Services OpenAI Contributor
0ab34830-df19-4f8c-b84e-aa85b8afa6e8	BuiltInRole	Azure Front Door Domain Contributor
3f2eb865-5811-4578-b90a-6fc6fa0df8e5	BuiltInRole	Azure Front Door Secret Contributor
0c34c906-8d99-4cb7-8bb7-33f5b0a1a799	BuiltInRole	API Management Workspace Contributor
69566ab7-960f-475b-8e7c-b3118f30c6bd	BuiltInRole	Storage File Data Privileged Contributor
1f135831-5bbe-4924-9016-264044c00788	BuiltInRole	Windows365NetworkInterfaceContributor
8b9dfcab-4b77-4632-a6df-94bd07820648	BuiltInRole	Azure Sphere Contributor
e9b8712a-cbcf-4ea7-b0f7-e71b803401e6	BuiltInRole	SaaS Hub Contributor
7ac06ca7-21ca-47e3-a67b-cbd6e6223baf	BuiltInRole	Cognitive Search Serverless Data Contributor
Looking up the subscription ID
The subscription ID can be found with the following command. If you have many subscriptions, narrowing the list with grep works fine.
$ az account list --query "[].{name:name, id:id}" --output tsv
test-subscription	eab80a4f-1fd9-464d-b71c-d3cd6example
Example: looking up the ID and assigning in one go
Here is an example that looks up the ID and performs the role assignment in one sequence.
For instance, when the subscription and the role are fixed but the same assignment has to be repeated for different groups, the following commands can be pasted and run as a unit. The idea is to change the value of groupName each time; the role assigned here is Contributor. The variables are quoted and the group lookup is checked before the assignment runs, because an empty groupId would otherwise make the CLI treat the next option as the assignee value.
groupName="example-group"
groupId=$(az ad group show --group "${groupName}" --query "id" --output tsv)
[ -n "${groupId}" ] || { echo "group ${groupName} not found" >&2; exit 1; }
az role assignment create --assignee "${groupId}" \
  --role "b24988ac-6180-42a0-ab88-20f7382dd24c" \
  --subscription "eab80a4f-1fd9-464d-b71c-d3cd6example"
That concludes the walkthrough of assigning a role on a subscription with the Azure CLI.
Closing
I had an occasion to assign a role on a subscription with the Azure CLI, so I wrote it up as a post.
I hope this post is useful to someone.