Assigning a role on a subscription with the Azure CLI

2023.06.21

In this post I assign a role on an Azure subscription with the Azure CLI. Concretely, a specific Azure AD group is granted the Contributor role on the subscription.

Assigning a role on a subscription with the Azure CLI

The procedure for assigning a role on a subscription with the Azure CLI is described in the following document, and I follow it here.

Assign Azure roles using Azure CLI - Azure RBAC | Microsoft Learn


The az role assignment command is what assigns a role on a subscription.

az role assignment | Microsoft Learn


Here is the command that grants the group the Contributor role on the subscription. --assignee takes the group's object ID, --role the role definition ID (the GUID of the built-in Contributor role; the role name also works), and --subscription the target subscription. Note the first line of the output below: the CLI warns that --scope is becoming mandatory when creating a role assignment, so passing --scope "/subscriptions/<subscription ID>" explicitly is the safer habit, and it also makes the intended scope visible in the command rather than implied by --subscription.

az role assignment create --assignee "d6916475-7391-4495-840a-e93daexample" \
--role "b24988ac-6180-42a0-ab88-20f7382dd24c" \
--subscription "eab80a4f-1fd9-464d-b71c-d3cd6example"

Example output:

$ az role assignment create --assignee "d6916475-7391-4495-840a-e93daexample" \
--role "b24988ac-6180-42a0-ab88-20f7382dd24c" \
--subscription "eab80a4f-1fd9-464d-b71c-d3cd6example"
--scope argument will become required for creating a role assignment in the breaking change release of the fall of 2023. Please explicitly specify --scope.
{
  "condition": null,
  "conditionVersion": null,
  "createdBy": null,
  "createdOn": "2023-06-20T14:45:26.112804+00:00",
  "delegatedManagedIdentityResourceId": null,
  "description": null,
  "id": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example/providers/Microsoft.Authorization/roleAssignments/82f12c4a-78c9-45f3-b42a-25f88ef7cb65",
  "name": "82f12c4a-78c9-45f3-b42a-25f88ef7cb65",
  "principalId": "d6916475-7391-4495-840a-e93daexample",
  "principalType": "Group",
  "roleDefinitionId": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "scope": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example",
  "type": "Microsoft.Authorization/roleAssignments",
  "updatedBy": "57cd7118-f92c-4964-9dfb-9061cexample",
  "updatedOn": "2023-06-20T14:45:28.448014+00:00"
}


Now let's confirm the result.

Listing the role assignments on a subscription with the Azure CLI is described in the following document.

List Azure role assignments using Azure CLI - Azure RBAC | Microsoft Learn


Example command:

az role assignment list --subscription "eab80a4f-1fd9-464d-b71c-d3cd6example"

Example output. Unlike the create output, the list output resolves principalName and roleDefinitionName, so this is the easier place to confirm that the right group received the right role at the right scope (principalType, roleDefinitionName and scope are the three fields worth checking).

$ az role assignment list --subscription "eab80a4f-1fd9-464d-b71c-d3cd6example"
[
  {
    "condition": null,
    "conditionVersion": null,
    "createdBy": "57cd7118-f92c-4964-9dfb-9061cexample",
    "createdOn": "2023-06-20T14:45:28.448014+00:00",
    "delegatedManagedIdentityResourceId": null,
    "description": null,
    "id": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example/providers/Microsoft.Authorization/roleAssignments/82f12c4a-78c9-45f3-b42a-25f88ef7cb65",
    "name": "82f12c4a-78c9-45f3-b42a-25f88ef7cb65",
    "principalId": "d6916475-7391-4495-840a-e93daexample",
    "principalName": "example-group",
    "principalType": "Group",
    "roleDefinitionId": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example",
    "type": "Microsoft.Authorization/roleAssignments",
    "updatedBy": "57cd7118-f92c-4964-9dfb-9061cexample",
    "updatedOn": "2023-06-20T14:45:28.448014+00:00"
  }
]
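The check above is done by eye. As an added example (not code from the original post), here is the same verification done programmatically over the JSON that az role assignment list prints, plus the audit a security reviewer would run next: flag the broad built-in roles (Owner, Contributor, User Access Administrator) held at subscription scope or above. SAMPLE_JSON is constructed: the first entry mirrors the post's output, the other two are invented so that the flagging path runs offline. The Owner and User Access Administrator GUIDs are the well-known built-in role IDs.

```python
"""Verify and audit `az role assignment list --output json`.

Added example, not the post's own code. find_assignment() confirms a principal
holds a role at an exact scope; broad_assignments() lists broad roles granted
at subscription scope or higher, where a Contributor/Owner grant matters most.
"""
import json
import re

# Well-known built-in role definition GUIDs (Contributor is the one used in the post).
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMINISTRATOR = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
BROAD_ROLES = {
    CONTRIBUTOR: "Contributor",
    OWNER: "Owner",
    USER_ACCESS_ADMINISTRATOR: "User Access Administrator",
}

SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+$", re.IGNORECASE)
MANAGEMENT_GROUP_SCOPE = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.IGNORECASE)

SUB = "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example"
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"

# Constructed sample input (only the fields the audit reads are included).
SAMPLE_JSON = json.dumps([
    {   # mirrors the post's list output: the group's Contributor grant
        "principalId": "d6916475-7391-4495-840a-e93daexample",
        "principalName": "example-group", "principalType": "Group",
        "roleDefinitionId": ROLE_DEFS + CONTRIBUTOR, "roleDefinitionName": "Contributor",
        "scope": SUB,
    },
    {   # invented: a user holding Owner on the whole subscription
        "principalId": "c6c3a2ac-3fb6-4fbe-bd06-39a99example",
        "principalName": "example-user@example.net", "principalType": "User",
        "roleDefinitionId": ROLE_DEFS + OWNER, "roleDefinitionName": "Owner",
        "scope": SUB,
    },
    {   # invented: Contributor on one resource group only, must not be flagged
        "principalId": "c6c3a2ac-3fb6-4fbe-bd06-39a99example",
        "principalName": "example-user@example.net", "principalType": "User",
        "roleDefinitionId": ROLE_DEFS + CONTRIBUTOR, "roleDefinitionName": "Contributor",
        "scope": SUB + "/resourceGroups/rg-example",
    },
])


def parse_assignments(text):
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array from `az role assignment list`")
    return data


def role_id(assignment):
    # roleDefinitionId ends in ".../roleDefinitions/<guid>"; compare GUIDs case-insensitively
    return assignment["roleDefinitionId"].rsplit("/", 1)[-1].lower()


def find_assignment(assignments, principal_id, role, scope):
    """Return the assignment giving `principal_id` the role `role` at exactly `scope`, else None."""
    for a in assignments:
        if (a["principalId"].lower() == principal_id.lower()
                and role_id(a) == role.lower()
                and a["scope"].lower() == scope.lower()):
            return a
    return None


def is_subscription_or_above(scope):
    """Root, management group or whole-subscription scope; resource groups and below are not."""
    return scope == "/" or bool(SUBSCRIPTION_SCOPE.match(scope)) or bool(MANAGEMENT_GROUP_SCOPE.match(scope))


def broad_assignments(assignments):
    """Broad built-in roles granted at subscription scope or higher, in list order."""
    findings = []
    for a in assignments:
        rid = role_id(a)
        if rid in BROAD_ROLES and is_subscription_or_above(a["scope"]):
            findings.append({
                "principal": a.get("principalName") or a["principalId"],
                "principalType": a.get("principalType"),
                "role": BROAD_ROLES[rid],
                "scope": a["scope"],
            })
    return findings


if __name__ == "__main__":
    assignments = parse_assignments(SAMPLE_JSON)
    expected = find_assignment(assignments, "d6916475-7391-4495-840a-e93daexample", CONTRIBUTOR, SUB)
    print("expected grant present:", expected is not None)
    for f in broad_assignments(assignments):
        print(f"BROAD: {f['principalType']} {f['principal']} has {f['role']} at {f['scope']}")
```

To run it against a real subscription, replace SAMPLE_JSON with the text of az role assignment list --subscription <id> --output json (for instance read from sys.stdin). Scope comparison is deliberately exact: an assignment on a resource group is not the same grant as one on the subscription, and an audit that only matches on role name would miss that distinction.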


How to look up the IDs

Here is how to look up, with the Azure CLI, the IDs that the az role assignment command needs:

  • the object ID of the user or group that needs access
  • the ID of the role to assign
  • the subscription ID


The object ID of the user or group that needs access

The command to get a group's object ID (--output tsv strips the JSON quotes so the value can be used directly in a shell variable):

$ az ad group show --group example-group --query "id" --output tsv
d6916475-7391-4495-840a-e93daexample

If you need a user's object ID instead:

$ az ad user show --id example-user@example.net --query "id" --output tsv
c6c3a2ac-3fb6-4fbe-bd06-39a99example


The ID of the role to assign

The following command lists the role definitions. The full list is long, so this example filters it with grep for Contributor. The line whose roleName is exactly Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c) is the one we want. Be aware that grep also matches every service-specific role containing the word, such as Storage Account Contributor or Key Vault Contributor, so confirm the roleName column rather than copying the first GUID that scrolls past.

$ az role definition list --query "[].{name:name, roleType:roleType, roleName:roleName}" --output tsv | grep Contributor
312a565d-c81f-4fd8-895a-4e21e48d571c    BuiltInRole     API Management Service Contributor
ae349356-3a1b-4a5e-921d-050484c6347e    BuiltInRole     Application Insights Component Contributor
4f8fab4f-1852-4a58-a46a-8eaf358af14a    BuiltInRole     Avere Contributor
5e467623-bb1f-42f4-a55d-6e525e11384b    BuiltInRole     Backup Contributor
5e3c6656-6cfa-4708-81fe-0de47ac73342    BuiltInRole     BizTalk Contributor
426e0c7f-0c7e-4658-b36f-ff54d6c29b45    BuiltInRole     CDN Endpoint Contributor
ec156ff8-a8d1-4d15-830c-5b80698ca432    BuiltInRole     CDN Profile Contributor
b34d265f-36f7-4a0d-a4d4-e158ca92e90f    BuiltInRole     Classic Network Contributor
86e8f5dc-a6e9-4c67-9d15-de283e8eac25    BuiltInRole     Classic Storage Account Contributor
9106cda0-8a86-4e81-b686-29a22c54effe    BuiltInRole     ClearDB MySQL DB Contributor
d73bb868-a0df-4d4d-bd69-98a00b01fccb    BuiltInRole     Classic Virtual Machine Contributor
25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68    BuiltInRole     Cognitive Services Contributor
b24988ac-6180-42a0-ab88-20f7382dd24c    BuiltInRole     Contributor
434105ed-43f6-45c7-a02f-909b2ba83430    BuiltInRole     Cost Management Contributor
add466c9-e687-43fc-8d98-dfcf8d720be5    BuiltInRole     Data Box Contributor
673868aa-7521-48a0-acc6-0f60742d39f5    BuiltInRole     Data Factory Contributor
5bd9cd88-fe45-4216-938b-f97437e15450    BuiltInRole     DocumentDB Account Contributor
befefa01-2a29-4197-83a8-272ff33ce314    BuiltInRole     DNS Zone Contributor
428e0ff0-5e57-4d9c-a221-2c70d0e0a443    BuiltInRole     EventGrid EventSubscription Contributor
8d8d5a11-05d3-4bda-a417-a08778121c7c    BuiltInRole     HDInsight Domain Services Contributor
03a6d094-3444-4b3d-88af-7477090a9e5e    BuiltInRole     Intelligent Systems Account Contributor
f25e0fa2-a7c8-4377-a976-54943a77a395    BuiltInRole     Key Vault Contributor
92aaf0da-9dab-42b6-94a3-d43ce8d16293    BuiltInRole     Log Analytics Contributor
87a39d53-fc1b-424a-814c-f7e04687dc9e    BuiltInRole     Logic App Contributor
e40ec5ca-96e0-45a2-b4ff-59039f2c2b59    BuiltInRole     Managed Identity Contributor
5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c    BuiltInRole     Management Group Contributor
4d97b98b-1d4f-4787-a291-c67834d212e7    BuiltInRole     Network Contributor
5d28c62d-5b37-4476-8438-e587778df237    BuiltInRole     New Relic APM Account Contributor
e0f68234-74aa-48ed-b826-c38b57376e17    BuiltInRole     Redis Cache Contributor
36243c78-bf99-498c-9df9-86d9f8d28608    BuiltInRole     Resource Policy Contributor
188a0f2f-5c9e-469b-ae67-2aa5ce574b94    BuiltInRole     Scheduler Job Collections Contributor
7ca78c08-252a-4471-8644-bb5ff32d4ba0    BuiltInRole     Search Service Contributor
8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827    BuiltInRole     Spatial Anchors Account Contributor
6670b86e-a3f7-4917-ac9b-5d6ab1be4567    BuiltInRole     Site Recovery Contributor
4939a1f6-9ae0-4e48-a1e0-f2cbe897382d    BuiltInRole     SQL Managed Instance Contributor
9b7fa17d-e63e-47b0-bb0a-15c516ac86ec    BuiltInRole     SQL DB Contributor
17d1049b-9a84-46fb-8f53-869881c3d3ab    BuiltInRole     Storage Account Contributor
6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437    BuiltInRole     SQL Server Contributor
ba92f5b4-2d11-453d-a403-e96b0029c9fe    BuiltInRole     Storage Blob Data Contributor
974c5e8b-45b9-4653-ba55-5f855dd0fb88    BuiltInRole     Storage Queue Data Contributor
cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e    BuiltInRole     Support Request Contributor
a4b10055-b0c7-44c2-b00f-c7b5b3550cf7    BuiltInRole     Traffic Manager Contributor
9980e02c-c2be-4d73-94e8-173b1dc7cf3c    BuiltInRole     Virtual Machine Contributor
2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b    BuiltInRole     Web Plan Contributor
de139f84-1756-47ae-9be6-808fbbe84772    BuiltInRole     Website Contributor
bbf86eb8-f7b4-4cce-96e4-18cddf81d86e    BuiltInRole     Attestation Contributor
0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb    BuiltInRole     Storage File Data SMB Share Contributor
b12aa53e-6015-4669-85d0-8515ebb3ae7f    BuiltInRole     Private DNS Zone Contributor
a7264617-510b-434b-a828-9731dc254ea7    BuiltInRole     Storage File Data SMB Share Elevated Contributor
41077137-e803-4205-871c-5a86e6a753b4    BuiltInRole     Blueprint Contributor
ab8e14d6-4a74-4a29-9ba8-549422addade    BuiltInRole     Microsoft Sentinel Contributor
8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761    BuiltInRole     SignalR/Web PubSub Contributor
7f646f1b-fa08-80eb-a22b-edd6ce5c915c    BuiltInRole     Experimentation Contributor
641177b8-a67a-45b9-a033-47bc880bb21e    BuiltInRole     Managed Application Contributor Role
612c2aa1-cb24-443b-ac28-3ab7272de6f5    BuiltInRole     Security Assessment Contributor
4a9ae827-6dc8-4573-8ac7-8239d42aa03f    BuiltInRole     Tag Contributor
a41e2c5b-bd99-4a07-88f4-9bf657a760b8    BuiltInRole     Integration Service Environment Contributor
ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8    BuiltInRole     Azure Kubernetes Service Contributor Role
5a1fc7df-4bf1-4951-a576-89034ee01acd    BuiltInRole     FHIR Data Contributor
8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204    BuiltInRole     Azure Maps Data Contributor
c1ff6cc2-c111-46fe-8896-e0ef812ad9f3    BuiltInRole     Cognitive Services Custom Vision Contributor
daa9e50b-21df-454c-94a6-a8050adab352    BuiltInRole     Collaborative Data Contributor
5dffeca3-4936-4216-b2bc-10343a5abb25    BuiltInRole     Schema Registry Contributor (Preview)
8508508a-4469-4e45-963b-2518ee0bb728    BuiltInRole     AgFood Platform Service Contributor
e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1    BuiltInRole     Storage Account Backup Contributor
6188b7c9-7d01-4f99-a59f-c88b630326c0    BuiltInRole     Experimentation Metric Contributor
ca6382a4-1721-4bcf-a114-ff0c70227b6b    BuiltInRole     Application Group Contributor
082f0a83-3be5-4ba1-904c-961cca79b387    BuiltInRole     Desktop Virtualization Contributor
21efdde3-836f-432b-bf3d-3e8e734d4b2b    BuiltInRole     Desktop Virtualization Workspace Contributor
e307426c-f9b6-4e81-87de-d99efb3c32bc    BuiltInRole     Desktop Virtualization Host Pool Contributor
86240b0e-9422-4c43-887b-b61143f32ba8    BuiltInRole     Desktop Virtualization Application Group Contributor
7efff54f-a5b4-42b5-a1c5-5411624893ce    BuiltInRole     Disk Snapshot Contributor
1e241071-0855-49ea-94dc-649edcd759de    BuiltInRole     EventGrid Contributor
0e75ca1e-0464-4b4d-8b93-68208a576181    BuiltInRole     Cognitive Services Speech Contributor
494bdba2-168f-4f31-a0a1-191d2f7c028c    BuiltInRole     IoT Hub Twin Contributor
4ea46cd5-c1b2-4a8e-910b-273211f9ce47    BuiltInRole     IoT Hub Registry Contributor
4fc6c259-987e-4a07-842e-c321cc9d413f    BuiltInRole     IoT Hub Data Contributor
8ebe5a00-799e-43f5-93ac-243d3dce84a7    BuiltInRole     Search Index Data Contributor
0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3    BuiltInRole     Storage Table Data Contributor
f353d9bd-d4a6-484e-a77a-8050b599b867    BuiltInRole     Automation Contributor
85cb6faf-e071-4c9b-8136-154b5a04f717    BuiltInRole     Kubernetes Extension Contributor
dfce44e4-17b7-4bd1-a6d1-04996ec95633    BuiltInRole     Device Provisioning Service Data Contributor
f5880b48-c26d-48be-b172-7927bfa1c8f1    BuiltInRole     Azure Spring Cloud Service Registry Contributor
a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b    BuiltInRole     Azure Spring Cloud Config Server Contributor
6ae96244-5829-4925-a7d3-5975537d91dd    BuiltInRole     Azure VM Managed identities restore Contributor
dba33070-676a-4fb0-87fa-064dc56ff7fb    BuiltInRole     Azure Maps Contributor
b748a06d-6150-4f8a-aaa9-ce3940cd96cb    BuiltInRole     Azure Arc VMware VM Contributor
749a398d-560b-491b-bb21-08924219302e    BuiltInRole     Load Test Contributor
0c8b84dc-067c-4039-9615-fa1a4b77c726    BuiltInRole     PlayFab Contributor
f69b8690-cc87-41d6-b77a-a4bc3c0a966f    BuiltInRole     Lab Services Contributor
5daaa2af-1fe8-407c-9122-bba179798270    BuiltInRole     Lab Contributor
e8ddcd69-c73f-4f9f-9844-4100522f16ad    BuiltInRole     Workbook Contributor
749f88d5-cbae-40b8-bcfc-e573ddc772fa    BuiltInRole     Monitoring Contributor
b8b15564-4fa6-4a59-ab12-03e1d9594795    BuiltInRole     Autonomous Development Platform Data Contributor (Preview)
f4c81013-99ee-4d62-a7ee-b3f1f648599a    BuiltInRole     Microsoft Sentinel Automation Contributor
088ab73d-1256-47ae-bea9-9de8e7131f31    BuiltInRole     Guest Configuration Resource Contributor
eeaeda52-9324-47f6-8069-5d5bade478b2    BuiltInRole     Domain Services Contributor
0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d    BuiltInRole     DNS Resolver Contributor
6b77f0a0-0d89-41cc-acd1-579c22c17a67    BuiltInRole     AgFood Platform Sensor Partner Contributor
cd08ab90-6b14-449c-ad9a-8f8e549482c6    BuiltInRole     Scheduled Patching Contributor
e582369a-e17b-42a5-b10c-874c387c530b    BuiltInRole     Azure Arc ScVmm VM Contributor
a959dbd1-f747-45e3-8ba6-dd80f235f97c    BuiltInRole     Desktop Virtualization Virtual Machine Contributor
40c5ff49-9181-41f8-ae61-143b0e78555e    BuiltInRole     Desktop Virtualization Power On Off Contributor
489581de-a3bd-480d-9518-53dea7416b33    BuiltInRole     Desktop Virtualization Power On Contributor
63bb64ad-9799-4770-b5c3-24ed299a07bf    BuiltInRole     Azure Kubernetes Fleet Manager Contributor Role
1c9b6475-caf0-4164-b5a1-2142a7116f4b    BuiltInRole     Template Spec Contributor
a001fd3d-188f-4b5d-821b-7da978bf7442    BuiltInRole     Cognitive Services OpenAI Contributor
0ab34830-df19-4f8c-b84e-aa85b8afa6e8    BuiltInRole     Azure Front Door Domain Contributor
3f2eb865-5811-4578-b90a-6fc6fa0df8e5    BuiltInRole     Azure Front Door Secret Contributor
0c34c906-8d99-4cb7-8bb7-33f5b0a1a799    BuiltInRole     API Management Workspace Contributor
69566ab7-960f-475b-8e7c-b3118f30c6bd    BuiltInRole     Storage File Data Privileged Contributor
1f135831-5bbe-4924-9016-264044c00788    BuiltInRole     Windows365NetworkInterfaceContributor
8b9dfcab-4b77-4632-a6df-94bd07820648    BuiltInRole     Azure Sphere Contributor
e9b8712a-cbcf-4ea7-b0f7-e71b803401e6    BuiltInRole     SaaS Hub Contributor
7ac06ca7-21ca-47e3-a67b-cbd6e6223baf    BuiltInRole     Cognitive Search Serverless Data Contributor

The subscription ID

The subscription ID can be found with the following command. If you have access to many subscriptions, filtering with grep works well.

$ az account list --query "[].{name:name, id:id}" --output tsv
test-subscription       eab80a4f-1fd9-464d-b71c-d3cd6example


Looking up the ID and assigning the role in one go

Here is an example that chains the ID lookup and the role assignment.

If the subscription and the role are fixed and only the group changes between repeated assignments, you can paste the following block as one unit. Change the value of groupName each time; the role is Contributor.

groupName="example-group"
# Resolve the group's object ID; --output tsv strips the JSON quotes
groupId=$(az ad group show --group "${groupName}" --query "id" --output tsv)
# b24988ac-... is the built-in Contributor role definition ID.
# --scope is given explicitly because the CLI warns it becomes mandatory.
az role assignment create --assignee "${groupId}" \
--role "b24988ac-6180-42a0-ab88-20f7382dd24c" \
--scope "/subscriptions/eab80a4f-1fd9-464d-b71c-d3cd6example" \
--subscription "eab80a4f-1fd9-464d-b71c-d3cd6example"
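The pasted block has two weak spots a practitioner will hit when it is run repeatedly: if the group lookup fails, the create runs with an empty assignee, and re-running it for a group that already holds the role produces a redundant error. As an added example (not the post's own code), here is the same procedure wrapped in Python around the Azure CLI: it passes --scope explicitly, hands the CLI the object ID and principal type via --assignee-object-id and --assignee-principal-type so it does not have to look the group up in the directory again, refuses to continue if the lookup did not return a GUID, and skips the create when an identical assignment already exists at that exact scope. The run parameter is an injection point: az_runner calls the real CLI, make_fake_runner answers from canned data so the flow can be exercised with no az installed. The GUIDs in __main__ are constructed placeholders; note that the post's redacted IDs ending in "example" are deliberately rejected by the GUID check.

```python
"""Idempotent, explicit role assignment for an Azure AD group via the Azure CLI.

Added example, not the post's own code. Every az call goes through `run` so the
logic can be tested offline (make_fake_runner) or run for real (az_runner).
"""
import json
import re
import subprocess

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"  # built-in Contributor, as in the post


def az_runner(args):
    """Run `az <args> --output json` and return the parsed result (None if nothing printed)."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def make_fake_runner(existing_assignments, object_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"):
    """Offline stand-in for az_runner; records every call so callers can inspect what was sent."""
    calls = []

    def run(args):
        calls.append(list(args))
        if args[:3] == ["ad", "group", "show"]:
            return object_id                     # `--query id` comes back as a JSON string
        if args[:3] == ["role", "assignment", "list"]:
            return existing_assignments
        if args[:3] == ["role", "assignment", "create"]:
            return {"name": "11111111-2222-3333-4444-555555555555",   # constructed assignment ID
                    "scope": args[args.index("--scope") + 1]}
        raise AssertionError(f"unexpected az call: {args}")

    return run, calls


def subscription_scope(subscription_id):
    """Build the scope string; refuse anything that is not a GUID so a typo cannot land elsewhere."""
    if not GUID.match(subscription_id):
        raise ValueError(f"not a subscription GUID: {subscription_id!r}")
    return f"/subscriptions/{subscription_id}"


def group_object_id(group_name, run):
    """Resolve the group's object ID; fail loudly instead of passing an empty --assignee-object-id."""
    object_id = run(["ad", "group", "show", "--group", group_name, "--query", "id"])
    if not isinstance(object_id, str) or not GUID.match(object_id):
        raise LookupError(f"could not resolve group {group_name!r}: {object_id!r}")
    return object_id


def has_assignment(run, object_id, role, scope):
    """True if the principal already holds `role` at exactly `scope` (a child scope does not count)."""
    found = run(["role", "assignment", "list", "--assignee", object_id,
                 "--role", role, "--scope", scope]) or []
    return any(a.get("scope", "").lower() == scope.lower() for a in found)


def create_args(object_id, principal_type, role, scope):
    """The hardened create: explicit scope, object ID and principal type instead of a name lookup."""
    return ["role", "assignment", "create",
            "--assignee-object-id", object_id,
            "--assignee-principal-type", principal_type,
            "--role", role,
            "--scope", scope]


def assign_group_role(group_name, subscription_id, role=CONTRIBUTOR, run=az_runner):
    """Grant `role` to the group on the whole subscription, or report that it already holds it."""
    scope = subscription_scope(subscription_id)
    object_id = group_object_id(group_name, run)
    if has_assignment(run, object_id, role, scope):
        return {"action": "skipped", "principalId": object_id, "scope": scope}
    created = run(create_args(object_id, "Group", role, scope))
    return {"action": "created", "principalId": object_id, "scope": scope,
            "assignmentId": created["name"]}


if __name__ == "__main__":
    sub = "11111111-2222-3333-4444-555555555555"     # constructed placeholder
    run, calls = make_fake_runner(existing_assignments=[])
    print(assign_group_role("example-group", sub, run=run))
    # Against a real tenant: assign_group_role("example-group", sub)   (uses az_runner)
```

Checking for the existing assignment before creating is what makes the script safe to re-run from automation; the exact-scope comparison ensures that a Contributor grant on a resource group is not mistaken for the subscription-wide one this procedure is meant to create.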


That concludes the walkthrough of assigning a role on a subscription with the Azure CLI.

Closing

I had an occasion to assign a role on a subscription with the Azure CLI, so I wrote it up as a post.

I hope it is useful to someone.