Module authorization

This page documents the language specification for the azure package. If you're looking for help working with the inputs, outputs, or functions of azure resources in a Pulumi program, please see the resource documentation for examples and API reference.

Resources

Resource Assignment

class Assignment extends CustomResource

Assigns a given Principal (User or Group) to a given Role.

Example Usage

Using A Built-In Role
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    scope: primary.then(primary => primary.id),
    roleDefinitionName: "Reader",
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});
Custom Role & Service Principal
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    name: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    roleDefinitionId: exampleRoleDefinition.id,
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.objectId),
});
Custom Role & User
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    name: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    roleDefinitionId: exampleRoleDefinition.id,
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.clientId),
});
Custom Role & Management Group
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const exampleClientConfig = azure.core.getClientConfig({});
const exampleGroup = azure.management.getGroup({});
const exampleRoleDefinition = new azure.authorization.RoleDefinition("exampleRoleDefinition", {
    roleDefinitionId: "00000000-0000-0000-0000-000000000000",
    scope: primary.then(primary => primary.id),
    permissions: [{
        actions: ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});
const exampleAssignment = new azure.authorization.Assignment("exampleAssignment", {
    name: "00000000-0000-0000-0000-000000000000",
    scope: exampleGroup.then(exampleGroup => exampleGroup.id),
    roleDefinitionId: exampleRoleDefinition.id,
    principalId: exampleClientConfig.then(exampleClientConfig => exampleClientConfig.clientId),
});

constructor

new Assignment(name: string, args: AssignmentArgs, opts?: pulumi.CustomResourceOptions)

Create an Assignment resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AssignmentState, opts?: pulumi.CustomResourceOptions): Assignment

Get an existing Assignment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Assignment

Returns true if the given object is an instance of Assignment. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

property principalId

public principalId: pulumi.Output<string>;

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

property principalType

public principalType: pulumi.Output<string>;

The type of the principalId, e.g. User, Group, Service Principal, Application, etc.

property roleDefinitionId

public roleDefinitionId: pulumi.Output<string>;

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with roleDefinitionName.

property roleDefinitionName

public roleDefinitionName: pulumi.Output<string>;

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with roleDefinitionId.

property scope

public scope: pulumi.Output<string>;

The scope to which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

property skipServicePrincipalAadCheck

public skipServicePrincipalAadCheck: pulumi.Output<boolean>;

If the principalId is a newly provisioned Service Principal, set this value to true to skip the Azure Active Directory check, which may fail due to replication lag. This argument is only valid if the principalId is a Service Principal identity; for any other principal type it will cause the role assignment to fail. Defaults to false.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource RoleDefinition

class RoleDefinition extends CustomResource

Manages a custom Role Definition, used to assign Roles to Users/Principals. See ‘Understand role definitions’ in the Azure documentation for more details.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const primary = azure.core.getSubscription({});
const example = new azure.authorization.RoleDefinition("example", {
    scope: primary.then(primary => primary.id),
    description: "This is a custom role created",
    permissions: [{
        actions: ["*"],
        notActions: [],
    }],
    assignableScopes: [primary.then(primary => primary.id)],
});

constructor

new RoleDefinition(name: string, args: RoleDefinitionArgs, opts?: pulumi.CustomResourceOptions)

Create a RoleDefinition resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RoleDefinitionState, opts?: pulumi.CustomResourceOptions): RoleDefinition

Get an existing RoleDefinition resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is RoleDefinition

Returns true if the given object is an instance of RoleDefinition. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property assignableScopes

public assignableScopes: pulumi.Output<string[]>;

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

public description: pulumi.Output<string | undefined>;

A description of the Role Definition.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name of the Role Definition. Changing this forces a new resource to be created.

property permissions

public permissions: pulumi.Output<RoleDefinitionPermission[]>;

A permissions block as defined below.

property roleDefinitionId

public roleDefinitionId: pulumi.Output<string>;

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

property scope

public scope: pulumi.Output<string>;

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignableScopes. Changing this forces a new resource to be created.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.
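The rules this page states for Assignment and RoleDefinition (the four scope forms, the roleDefinitionId/roleDefinitionName conflict, skipServicePrincipalAadCheck being valid only for a Service Principal, and an assignment scope having to fall inside the role's assignableScopes) can be checked before any resource is created. The following is an added example, not code from the Pulumi SDK or the azure provider; the PlainAssignmentArgs/PlainRoleDefinitionArgs shapes, the scope regex, the "ServicePrincipal" spelling of principalType and the finding messages are assumptions of the example.

```typescript
// Added example, not part of the Pulumi SDK or the azure provider: a pre-deployment
// sanity check over plain-string versions of the AssignmentArgs / RoleDefinitionArgs
// fields documented on this page. Scope grammar and messages are assumptions.

interface PlainAssignmentArgs {
    scope: string;
    principalId: string;
    principalType?: string;
    roleDefinitionId?: string;
    roleDefinitionName?: string;
    skipServicePrincipalAadCheck?: boolean;
}

interface PlainRoleDefinitionArgs {
    scope: string;
    assignableScopes: string[];
    permissions: { actions: string[]; notActions: string[] }[];
}

// The four scope shapes named on this page: subscription, resource group,
// resource inside a resource group, and management group.
const SCOPE_RE = new RegExp(
    "^(/subscriptions/[0-9a-f-]{36}(/resourceGroups/[^/]+(/providers/[^/]+/[^/]+/[^/]+)?)?" +
    "|/providers/Microsoft\\.Management/managementGroups/[^/]+)$",
    "i",
);

function isValidScope(scope: string): boolean {
    return SCOPE_RE.test(scope);
}

// True when `scope` equals `parent` or sits beneath it. The comparison is per
// path segment and case-insensitive, so ".../resourceGroups/myGroup2" is not
// within ".../resourceGroups/myGroup" even though it shares that string prefix.
function scopeWithin(scope: string, parent: string): boolean {
    const s = scope.toLowerCase().split("/");
    const p = parent.toLowerCase().split("/");
    return p.length <= s.length && p.every((seg, i) => seg === s[i]);
}

// Returns an empty list when the assignment (and, if given, the custom role it
// references) is consistent with the rules on this page; otherwise one finding per problem.
function checkAssignment(a: PlainAssignmentArgs, role?: PlainRoleDefinitionArgs): string[] {
    const findings: string[] = [];
    if (!isValidScope(a.scope)) {
        findings.push(`scope is not a recognised ARM scope: ${a.scope}`);
    }
    // roleDefinitionId and roleDefinitionName conflict, and one of them is required.
    const hasId = a.roleDefinitionId !== undefined;
    const hasName = a.roleDefinitionName !== undefined;
    if (hasId === hasName) {
        findings.push("set exactly one of roleDefinitionId or roleDefinitionName");
    }
    // skipServicePrincipalAadCheck is only valid when the principal is a Service Principal.
    const isSp = (a.principalType || "").replace(/\s+/g, "").toLowerCase() === "serviceprincipal";
    if (a.skipServicePrincipalAadCheck && a.principalType !== undefined && !isSp) {
        findings.push("skipServicePrincipalAadCheck set for a non-Service-Principal principal");
    }
    if (role) {
        // An assignment whose scope lies outside every assignableScope is rejected by Azure.
        if (!role.assignableScopes.some((sc) => scopeWithin(a.scope, sc))) {
            findings.push("assignment scope is outside every assignableScope of the role");
        }
        // This page recommends that the role's scope be the first assignableScopes entry.
        if (role.scope.toLowerCase() !== (role.assignableScopes[0] || "").toLowerCase()) {
            findings.push("role scope is not the first entry of assignableScopes");
        }
        // A wildcard action with no notActions grants every control-plane action.
        if (role.permissions.some((p) => p.actions.indexOf("*") !== -1 && p.notActions.length === 0)) {
            findings.push("role grants every action (*) with no notActions");
        }
    }
    return findings;
}
```

Run checkAssignment over the plain values you intend to pass to new azure.authorization.Assignment and fail the program on a non-empty result; the scope containment check is the one most often missed when a custom role is assigned at subscription scope.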

Resource UserAssignedIdentity

class UserAssignedIdentity extends CustomResource

Manages a user assigned identity.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "eastus"});
const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("exampleUserAssignedIdentity", {
    resourceGroupName: exampleResourceGroup.name,
    location: exampleResourceGroup.location,
});

constructor

new UserAssignedIdentity(name: string, args: UserAssignedIdentityArgs, opts?: pulumi.CustomResourceOptions)

Create a UserAssignedIdentity resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: UserAssignedIdentityState, opts?: pulumi.CustomResourceOptions): UserAssignedIdentity

Get an existing UserAssignedIdentity resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is UserAssignedIdentity

Returns true if the given object is an instance of UserAssignedIdentity. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property clientId

public clientId: pulumi.Output<string>;

Client ID associated with the user assigned identity.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property location

public location: pulumi.Output<string>;

The location/region where the user assigned identity is created.

property name

public name: pulumi.Output<string>;

The name of the user assigned identity. Changing this forces a new identity to be created.

property principalId

public principalId: pulumi.Output<string>;

Service Principal ID associated with the user assigned identity.

property resourceGroupName

public resourceGroupName: pulumi.Output<string>;

The name of the resource group in which to create the user assigned identity.

property tags

public tags: pulumi.Output<{[key: string]: string} | undefined>;

A mapping of tags to assign to the resource.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Functions

Function getRoleDefinition

getRoleDefinition(args?: GetRoleDefinitionArgs, opts?: pulumi.InvokeOptions): Promise<GetRoleDefinitionResult>

Use this data source to access information about an existing Role Definition.

Function getUserAssignedIdentity

getUserAssignedIdentity(args: GetUserAssignedIdentityArgs, opts?: pulumi.InvokeOptions): Promise<GetUserAssignedIdentityResult>

Use this data source to access information about an existing User Assigned Identity.

Example Usage

Reference An Existing
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const example = azure.authorization.getUserAssignedIdentity({
    name: "name_of_user_assigned_identity",
    resourceGroupName: "name_of_resource_group",
});
export const uaiClientId = example.then(example => example.clientId);
export const uaiPrincipalId = example.then(example => example.principalId);

Others

interface AssignmentArgs

interface AssignmentArgs

The set of arguments for constructing an Assignment resource.

property name

name?: pulumi.Input<string>;

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

property principalId

principalId: pulumi.Input<string>;

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with roleDefinitionName.

property roleDefinitionName

roleDefinitionName?: pulumi.Input<string>;

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with roleDefinitionId.

property scope

scope: pulumi.Input<string>;

The scope to which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

property skipServicePrincipalAadCheck

skipServicePrincipalAadCheck?: pulumi.Input<boolean>;

If the principalId is a newly provisioned Service Principal, set this value to true to skip the Azure Active Directory check, which may fail due to replication lag. This argument is only valid if the principalId is a Service Principal identity; for any other principal type it will cause the role assignment to fail. Defaults to false.

interface AssignmentState

interface AssignmentState

Input properties used for looking up and filtering Assignment resources.

property name

name?: pulumi.Input<string>;

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

property principalId

principalId?: pulumi.Input<string>;

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

property principalType

principalType?: pulumi.Input<string>;

The type of the principalId, e.g. User, Group, Service Principal, Application, etc.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with roleDefinitionName.

property roleDefinitionName

roleDefinitionName?: pulumi.Input<string>;

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with roleDefinitionId.

property scope

scope?: pulumi.Input<string>;

The scope to which the Role Assignment applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

property skipServicePrincipalAadCheck

skipServicePrincipalAadCheck?: pulumi.Input<boolean>;

If the principalId is a newly provisioned Service Principal, set this value to true to skip the Azure Active Directory check, which may fail due to replication lag. This argument is only valid if the principalId is a Service Principal identity; for any other principal type it will cause the role assignment to fail. Defaults to false.

interface GetRoleDefinitionArgs

interface GetRoleDefinitionArgs

A collection of arguments for invoking getRoleDefinition.

property name

name?: undefined | string;

Specifies the Name of either a built-in or custom Role Definition.

property roleDefinitionId

roleDefinitionId?: undefined | string;

Specifies the ID of the Role Definition as a UUID/GUID.

property scope

scope?: undefined | string;

Specifies the Scope at which the Custom Role Definition exists.

interface GetRoleDefinitionResult

interface GetRoleDefinitionResult

A collection of values returned by getRoleDefinition.

property assignableScopes

assignableScopes: string[];

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

description: string;

The Description of the Role.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property name

name: string;

property permissions

permissions: GetRoleDefinitionPermission[];

A permissions block as documented below.

property roleDefinitionId

roleDefinitionId: string;

property scope

scope?: undefined | string;

property type

type: string;

The Type of the Role.

interface GetUserAssignedIdentityArgs

interface GetUserAssignedIdentityArgs

A collection of arguments for invoking getUserAssignedIdentity.

property name

name: string;

The name of the User Assigned Identity.

property resourceGroupName

resourceGroupName: string;

The name of the Resource Group in which the User Assigned Identity exists.

interface GetUserAssignedIdentityResult

interface GetUserAssignedIdentityResult

A collection of values returned by getUserAssignedIdentity.

property clientId

clientId: string;

The Client ID of the User Assigned Identity.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property location

location: string;

The Azure location where the User Assigned Identity exists.

property name

name: string;

property principalId

principalId: string;

The Service Principal ID of the User Assigned Identity.

property resourceGroupName

resourceGroupName: string;

property tags

tags: {[key: string]: string};

A mapping of tags assigned to the User Assigned Identity.

interface RoleDefinitionArgs

interface RoleDefinitionArgs

The set of arguments for constructing a RoleDefinition resource.

property assignableScopes

assignableScopes: pulumi.Input<pulumi.Input<string>[]>;

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

description?: pulumi.Input<string>;

A description of the Role Definition.

property name

name?: pulumi.Input<string>;

The name of the Role Definition. Changing this forces a new resource to be created.

property permissions

permissions: pulumi.Input<pulumi.Input<RoleDefinitionPermission>[]>;

A permissions block as defined below.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

property scope

scope: pulumi.Input<string>;

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignableScopes. Changing this forces a new resource to be created.

interface RoleDefinitionState

interface RoleDefinitionState

Input properties used for looking up and filtering RoleDefinition resources.

property assignableScopes

assignableScopes?: pulumi.Input<pulumi.Input<string>[]>;

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

property description

description?: pulumi.Input<string>;

A description of the Role Definition.

property name

name?: pulumi.Input<string>;

The name of the Role Definition. Changing this forces a new resource to be created.

property permissions

permissions?: pulumi.Input<pulumi.Input<RoleDefinitionPermission>[]>;

A permissions block as defined below.

property roleDefinitionId

roleDefinitionId?: pulumi.Input<string>;

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

property scope

scope?: pulumi.Input<string>;

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignableScopes. Changing this forces a new resource to be created.

interface UserAssignedIdentityArgs

interface UserAssignedIdentityArgs

The set of arguments for constructing a UserAssignedIdentity resource.

property location

location?: pulumi.Input<string>;

The location/region where the user assigned identity is created.

property name

name?: pulumi.Input<string>;

The name of the user assigned identity. Changing this forces a new identity to be created.

property resourceGroupName

resourceGroupName: pulumi.Input<string>;

The name of the resource group in which to create the user assigned identity.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.

interface UserAssignedIdentityState

interface UserAssignedIdentityState

Input properties used for looking up and filtering UserAssignedIdentity resources.

property clientId

clientId?: pulumi.Input<string>;

Client ID associated with the user assigned identity.

property location

location?: pulumi.Input<string>;

The location/region where the user assigned identity is created.

property name

name?: pulumi.Input<string>;

The name of the user assigned identity. Changing this forces a new identity to be created.

property principalId

principalId?: pulumi.Input<string>;

Service Principal ID associated with the user assigned identity.

property resourceGroupName

resourceGroupName?: pulumi.Input<string>;

The name of the resource group in which to create the user assigned identity.

property tags

tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;

A mapping of tags to assign to the resource.