This page documents the language specification for the azure package. If you're looking for help working with the inputs, outputs, or functions of azure resources in a Pulumi program, please see the resource documentation for examples and API reference.

authorization

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-azure repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-azurerm repo.

class pulumi_azure.authorization.Assignment(resource_name, opts=None, name=None, principal_id=None, role_definition_id=None, role_definition_name=None, scope=None, skip_service_principal_aad_check=None, __props__=None, __name__=None, __opts__=None)

Assigns a given Principal (User or Group) to a given Role.

# Example: assign the built-in Reader role at subscription scope.
import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_assignment = azure.authorization.Assignment("exampleAssignment",
    scope=primary.id,
    role_definition_name="Reader",
    principal_id=example_client_config.object_id)

# Example: define a custom role and assign it by role_definition_id,
# with the principal taken from the client configuration's object_id.
import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
    role_definition_id="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    permissions=[{
        "actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": [],
    }],
    assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
    name="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    role_definition_id=example_role_definition.id,
    principal_id=example_client_config.object_id)

# Example: the same custom role, with the principal taken from the client
# configuration's client_id.
import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
    role_definition_id="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    permissions=[{
        "actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": [],
    }],
    assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
    name="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    role_definition_id=example_role_definition.id,
    principal_id=example_client_config.client_id)

# Example: assign the custom role at management group scope.
import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example_client_config = azure.core.get_client_config()
example_group = azure.management.get_group()
example_role_definition = azure.authorization.RoleDefinition("exampleRoleDefinition",
    role_definition_id="00000000-0000-0000-0000-000000000000",
    scope=primary.id,
    permissions=[{
        "actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
        "notActions": [],
    }],
    assignable_scopes=[primary.id])
example_assignment = azure.authorization.Assignment("exampleAssignment",
    name="00000000-0000-0000-0000-000000000000",
    # The management group looked up above supplies the scope.
    scope=example_group.id,
    role_definition_id=example_role_definition.id,
    principal_id=example_client_config.client_id)

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

  • principal_id (pulumi.Input[str]) – The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

  • role_definition_id (pulumi.Input[str]) – The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

  • role_definition_name (pulumi.Input[str]) – The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

  • scope (pulumi.Input[str]) – The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

  • skip_service_principal_aad_check (pulumi.Input[bool]) – If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. If it is not a Service Principal identity it will cause the role assignment to fail. Defaults to false.
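A pre-deployment review of the arguments described above, as an added example that is not part of pulumi_azure or the original page. It classifies scope by the four shapes listed for the scope parameter and checks the stated conflicts; review_assignment, scope_level, BROAD_ROLES and the principal_is_service_principal hint are hypothetical names, and the inputs are assumed to be already-resolved plain strings rather than pulumi.Output values.

```python
import re
import uuid

_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
_RG = rf"/subscriptions/{_GUID}/resourceGroups/[^/]+"
# The four scope shapes named in the `scope` description, broadest first.
SCOPE_SHAPES = [
    ("management_group",
     re.compile(r"/providers/Microsoft\.Management/managementGroups/[^/]+", re.I)),
    ("subscription", re.compile(rf"/subscriptions/{_GUID}", re.I)),
    ("resource_group", re.compile(_RG, re.I)),
    ("resource", re.compile(rf"{_RG}/providers/[^/]+(?:/[^/]+)+", re.I)),
]
# Assumed review policy, not from the page: built-in roles treated as too broad
# to grant at subscription or management group scope without a second look.
BROAD_ROLES = {"owner", "contributor", "user access administrator"}


def scope_level(scope):
    """Return the level of a scope string, or None if it has none of the shapes."""
    for level, shape in SCOPE_SHAPES:
        if shape.fullmatch(scope):
            return level
    return None


def review_assignment(args, principal_is_service_principal=None):
    """List findings for a dict of resolved Assignment keyword arguments.

    principal_is_service_principal is a hypothetical hint from the caller
    (True, False, or None when unknown); Assignment itself has no such input.
    """
    findings = []
    by_id, by_name = args.get("role_definition_id"), args.get("role_definition_name")
    if by_id and by_name:
        findings.append("role_definition_id conflicts with role_definition_name")
    elif not (by_id or by_name):
        findings.append("no role definition given")
    if args.get("name") is not None:
        try:
            uuid.UUID(args["name"])
        except ValueError:
            findings.append("name is not a UUID/GUID")
    level = scope_level(args.get("scope", ""))
    if level is None:
        findings.append("scope has none of the documented shapes")
    elif level in ("management_group", "subscription") and (by_name or "").lower() in BROAD_ROLES:
        findings.append(f"{by_name} granted at {level} scope")
    if args.get("skip_service_principal_aad_check") and principal_is_service_principal is not True:
        findings.append("skip_service_principal_aad_check set for an unconfirmed Service Principal")
    return findings


if __name__ == "__main__":
    # Constructed sample: a broad built-in role at subscription scope.
    sample = {"scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333",
              "role_definition_name": "Owner",
              "skip_service_principal_aad_check": True}
    for finding in review_assignment(sample):
        print(finding)
```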

name: pulumi.Output[str] = None

A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

principal_id: pulumi.Output[str] = None

The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

principal_type: pulumi.Output[str] = None

The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

role_definition_id: pulumi.Output[str] = None

The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

role_definition_name: pulumi.Output[str] = None

The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

scope: pulumi.Output[str] = None

The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

skip_service_principal_aad_check: pulumi.Output[bool] = None

If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. If it is not a Service Principal identity it will cause the role assignment to fail. Defaults to false.

static get(resource_name, id, opts=None, name=None, principal_id=None, principal_type=None, role_definition_id=None, role_definition_name=None, scope=None, skip_service_principal_aad_check=None)

Get an existing Assignment resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – A unique UUID/GUID for this Role Assignment - one will be generated if not specified. Changing this forces a new resource to be created.

  • principal_id (pulumi.Input[str]) – The ID of the Principal (User, Group or Service Principal) to assign the Role Definition to. Changing this forces a new resource to be created.

  • principal_type (pulumi.Input[str]) – The type of the principal_id, e.g. User, Group, Service Principal, Application, etc.

  • role_definition_id (pulumi.Input[str]) – The Scoped-ID of the Role Definition. Changing this forces a new resource to be created. Conflicts with role_definition_name.

  • role_definition_name (pulumi.Input[str]) – The name of a built-in Role. Changing this forces a new resource to be created. Conflicts with role_definition_id.

  • scope (pulumi.Input[str]) – The scope at which the Role Assignment applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM, or /providers/Microsoft.Management/managementGroups/myMG. Changing this forces a new resource to be created.

  • skip_service_principal_aad_check (pulumi.Input[bool]) – If the principal_id is a newly provisioned Service Principal set this value to true to skip the Azure Active Directory check which may fail due to replication lag. This argument is only valid if the principal_id is a Service Principal identity. If it is not a Service Principal identity it will cause the role assignment to fail. Defaults to false.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.authorization.AwaitableGetRoleDefinitionResult(assignable_scopes=None, description=None, id=None, name=None, permissions=None, role_definition_id=None, scope=None, type=None)
class pulumi_azure.authorization.AwaitableGetUserAssignedIdentityResult(client_id=None, id=None, location=None, name=None, principal_id=None, resource_group_name=None, tags=None)
class pulumi_azure.authorization.GetRoleDefinitionResult(assignable_scopes=None, description=None, id=None, name=None, permissions=None, role_definition_id=None, scope=None, type=None)

A collection of values returned by getRoleDefinition.

assignable_scopes = None

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

description = None

The description of the built-in Role.

id = None

The provider-assigned unique ID for this managed resource.

permissions = None

A permissions block as documented below.

type = None

The type of the Role.

class pulumi_azure.authorization.GetUserAssignedIdentityResult(client_id=None, id=None, location=None, name=None, principal_id=None, resource_group_name=None, tags=None)

A collection of values returned by getUserAssignedIdentity.

client_id = None

The Client ID of the User Assigned Identity.

id = None

The provider-assigned unique ID for this managed resource.

location = None

The Azure location where the User Assigned Identity exists.

principal_id = None

The Service Principal ID of the User Assigned Identity.

tags = None

A mapping of tags assigned to the User Assigned Identity.

class pulumi_azure.authorization.RoleDefinition(resource_name, opts=None, assignable_scopes=None, description=None, name=None, permissions=None, role_definition_id=None, scope=None, __props__=None, __name__=None, __opts__=None)

Manages a custom Role Definition, used to assign Roles to Users/Principals. See ‘Understand role definitions’ in the Azure documentation for more details.

import pulumi
import pulumi_azure as azure

primary = azure.core.get_subscription()
example = azure.authorization.RoleDefinition("example",
    scope=primary.id,
    description="This is a custom role created",
    permissions=[{
        # "*" allows every management operation; list specific operations
        # (or exclusions in notActions) to narrow the role.
        "actions": ["*"],
        "notActions": [],
    }],
    assignable_scopes=[primary.id])

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • assignable_scopes (pulumi.Input[list]) – One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

  • description (pulumi.Input[str]) – A description of the Role Definition.

  • name (pulumi.Input[str]) – The name of the Role Definition. Changing this forces a new resource to be created.

  • permissions (pulumi.Input[list]) – A permissions block as defined below.

  • role_definition_id (pulumi.Input[str]) – A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

  • scope (pulumi.Input[str]) – The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
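A review of a RoleDefinition's permissions argument before deployment, as an added example that is not part of pulumi_azure or the original page. It evaluates each block as actions minus notActions with "*" wildcards and reports whether the role can change access itself; is_granted, review_role_definition and the ESCALATION_OPS watch list are hypothetical names and choices, and treating several blocks as a union is an assumption of this sketch.

```python
from fnmatch import fnmatchcase

# Operations whose grant lets a holder change who has access. The operation
# names are real Azure ones; using them as the watch list is an assumption.
ESCALATION_OPS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
]


def _matches(operation, patterns):
    """True if the operation matches any pattern, compared case-insensitively."""
    op = operation.lower()
    return any(fnmatchcase(op, pattern.lower()) for pattern in patterns)


def is_granted(operation, permissions):
    """Evaluate actions minus notActions over every permissions block."""
    return any(
        _matches(operation, block.get("actions", []))
        and not _matches(operation, block.get("notActions", []))
        for block in permissions
    )


def review_role_definition(args):
    """List findings for a dict of resolved RoleDefinition keyword arguments."""
    findings = []
    permissions = args.get("permissions", [])
    for block in permissions:
        for action in block.get("actions", []):
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
    for op in ESCALATION_OPS:
        if is_granted(op, permissions):
            findings.append(f"grants {op}")
    # The scope description recommends the first entry of assignable_scopes.
    scopes = args.get("assignable_scopes") or []
    if scopes and args.get("scope") != scopes[0]:
        findings.append("scope is not the first entry of assignable_scopes")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the wildcard role in the example above.
    sub = "/subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333"
    sample = {"scope": sub, "assignable_scopes": [sub],
              "permissions": [{"actions": ["*"], "notActions": []}]}
    for finding in review_role_definition(sample):
        print(finding)
```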

The permissions object supports the following:

assignable_scopes: pulumi.Output[list] = None

One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

description: pulumi.Output[str] = None

A description of the Role Definition.

name: pulumi.Output[str] = None

The name of the Role Definition. Changing this forces a new resource to be created.

permissions: pulumi.Output[list] = None

A permissions block as defined below.

role_definition_id: pulumi.Output[str] = None

A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

scope: pulumi.Output[str] = None

The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.

static get(resource_name, id, opts=None, assignable_scopes=None, description=None, name=None, permissions=None, role_definition_id=None, scope=None)

Get an existing RoleDefinition resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • assignable_scopes (pulumi.Input[list]) – One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

  • description (pulumi.Input[str]) – A description of the Role Definition.

  • name (pulumi.Input[str]) – The name of the Role Definition. Changing this forces a new resource to be created.

  • permissions (pulumi.Input[list]) – A permissions block as defined below.

  • role_definition_id (pulumi.Input[str]) – A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.

  • scope (pulumi.Input[str]) – The scope at which the Role Definition applies, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.

The permissions object supports the following:

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azure.authorization.UserAssignedIdentity(resource_name, opts=None, location=None, name=None, resource_group_name=None, tags=None, __props__=None, __name__=None, __opts__=None)

Manages a user assigned identity.

import pulumi
import pulumi_azure as azure

example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="eastus")
example_user_assigned_identity = azure.authorization.UserAssignedIdentity("exampleUserAssignedIdentity",
    resource_group_name=example_resource_group.name,
    location=example_resource_group.location)

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • location (pulumi.Input[str]) – The location/region where the user assigned identity is created.

  • name (pulumi.Input[str]) – The name of the user assigned identity. Changing this forces a new identity to be created.

  • resource_group_name (pulumi.Input[str]) – The name of the resource group in which to create the user assigned identity.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

client_id: pulumi.Output[str] = None

Client ID associated with the user assigned identity.

location: pulumi.Output[str] = None

The location/region where the user assigned identity is created.

name: pulumi.Output[str] = None

The name of the user assigned identity. Changing this forces a new identity to be created.

principal_id: pulumi.Output[str] = None

Service Principal ID associated with the user assigned identity.

resource_group_name: pulumi.Output[str] = None

The name of the resource group in which to create the user assigned identity.

tags: pulumi.Output[dict] = None

A mapping of tags to assign to the resource.

static get(resource_name, id, opts=None, client_id=None, location=None, name=None, principal_id=None, resource_group_name=None, tags=None)

Get an existing UserAssignedIdentity resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • client_id (pulumi.Input[str]) – Client ID associated with the user assigned identity.

  • location (pulumi.Input[str]) – The location/region where the user assigned identity is created.

  • name (pulumi.Input[str]) – The name of the user assigned identity. Changing this forces a new identity to be created.

  • principal_id (pulumi.Input[str]) – Service Principal ID associated with the user assigned identity.

  • resource_group_name (pulumi.Input[str]) – The name of the resource group in which to create the user assigned identity.

  • tags (pulumi.Input[dict]) – A mapping of tags to assign to the resource.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_azure.authorization.get_role_definition(name=None, role_definition_id=None, scope=None, opts=None)

Use this data source to access information about an existing Role Definition.

Parameters
  • name (str) – Specifies the Name of either a built-in or custom Role Definition.

  • role_definition_id (str) – Specifies the ID of the Role Definition as a UUID/GUID.

  • scope (str) – Specifies the Scope at which the Custom Role Definition exists.

pulumi_azure.authorization.get_user_assigned_identity(name=None, resource_group_name=None, opts=None)

Use this data source to access information about an existing User Assigned Identity.

import pulumi
import pulumi_azure as azure

example = azure.authorization.get_user_assigned_identity(name="name_of_user_assigned_identity",
    resource_group_name="name_of_resource_group")
pulumi.export("uaiClientId", example.client_id)
pulumi.export("uaiPrincipalId", example.principal_id)

Parameters
  • name (str) – The name of the User Assigned Identity.

  • resource_group_name (str) – The name of the Resource Group in which the User Assigned Identity exists.