How to list (RBAC) role definitions in Azure?

The complete list of role definitions in Azure is a somewhat hidden detail that is rarely looked at directly, even though every role assignment you review points at one of them.
For more information about RBAC, please take a look here:
https://docs.microsoft.com/en-us/azure/role-based-access-control/

Azure ships a built-in role for almost every job you can do in it, for example Azure Kubernetes Service RBAC Admin or Azure Kubernetes Service Contributor Role. There are many of them.

To get the list of all role definitions (built-in and custom) visible from your current subscription, use the following command:

az role definition list

This prints a very long JSON array, far more than fits in a console (bash) window. Narrow it with the CLI's global --query option (a JMESPath expression, e.g. on roleName) or with -o table, or redirect it to a file.

Usually you want a specific role only. First look up its name or ID in the built-in roles reference, for example: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-kubernetes-service-rbac-admin

This role is tracked under the following ID (the "name" field of the definition; the display name is in "roleName"):

"name": "3498e952-d568-435e-9b2c-8d77e338d7f7"

To look up the full role definition, pass that ID to the same command (the -n/--name option also accepts the display name, e.g. "Azure Kubernetes Service RBAC Admin"):

az role definition list -n "3498e952-d568-435e-9b2c-8d77e338d7f7"

You will get a result like this:

  {
    "assignableScopes": [
      "/"
    ],
    "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
    "id": "/subscriptions/74f2b754-46d2-4049-8b03-6371bf22efbb/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
    "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Resources/deployments/write",
          "Microsoft.Resources/subscriptions/operationresults/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*",
          "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
        ],
        "dataActions": [
          "Microsoft.ContainerService/managedClusters/*"
        ],
        "notActions": [],
        "notDataActions": [
          "Microsoft.ContainerService/managedClusters/resourcequotas/write",
          "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
          "Microsoft.ContainerService/managedClusters/namespaces/write",
          "Microsoft.ContainerService/managedClusters/namespaces/delete"
        ]
      }
    ],
    "roleName": "Azure Kubernetes Service RBAC Admin",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
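The interesting part of that output is the permissions block. Azure evaluates a role as actions minus notActions for the control plane (ARM operations) and dataActions minus notDataActions for the data plane (here, the Kubernetes API inside the cluster); a wildcard "*" matches any run of characters. Note that notActions and notDataActions only narrow this one role, they are not a deny: if the same principal holds a second assignment that grants the excluded operation, it is still allowed. The script below is an added example (not code from the original post or from Microsoft) that applies those rules offline to role definitions, so you can ask "does this role let me run X?" or "which of these roles grant X?" over the JSON that az role definition list prints. The first definition is a trimmed copy of the one shown above; the second, "Example Custom Reader", is a constructed hypothetical custom role. The case-insensitive, "/"-spanning wildcard semantics are an assumption about Azure's matcher and are marked as such in the code.

```python
"""Offline check of Azure RBAC role definitions (added example, not from the page)."""
import fnmatch
import json
import sys

# Trimmed copy of the "Azure Kubernetes Service RBAC Admin" definition printed
# above; only the fields the check below needs are kept.
AKS_RBAC_ADMIN = {
    "roleName": "Azure Kubernetes Service RBAC Admin",
    "roleType": "BuiltInRole",
    "permissions": [{
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Insights/alertRules/*",
            "Microsoft.Resources/deployments/write",
            "Microsoft.Resources/subscriptions/operationresults/read",
            "Microsoft.Resources/subscriptions/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Support/*",
            "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        ],
        "dataActions": ["Microsoft.ContainerService/managedClusters/*"],
        "notActions": [],
        "notDataActions": [
            "Microsoft.ContainerService/managedClusters/resourcequotas/write",
            "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
            "Microsoft.ContainerService/managedClusters/namespaces/write",
            "Microsoft.ContainerService/managedClusters/namespaces/delete",
        ],
    }],
}

# Constructed custom role (hypothetical, not an Azure built-in) so that the
# search below has more than one definition to look through.
EXAMPLE_CUSTOM_READER = {
    "roleName": "Example Custom Reader",
    "roleType": "CustomRole",
    "permissions": [{
        "actions": ["*/read"],
        "notActions": ["Microsoft.Authorization/*/read"],
        "dataActions": [],
        "notDataActions": [],
    }],
}


def _matches(patterns, operation):
    # Assumption: operation names are compared case-insensitively and "*"
    # matches any run of characters, "/" included; fnmatch behaves that way.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def is_permitted(role_def, operation, data_action=False):
    """Return True if the role definition grants `operation`.

    Control plane: actions minus notActions.  Data plane: dataActions minus
    notDataActions.  An exclusion only narrows this role; it is not a deny,
    so another assignment may still grant the same operation.
    """
    allow_key, excl_key = (("dataActions", "notDataActions") if data_action
                           else ("actions", "notActions"))
    allowed = [p for perm in role_def["permissions"] for p in perm.get(allow_key, [])]
    excluded = [p for perm in role_def["permissions"] for p in perm.get(excl_key, [])]
    return _matches(allowed, operation) and not _matches(excluded, operation)


def roles_granting(role_defs, operation, data_action=False):
    """Sorted names of the definitions that grant `operation`."""
    return sorted(r["roleName"] for r in role_defs
                  if is_permitted(r, operation, data_action))


if __name__ == "__main__":
    # Usage: python3 rbac_check.py <operation> [definitions.json]
    # definitions.json is the saved output of `az role definition list`;
    # without it, the two definitions embedded above are searched.
    operation = (sys.argv[1] if len(sys.argv) > 1 else
                 "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action")
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            definitions = json.load(fh)
    else:
        definitions = [AKS_RBAC_ADMIN, EXAMPLE_CUSTOM_READER]
    for name in roles_granting(definitions, operation):
        print(name)
```

Run against real data by saving az role definition list to a file and passing it as the second argument; searching for Microsoft.ContainerService/managedClusters/listClusterUserCredential/action, for instance, tells you every role that can pull cluster user credentials, which is the kind of question an access review actually needs answered.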
