如何使用RBAC API获取所有角色分配的列表
我正在对以下API进行GET请求
https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleAssignments?api-version=2017-10-01-preview
这给了我以下格式的回复
{
"properties": {
"roleDefinitionId": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "fdef6f38-b48f-4358-8482-b243ea935082",
"principalType": "User",
"scope": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/resourceGroups/GE-RGrp-Kentico",
"createdOn": "2017-08-21T11:38:53.7973201Z",
"updatedOn": "2017-08-21T11:38:53.7973201Z",
"createdBy": "f418e9e8-becc-41d8-ab47-66a4c50403b5",
"updatedBy": "f418e9e8-becc-41d8-ab47-66a4c50403b5"
},
"id": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/resourceGroups/GE-RGrp-Kentico/providers/Microsoft.Authorization/roleAssignments/5e6caac9-c5fd-42f0-86c6-9e96b127be51",
"type": "Microsoft.Authorization/roleAssignments",
"name": "5e6caac9-c5fd-42f0-86c6-9e96b127be51"
}
但是当我进行CLI调用时,我使用
得到以下响应> az role assignment list
{
"id": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleAssignments/4096c146-b6f8-4f92-a700-a47742a5b321",
"name": "4096c146-b6f8-4f92-a700-a47742a5b321",
"properties": {
"additionalProperties": {
"createdBy": "c2024d65-cf17-45fd-b34b-09cd5c21cac7",
"createdOn": "2017-11-07T22:03:12.4998370Z",
"updatedBy": "c2024d65-cf17-45fd-b34b-09cd5c21cac7",
"updatedOn": "2017-11-07T22:03:12.4998370Z"
},
"principalId": "780925c0-a487-4529-9eb2-837aa67a4d8a",
"principalName": "xcavanap@genesisenergy.co.nz",
"roleDefinitionId": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
"roleDefinitionName": "Security Admin",
"scope": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31"
},
以上回复确实有
"roleDefinitionName": "Security Admin"
但我希望通过API获得相同的响应,请帮助!!
2 个答案:
答案 0 :(得分:2)
要获取角色定义名称,您需要进行单独的REST API调用,然后在客户端执行连接。
如果在运行Azure PowerShell或Azure CLI时运行网络捕获,则可以直接查看REST API调用。
列出角色分配
获取https://management.azure.com/subscriptions/ {subscriptionId} /providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01
示例回复:
"value": [
{
"properties": {
"roleDefinitionId": "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions/<roleDefinitionId>",
"principalId": "<principalId>",
"scope": "/subscriptions/<subscriptionId>",
"createdOn": "2017-02-03T07:55:59.6345664Z",
"updatedOn": "2017-02-03T07:55:59.6345664Z",
"createdBy": "7c728184-cd9e-47ad-b72f-e7ac40b80624",
"updatedBy": "7c728184-cd9e-47ad-b72f-e7ac40b80624"
},
"id": "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleAssignments/ea667734-e984-4726-bf0b-2116aaaedfde",
"type": "Microsoft.Authorization/roleAssignments",
"name": "ea667734-e984-4726-bf0b-2116aaaedfde"
},
列出角色定义
GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?$ filter = atScopeAndBelow()&amp; api-version = 2015-07-01
示例回复:
{
"properties": {
"roleName": "Contributor",
"type": "BuiltInRole",
"description": "Lets you manage everything except access to resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action"
]
}
],
"createdOn": "0001-01-01T08:00:00.0000000Z",
"updatedOn": "2016-12-14T02:04:45.1393855Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/<roleDefinitionId>",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "<roleDefinitionId>"
},
获取AAD对象 - 包括主要名称
POST https://graph.windows.net/ / getObjectsByObjectIds?api-version = 1.6
{
"objectIds": [
"<objectId1>",
"<objectId2>",
...
],
"includeDirectoryObjectReferences": true
}
答案 1 :(得分:1)
根据Role Assignments - List REST API,响应中没有roleDefinitionName。您可以将feedback提供给azure团队。如果想获得roleDefinitionName,我们可以使用Role Definitions - Get By Id来做到这一点。
{
"value": [
{
"properties": {
"roleDefinitionId": "/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/roledefinitionId",
"principalId": "Pid",
"scope": "/subscriptions/subId/resourcegroups/rgname"
},
"id": "/subscriptions/subId/resourcegroups/rgname/providers/Microsoft.Authorization/roleAssignments/roleassignmentId",
"type": "Microsoft.Authorization/roleAssignments",
"name": "raId"
}
]
}
<强>更新
不幸的是,Role Assignments - List REST API响应中没有roleDefinitionName和principalName。
对于&#39; principalName &#39;我们可以使用Service Principals - Get REST API来获取它。 objectId 值是您从Role Assignments - List REST API获得的 principalId
<强> UPDATE2:
看来graph.windows.net的访问令牌与management.azure.com不同?我怎么能找到图表的标记?
获取的访问令牌资源应为https://graph.windows.net
以下是获取访问令牌的c#代码演示
string authority = "https://login.microsoftonline.com/{0}";
string graphResourceId = "https://graph.windows.net";
string tenantId = "tenantId";
string clientId = "clientId";
string secretKey = "secretKey";
authority = String.Format(authority, tenantId);
AuthenticationContext authContext = new AuthenticationContext(authority);
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secretKey)).Result.AccessToken;
注意:您还需要在azure门户中授予[Azure目录数据] Windows Azure Active Directory权限
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?