Get AzRoleDefinition by Action
Ever wanted to get all Azure roles containing a specific Action (permission) just to find that specific standard role to use when delegating permissions in Azure?
Here is a small snippet of PowerShell to do just that:
```powershell
# Requires the Az.Resources module and a signed-in session (Connect-AzAccount)
# Start by getting all available roles
$roles = Get-AzRoleDefinition
# Create an expression to sort by
$nrOfActions = @{label="Nr Of Actions";expression={$_.Actions.Count}}
# Set the Action to search for as a variable
$action = 'Microsoft.Resources/deployments/*'
# Run the query against the saved roles
$roles | Where-Object Actions -like $action | Select-Object Name,Id,$nrOfActions | Sort-Object 'Nr Of Actions'
# And then copy the ID of the role you're interested in, and use it in the next line:
$roleDef = '63bb64ad-9799-4770-b5c3-24ed299a07bf' # This is Azure Kubernetes Fleet Manager Contributor Role
# Then run this to get the result
Get-AzRoleDefinition -Id $roleDef -OutVariable result
# And to look at it as JSON
$result | ConvertTo-Json
# Or just a list of the allowed Actions
$result | Select-Object -ExpandProperty Actions
```
Looking through all roles, the question I often ask myself:
Is it better to use any of these built-in roles OR is it better to create a custom role with the exact needed actions/notActions with a more descriptive name?
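The query above uses the search string as the pattern, so it only returns roles whose Actions entries fall under that string; a role that grants the same operation through a broader wildcard such as `*` or `Microsoft.Resources/*` is not listed. The following added example (not part of the original snippet) reverses the match, treating each role entry as the pattern, and subtracts NotActions. The function name `Test-RoleGrantsAction` and the sample roles are hypothetical and constructed for illustration.

```powershell
# Added example: which roles effectively grant one concrete operation?
function Test-RoleGrantsAction {
    param(
        [Parameter(Mandatory)] $Role,               # object with Actions / NotActions arrays
        [Parameter(Mandatory)] [string] $Operation  # concrete operation, no wildcard
    )
    # Each role entry ('*', 'Microsoft.Resources/*', ...) is the wildcard pattern;
    # the requested operation is the value tested against it.
    $allowed  = @($Role.Actions    | Where-Object { $Operation -like $_ })
    $excluded = @($Role.NotActions | Where-Object { $Operation -like $_ })
    # NotActions are subtracted from Actions, so any exclusion match wins.
    return ($allowed.Count -gt 0 -and $excluded.Count -eq 0)
}

# Constructed sample roles (not real role definitions), shaped like Get-AzRoleDefinition output
$sampleRoles = @(
    [pscustomobject]@{
        Name       = 'Sample Broad Role'
        Actions    = @('*')
        NotActions = @('Microsoft.Authorization/*/Write')
    }
    [pscustomobject]@{
        Name       = 'Sample Deployment Role'
        Actions    = @('Microsoft.Resources/deployments/*')
        NotActions = @()
    }
    [pscustomobject]@{
        Name       = 'Sample Reader Role'
        Actions    = @('*/read')
        NotActions = @()
    }
    [pscustomobject]@{
        Name       = 'Sample Blocked Role'
        Actions    = @('Microsoft.Resources/*')
        NotActions = @('Microsoft.Resources/deployments/write')
    }
)

$operation   = 'Microsoft.Resources/deployments/write'
$nrOfActions = @{ label = 'Nr Of Actions'; expression = { $_.Actions.Count } }

# List every sample role that effectively grants the operation, narrowest first
$sampleRoles |
    Where-Object { Test-RoleGrantsAction -Role $_ -Operation $operation } |
    Select-Object Name, $nrOfActions |
    Sort-Object 'Nr Of Actions'
```

To run it against a real tenant, replace `$sampleRoles` with the `$roles` variable from the snippet above.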