File format
The RBAC details are defined in JSON or YAML format. There is one file per resource group, subscription, or management group.
Example resource group
YAML:

```yaml
---
resourceGroupName: OSX-ARG-KEYVAULT-DEV
location: eastus
assignments:
  - role: Contributor
    objectName: Jennifer.Davies@osservantex.onmicrosoft.com
    objectType: User
  - role: Owner
    objectName: Information Technology
    objectType: Group
  - role: Reader
    objectName: Oliver.Walker@osservantex.onmicrosoft.com
    objectType: User
  - role: Key Vault Reader
    objectName: Susan.Fisher@osservantex.onmicrosoft.com
    objectType: User
    scope: "/providers/Microsoft.KeyVault/vaults/osxkvappx"
tags:
  Created: '2022-02-04'
  Description: Dev keyvault resource group
  Environment: Development
```

JSON:

```json
{
  "resourceGroupName": "OSX-ARG-KEYVAULT-DEV",
  "location": "eastus",
  "assignments": [
    {
      "role": "Contributor",
      "objectName": "Jennifer.Davies@osservantex.onmicrosoft.com",
      "objectType": "User"
    },
    {
      "role": "Owner",
      "objectName": "Information Technology",
      "objectType": "Group"
    },
    {
      "role": "Reader",
      "objectName": "Oliver.Walker@osservantex.onmicrosoft.com",
      "objectType": "User"
    },
    {
      "role": "Key Vault Reader",
      "objectName": "Susan.Fisher@osservantex.onmicrosoft.com",
      "objectType": "User",
      "scope": "/providers/Microsoft.KeyVault/vaults/osxkvappx"
    }
  ],
  "tags": {
    "Created": "2022-02-04",
    "Description": "Dev keyvault resource group",
    "Environment": "Development"
  }
}
```
Properties
Resource Groups
Property | Required | Type | Description |
---|---|---|---|
resourceGroupName | Yes | String | The name of the resource group |
location | Yes | String | The location of the resource group |
assignments | No | Array | An array of RBAC assignments |
tags | No | Object | An object with tag name/value pairs |
Assignments
Property | Required | Type | Description |
---|---|---|---|
role | Yes | String | The name of the Role |
objectName | Yes | String | The name of the User, Group or ServicePrincipal |
objectType | Yes | String | The type of object: User, Group or ServicePrincipal |
scope | No | String | Required if setting RBAC on resources within the resource group. Not required at resource group level. |
Order for assignments
When the code is exported from Azure, it is written to file with the assignments sorted by the following properties, in this order:
Order | Property |
---|---|
1 | scope |
2 | role |
3 | objectName |
4 | objectType |
Best practice is to create assignments in the same order.
Scope is null for most assignments, since it is not used for resource group level assignments; those appear first, followed by the assignments on resources within the resource group.
Assignments can be created in any order, but the next export is sorted, so an unsorted file will show up as code changes on that export.
Order for tags
Best practice is to create tags ordered alphabetically by name.
Tags can be created in any order, but the next export is sorted, so unsorted tags will show up as code changes on that export.
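The following Python script, added here as an example and not part of the project's own code, validates a resource group file against the property tables above and rewrites it into the export order for assignments and the alphabetical order for tags, so that a hand-written file does not show up as a diff on the next export. The JSON sample is constructed for this example, and the check that a scope must start with /providers/ is an assumption drawn from the Scope section below, not a rule the tool documents.

```python
import json

VALID_OBJECT_TYPES = {"User", "Group", "ServicePrincipal"}
# Export order from the table above: scope (null first), then role, objectName, objectType.
ASSIGNMENT_ORDER = ("scope", "role", "objectName", "objectType")

# Constructed sample, not an Azure export: the page's example with assignments and tags out of order.
SAMPLE = json.loads("""
{
  "resourceGroupName": "OSX-ARG-KEYVAULT-DEV",
  "location": "eastus",
  "assignments": [
    {"role": "Key Vault Reader", "objectName": "Susan.Fisher@osservantex.onmicrosoft.com",
     "objectType": "User", "scope": "/providers/Microsoft.KeyVault/vaults/osxkvappx"},
    {"role": "Reader", "objectName": "Oliver.Walker@osservantex.onmicrosoft.com", "objectType": "User"},
    {"role": "Owner", "objectName": "Information Technology", "objectType": "Group"},
    {"role": "Contributor", "objectName": "Jennifer.Davies@osservantex.onmicrosoft.com", "objectType": "User"}
  ],
  "tags": {"Environment": "Development", "Created": "2022-02-04", "Description": "Dev keyvault resource group"}
}
""")


def validate(doc):
    """Check a resource group file against the property tables; returns a list of problems (empty = valid)."""
    problems = []
    for key in ("resourceGroupName", "location"):
        if not isinstance(doc.get(key), str) or not doc[key]:
            problems.append(f"missing or non-string '{key}'")
    for i, a in enumerate(doc.get("assignments", [])):
        for key in ("role", "objectName", "objectType"):
            if not isinstance(a.get(key), str) or not a[key]:
                problems.append(f"assignments[{i}]: missing '{key}'")
        if a.get("objectType") not in VALID_OBJECT_TYPES:
            problems.append(f"assignments[{i}]: objectType must be User, Group or ServicePrincipal")
        scope = a.get("scope")
        # Assumed check: scope is the part of the resource ID after the resource group, so a full ID is a mistake.
        if scope is not None and not str(scope).startswith("/providers/"):
            problems.append(f"assignments[{i}]: scope must be relative to the resource group (/providers/...)")
    tags = doc.get("tags", {})
    if not isinstance(tags, dict) or not all(isinstance(v, str) for v in tags.values()):
        problems.append("tags must be an object of tag name/value string pairs")
    return problems


def normalise(doc):
    """Return a copy with assignments in export order and tags alphabetical, so the next export shows no diff."""
    out = dict(doc)
    out["assignments"] = sorted(doc.get("assignments", []),
                                key=lambda a: tuple(a.get(k) or "" for k in ASSIGNMENT_ORDER))
    out["tags"] = dict(sorted(doc.get("tags", {}).items()))
    return out
```

Run `json.dumps(normalise(SAMPLE), indent=2)` on a file before committing it to get the same layout the export produces.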
Scope
Role-based assignments can be applied to individual resources by specifying the scope.
The scope of the resource group is already known, so only the part of the resource ID after the resource group is required.
For example, given the resource ID:

```text
/subscriptions/fd84fdbc-ff81-4b9e-bbaa-96db46039ffb/resourceGroups/OSX-ARG-KEYVAULT-DEV/providers/Microsoft.KeyVault/vaults/osxkvappx
```

the scope is:

```text
/providers/Microsoft.KeyVault/vaults/osxkvappx
```
Example code:
YAML:

```yaml
---
assignments:
  - role: Key Vault Reader
    objectName: Susan.Fisher@osservantex.onmicrosoft.com
    objectType: User
    scope: "/providers/Microsoft.KeyVault/vaults/osxkvappx"
```

JSON:

```json
{
  "assignments": [
    {
      "role": "Key Vault Reader",
      "objectName": "Susan.Fisher@osservantex.onmicrosoft.com",
      "objectType": "User",
      "scope": "/providers/Microsoft.KeyVault/vaults/osxkvappx"
    }
  ]
}
```