File format

The RBAC details are defined in JSON or YAML format. There is one file per resource group, subscription, or management group.

Example resource group

```yaml
---
resourceGroupName: OSX-ARG-KEYVAULT-DEV
location: eastus
assignments:
  - role: Contributor
    objectName: Jennifer.Davies@osservantex.onmicrosoft.com
    objectType: User
  - role: Owner
    objectName: Information Technology
    objectType: Group
  - role: Reader
    objectName: Oliver.Walker@osservantex.onmicrosoft.com
    objectType: User
  - role: Key Vault Reader
    objectName: Susan.Fisher@osservantex.onmicrosoft.com
    objectType: User
    scope: "/providers/Microsoft.KeyVault/vaults/osxkvappx"
tags:
  Created: '2022-02-04'
  Description: Dev keyvault resource group
  Environment: Development
```

Properties

Resource Groups

| Property | Required | Type | Description |
|---|---|---|---|
| resourceGroupName | Yes | String | The name of the resource group |
| location | Yes | String | The location of the resource group |
| assignments | No | Array | An array of RBAC assignments |
| tags | No | Object | An object with tag name/value pairs |

Assignments

| Property | Required | Type | Description |
|---|---|---|---|
| role | Yes | String | The name of the role |
| objectName | Yes | String | The name of the User, Group or ServicePrincipal |
| objectType | Yes | String | The type of object: User, Group or ServicePrincipal |
| scope | No | String | Required if setting RBAC on resources within the resource group. Not required at resource group level. |

Order for assignments

When the code is exported from Azure, it is written to file with assignments sorted by the following properties, in this order:

| Order | Property |
|---|---|
| 1 | scope |
| 2 | role |
| 3 | objectName |
| 4 | objectType |

Best practice is to create assignments using the same order.

Scope is usually null, because it is not used for resource-group-level assignments; these appear first in the order, followed by assignments scoped to resources within the resource group.

Assignments can be created in any order, but the next export is sorted, so any assignments not written in this order will show up as code changes.

Order for tags

Best practice is to create tags ordered alphabetically by name.

Tags can be created in any order, but the next export is sorted, so any tags not written in alphabetical order will show up as code changes.

Scope

Role-based assignments can be applied to individual resources by specifying the scope.

The scope of the resource group is already known, so only the part of the resource ID after the resource group is required.

e.g. Resource ID:

/subscriptions/fd84fdbc-ff81-4b9e-bbaa-96db46039ffb/resourceGroups/OSX-ARG-KEYVAULT-DEV/providers/Microsoft.KeyVault/vaults/osxkvappx

Scope:

/providers/Microsoft.KeyVault/vaults/osxkvappx

Example code:

```yaml
---
assignments:
  - role: Key Vault Reader
    objectName: Susan.Fisher@osservantex.onmicrosoft.com
    objectType: User
    scope: "/providers/Microsoft.KeyVault/vaults/osxkvappx"
```
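The following linter, an added example that is not part of this tool's own code, checks a loaded resource group definition against the rules above: the required properties and objectType values from the property tables, the export order for assignments and tags, and the expansion of a relative scope back to a full resource ID. The definition is embedded as an already-parsed dict (constructed sample data), and the subscription ID is a placeholder.

```python
"""Lint an RBAC resource group definition against the documented file format."""

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real subscription
OBJECT_TYPES = {"User", "Group", "ServicePrincipal"}

# Constructed sample: assignments deliberately out of export order, tags not
# alphabetical, and one assignment with an objectType the format does not allow.
SAMPLE = {
    "resourceGroupName": "OSX-ARG-KEYVAULT-DEV",
    "location": "eastus",
    "assignments": [
        {"role": "Key Vault Reader", "objectName": "Susan.Fisher@osservantex.onmicrosoft.com",
         "objectType": "User", "scope": "/providers/Microsoft.KeyVault/vaults/osxkvappx"},
        {"role": "Owner", "objectName": "Information Technology", "objectType": "Group"},
        {"role": "Contributor", "objectName": "svc-deploy", "objectType": "Robot"},
    ],
    "tags": {"Environment": "Development", "Created": "2022-02-04"},
}


def sort_key(assignment):
    """Export order: scope (null scopes first), then role, objectName, objectType."""
    return (assignment.get("scope") or "", assignment["role"],
            assignment["objectName"], assignment["objectType"])


def lint(doc):
    """Return a list of findings; an empty list means the definition matches the format."""
    findings = []
    for key in ("resourceGroupName", "location"):
        if not isinstance(doc.get(key), str):
            findings.append(f"missing required property '{key}'")
    assignments = doc.get("assignments", [])
    for i, a in enumerate(assignments):
        for key in ("role", "objectName", "objectType"):
            if key not in a:
                findings.append(f"assignment {i}: missing '{key}'")
        if a.get("objectType") not in OBJECT_TYPES:
            findings.append(f"assignment {i}: objectType must be User, Group or ServicePrincipal")
    if assignments != sorted(assignments, key=sort_key):
        findings.append("assignments are not in export order (scope, role, objectName, objectType)")
    tag_names = list(doc.get("tags", {}))
    if tag_names != sorted(tag_names):
        findings.append("tags are not in alphabetical order")
    return findings


def normalise(doc):
    """Return a copy with assignments and tags rewritten in the order an export would produce."""
    out = dict(doc)
    out["assignments"] = sorted(doc.get("assignments", []), key=sort_key)
    out["tags"] = dict(sorted(doc.get("tags", {}).items()))
    return out


def full_scope(doc, assignment, subscription_id=SUBSCRIPTION_ID):
    """Expand a relative scope to the full Azure resource ID it targets."""
    rg = f"/subscriptions/{subscription_id}/resourceGroups/{doc['resourceGroupName']}"
    return rg + (assignment.get("scope") or "")
```

Running `normalise` before committing a hand-written file avoids the spurious diff that the next sorted export would otherwise produce.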