Using the Azure Python SDK, for each role assignment to a resource, I want to get the assignment type i.e. eligible assignment or active assignment.
The RoleAssignment Class does not provide this information.
Using the Azure Portal, going to PIM -> Azure resources -> (selecting a resource) -> Assignments, I get two tabs, "Eligible assignments" and "Active assignments":
I searched through all relevant Azure Python SDK services but could not find one that provides me the type of an assignment (eligible vs. active).
Alternative: If there is no solution provided with the Azure Python SDK, is there an API endpoint that provides that kind of information?
You need to use two separate API endpoints to get the eligible and active role assignments for Azure resources.
Eligible role assignments:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01
Active role assignments:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01
I have one storage account with the Eligible role assignments below:
To get the eligible role assignments of this storage account, I ran the Python code below and got results successfully:
from azure.identity import ClientSecretCredential
import requests

# Replace with your actual values
tenant_id = "tenantID"
client_id = "appID"
client_secret = "secret"

# Replace with your actual URL (scope of the storage account)
url = "https://management.azure.com/subscriptions/<subId>/resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/sristorageacc11/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01"

# Create a ClientSecretCredential instance
credential = ClientSecretCredential(
    tenant_id=tenant_id,
    client_id=client_id,
    client_secret=client_secret
)

# Get the access token for the Azure Management API
token = credential.get_token("https://management.azure.com/.default")
headers = {
    "Authorization": "Bearer " + token.token,
    "Content-Type": "application/json"
}

response = requests.get(url, headers=headers)

if response.status_code == 200:
    data = response.json()
    # Each item is one eligible assignment; expandedProperties carries the resolved names
    for item in data["value"]:
        principal_display_name = item["properties"]["expandedProperties"]["principal"]["displayName"]
        role_definition_display_name = item["properties"]["expandedProperties"]["roleDefinition"]["displayName"]
        principal_type = item["properties"]["expandedProperties"]["principal"]["type"]
        print("Principal Display Name:", principal_display_name)
        print("Principal Type:", principal_type)
        print("Role Definition Display Name:", role_definition_display_name)
        print("-" * 50)  # Separating lines for clarity
else:
    print("Request failed with status code:", response.status_code)
    print("Response content:", response.content)
Response:
Similarly, I have the Active role assignments below for that storage account:
To get the active role assignments of this storage account, I ran the Python code below, changing only the URL, and got results successfully:
from azure.identity import ClientSecretCredential
import requests

# Replace with your actual values
tenant_id = "tenantID"
client_id = "appID"
client_secret = "secret"

# Replace with your actual URL (same scope, roleAssignmentScheduleInstances endpoint)
url = "https://management.azure.com/subscriptions/<subId>/resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/sristorageacc11/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01"

# Create a ClientSecretCredential instance
credential = ClientSecretCredential(
    tenant_id=tenant_id,
    client_id=client_id,
    client_secret=client_secret
)

# Get the access token for the Azure Management API
token = credential.get_token("https://management.azure.com/.default")
headers = {
    "Authorization": "Bearer " + token.token,
    "Content-Type": "application/json"
}

response = requests.get(url, headers=headers)

if response.status_code == 200:
    data = response.json()
    # Each item is one active assignment; expandedProperties carries the resolved names
    for item in data["value"]:
        principal_display_name = item["properties"]["expandedProperties"]["principal"]["displayName"]
        role_definition_display_name = item["properties"]["expandedProperties"]["roleDefinition"]["displayName"]
        principal_type = item["properties"]["expandedProperties"]["principal"]["type"]
        print("Principal Display Name:", principal_display_name)
        print("Principal Type:", principal_type)
        print("Role Definition Display Name:", role_definition_display_name)
        print("-" * 50)  # Separating lines for clarity
else:
    print("Request failed with status code:", response.status_code)
    print("Response content:", response.content)
Response:
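The two scripts above differ only in the endpoint they call, so they can be folded into one function that queries both schedule-instance endpoints for a scope and tags every row with its assignment type. The code below is an added example, not part of the answer: it uses only the standard library, follows ARM's nextLink paging (which the answer's scripts do not), and takes an injectable fetch function so it can run offline against constructed sample pages; the scope, principals and roles in SAMPLE_PAGES are made up.

```python
import json
import urllib.request

ARM = "https://management.azure.com"
ENDPOINTS = {"Eligible": "roleEligibilityScheduleInstances",  # one ARM endpoint per PIM type
             "Active": "roleAssignmentScheduleInstances"}

def summarize(page, assignment_type):
    # Flatten one response page into rows tagged with the assignment type.
    rows = []
    for item in page.get("value", []):
        props = item["properties"]
        expanded = props.get("expandedProperties", {})
        rows.append({"assignmentType": assignment_type,
                     "principal": expanded.get("principal", {}).get("displayName"),
                     "principalType": expanded.get("principal", {}).get("type"),
                     "role": expanded.get("roleDefinition", {}).get("displayName"),
                     "endDateTime": props.get("endDateTime")})  # None = no expiry
    return rows

def list_pim_assignments(scope, token, fetch=None):
    # Query both endpoints for one scope and follow nextLink paging.
    # fetch(url) -> dict is injectable; the default performs a real ARM GET.
    def arm_get(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    fetch = fetch or arm_get
    rows = []
    for kind, resource in ENDPOINTS.items():
        url = (f"{ARM}/{scope.strip('/')}/providers/Microsoft.Authorization/"
               f"{resource}?api-version=2020-10-01")
        while url:  # ARM list responses carry nextLink while pages remain
            page = fetch(url)
            rows.extend(summarize(page, kind))
            url = page.get("nextLink")
    return rows
# Constructed sample pages (not real ARM output), keyed by URL, for offline runs.
SCOPE = "subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<acct>"
_BASE = f"{ARM}/{SCOPE}/providers/Microsoft.Authorization/"
def _row(name, ptype, role, end=None):
    return {"properties": {"endDateTime": end, "expandedProperties": {
        "principal": {"displayName": name, "type": ptype}, "roleDefinition": {"displayName": role}}}}
SAMPLE_PAGES = {
    _BASE + "roleEligibilityScheduleInstances?api-version=2020-10-01":
        {"value": [_row("Alice", "User", "Contributor", "2025-01-01T00:00:00Z")],
         "nextLink": _BASE + "roleEligibilityScheduleInstances?page=2"},
    _BASE + "roleEligibilityScheduleInstances?page=2": {"value": [_row("Ops Group", "Group", "Reader")]},
    _BASE + "roleAssignmentScheduleInstances?api-version=2020-10-01": {"value": [_row("Bob", "User", "Owner")]},
}
```

Against a real tenant, pass a token from ClientSecretCredential.get_token("https://management.azure.com/.default").token and omit fetch; for the offline run, pass fetch=SAMPLE_PAGES.__getitem__.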