Share via


az keyvault role assignment

Manage role assignments.

Commands

Name Description Type Status
az keyvault role assignment create

Create a new role assignment for a user, group, or service principal.

Core GA
az keyvault role assignment delete

Delete a role assignment.

Core GA
az keyvault role assignment list

List role assignments.

Core GA

az keyvault role assignment create

Create a new role assignment for a user, group, or service principal.

az keyvault role assignment create --role
                                   --scope
                                   [--assignee]
                                   [--assignee-object-id]
                                   [--assignee-principal-type {Application, DirectoryObjectOrGroup, DirectoryRoleTemplate, Everyone, ForeignGroup, Group, MSI, ServicePrincipal, Unknown, User}]
                                   [--hsm-name]
                                   [--id]
                                   [--name]

Required Parameters

--role

Role name or id.

--scope

Scope at which the role assignment or definition applies to, e.g., "/" or "/keys" or "/keys/{keyname}".

Optional Parameters

--assignee

Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--assignee-principal-type -t

The principal type of assignee.

Accepted values: Application, DirectoryObjectOrGroup, DirectoryRoleTemplate, Everyone, ForeignGroup, Group, MSI, ServicePrincipal, Unknown, User
--hsm-name

Name of the HSM.

--id

Full URI of the HSM. If specified all other 'Id' arguments should be omitted.

--name -n

Name of the role assignment.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault role assignment delete

Delete a role assignment.

az keyvault role assignment delete [--assignee]
                                   [--assignee-object-id]
                                   [--hsm-name]
                                   [--id]
                                   [--ids]
                                   [--name]
                                   [--role]
                                   [--scope]

Optional Parameters

--assignee

Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--hsm-name

Name of the HSM.

--id

Full URI of the HSM. If specified all other 'Id' arguments should be omitted.

--ids

Space-separated role assignment ids.

--name -n

Name of the role assignment.

--role

Role name or id.

--scope

Scope at which the role assignment or definition applies to, e.g., "/" or "/keys" or "/keys/{keyname}".

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az keyvault role assignment list

List role assignments.

az keyvault role assignment list [--assignee]
                                 [--assignee-object-id]
                                 [--hsm-name]
                                 [--id]
                                 [--role]
                                 [--scope]

Optional Parameters

--assignee

Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--hsm-name

Name of the HSM.

--id

Full URI of the HSM. If specified all other 'Id' arguments should be omitted.

--role

Role name or id.

--scope

Scope at which the role assignment or definition applies to, e.g., "/" or "/keys" or "/keys/{keyname}".

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.