az keyvault role assignment
Manage role assignments.
Commands
Name | Description | Type | Status |
---|---|---|---|
az keyvault role assignment create | Create a new role assignment for a user, group, or service principal. | Core | GA |
az keyvault role assignment delete | Delete a role assignment. | Core | GA |
az keyvault role assignment list | List role assignments. | Core | GA |
az keyvault role assignment create
Create a new role assignment for a user, group, or service principal.
az keyvault role assignment create --role
--scope
[--assignee]
[--assignee-object-id]
[--assignee-principal-type {Application, DirectoryObjectOrGroup, DirectoryRoleTemplate, Everyone, ForeignGroup, Group, MSI, ServicePrincipal, Unknown, User}]
[--hsm-name]
[--id]
[--name]
Examples
Create a role assignment for a specified assignee with a defined role and scope in a Managed HSM using its name. (autogenerated)
az keyvault role assignment create --assignee fb2f-ac10--a04f-8b0d786ea37d --hsm-name mock-mhsm --role "Managed HSM Crypto User" --scope "/"
Required Parameters
--role
Role name or id.
--scope
Scope at which the role assignment or definition applies, e.g., "/" or "/keys" or "/keys/{keyname}".
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--assignee
Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.
--assignee-object-id
Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities, use the principal id. For service principals, use the object id and not the app id.
--assignee-principal-type
The principal type of assignee.
Property | Value |
---|---|
Accepted values: | Application, DirectoryObjectOrGroup, DirectoryRoleTemplate, Everyone, ForeignGroup, Group, MSI, ServicePrincipal, Unknown, User |
--hsm-name
Name of the HSM.
Property | Value |
---|---|
Parameter group: | Id Arguments |
--id
Full URI of the HSM. If specified, all other 'Id' arguments should be omitted.
Property | Value |
---|---|
Parameter group: | Id Arguments |
--name -n
Name of the role assignment.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
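A least-privilege wrapper around the create command documented above, added here as an example and not part of the Azure CLI reference. It accepts only the documented scope forms, requires an object id so that --assignee-object-id and --assignee-principal-type can be used, and refuses the root scope "/" unless confirmed. The function names, DRY_RUN and ALLOW_ROOT are hypothetical, and the key-name character set is an assumption.

```shell
#!/usr/bin/env bash
# Added example. mhsm_scope_ok, mhsm_is_guid, mhsm_assign, DRY_RUN and ALLOW_ROOT
# are hypothetical helpers, not Azure CLI features.

# Accept only the documented scope forms: "/", "/keys", "/keys/{keyname}".
# Assumption: key names contain only letters, digits and hyphens.
mhsm_scope_ok() {
  case "$1" in
    /|/keys) return 0 ;;
    /keys/*)
      key=${1#/keys/}
      case "$key" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;   # empty name or nested path
        *) return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# True when $1 looks like a directory object id (GUID).
mhsm_is_guid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Usage: mhsm_assign HSM_NAME ROLE SCOPE OBJECT_ID PRINCIPAL_TYPE
mhsm_assign() {
  hsm=$1 role=$2 scope=$3 oid=$4 ptype=$5
  mhsm_scope_ok "$scope" || { echo "rejected: scope '$scope'" >&2; return 2; }
  mhsm_is_guid "$oid" || { echo "rejected: assignee is not an object id" >&2; return 2; }
  # "/" applies the role to the whole HSM, so require explicit confirmation.
  if [ "$scope" = "/" ] && [ "${ALLOW_ROOT:-0}" != 1 ]; then
    echo "rejected: scope '/' needs ALLOW_ROOT=1" >&2
    return 3
  fi
  set -- az keyvault role assignment create --hsm-name "$hsm" --role "$role" \
    --scope "$scope" --assignee-object-id "$oid" --assignee-principal-type "$ptype"
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed values; DRY_RUN=1 prints the command instead of running it.
DRY_RUN=1 mhsm_assign mock-mhsm "Managed HSM Crypto User" /keys/app-signing \
  00000000-0000-0000-0000-000000000000 ServicePrincipal
```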
az keyvault role assignment delete
Delete a role assignment.
az keyvault role assignment delete [--assignee]
[--assignee-object-id]
[--hsm-name]
[--id]
[--ids]
[--name]
[--role]
[--scope]
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--assignee
Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.
--assignee-object-id
Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities, use the principal id. For service principals, use the object id and not the app id.
--hsm-name
Name of the HSM.
Property | Value |
---|---|
Parameter group: | Id Arguments |
--id
Full URI of the HSM. If specified, all other 'Id' arguments should be omitted.
Property | Value |
---|---|
Parameter group: | Id Arguments |
--ids
Space-separated role assignment ids.
--name -n
Name of the role assignment.
--role
Role name or id.
--scope
Scope at which the role assignment or definition applies, e.g., "/" or "/keys" or "/keys/{keyname}".
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az keyvault role assignment list
List role assignments.
az keyvault role assignment list [--assignee]
[--assignee-object-id]
[--hsm-name]
[--id]
[--role]
[--scope]
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--assignee
Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.
--assignee-object-id
Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities, use the principal id. For service principals, use the object id and not the app id.
--hsm-name
Name of the HSM.
Property | Value |
---|---|
Parameter group: | Id Arguments |
--id
Full URI of the HSM. If specified, all other 'Id' arguments should be omitted.
Property | Value |
---|---|
Parameter group: | Id Arguments |
--role
Role name or id.
--scope
Scope at which the role assignment or definition applies, e.g., "/" or "/keys" or "/keys/{keyname}".
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
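A drift check over the list command's output, added here as an example and not part of the Azure CLI reference: it compares current grants against an approved baseline and separately reports approved grants made at the root scope "/". The helper names are hypothetical, the sample rows are constructed, and the principalId, roleName and scope field names in the --query expression are an assumption about the list output.

```shell
#!/usr/bin/env bash
# Added example. sample_assignments and mhsm_audit are hypothetical helpers.

# Constructed stand-in for the output of:
#   az keyvault role assignment list --hsm-name mock-mhsm \
#     --query "[].[principalId, roleName, scope]" -o tsv
# (assumes the list output exposes principalId, roleName and scope)
sample_assignments() {
  printf '%s\t%s\t%s\n' \
    11111111-1111-1111-1111-111111111111 "Managed HSM Crypto User" /keys/app-signing \
    22222222-2222-2222-2222-222222222222 "Managed HSM Crypto User" / \
    33333333-3333-3333-3333-333333333333 "Managed HSM Crypto User" /keys
}

# Usage: mhsm_audit BASELINE_TSV < current.tsv
# BASELINE_TSV holds the approved grants in the same three-column layout.
# Prints UNAPPROVED for grants missing from the baseline and ROOT-SCOPE for
# approved grants that apply to the whole HSM ("/").
# An unreadable baseline approves nothing, so every grant is reported.
mhsm_audit() {
  awk -F'\t' -v base="$1" '
    BEGIN { while ((getline line < base) > 0) approved[line] = 1 }
    !($0 in approved) { print "UNAPPROVED\t" $0; next }
    $3 == "/"         { print "ROOT-SCOPE\t" $0 }
  '
}

# Demo: treat the first two constructed grants as the approved baseline.
baseline=$(mktemp)
sample_assignments | head -n 2 > "$baseline"
sample_assignments | mhsm_audit "$baseline"
rm -f "$baseline"
```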