az keyvault role assignment

Manage role assignments.

Commands

Name                                  Description                                                              Type   Status
az keyvault role assignment create    Create a new role assignment for a user, group, or service principal.    Core   GA
az keyvault role assignment delete    Delete a role assignment.                                                Core   GA
az keyvault role assignment list      List role assignments.                                                   Core   GA

az keyvault role assignment create

Create a new role assignment for a user, group, or service principal.

az keyvault role assignment create --role
                                   --scope
                                   [--assignee]
                                   [--assignee-object-id]
                                   [--assignee-principal-type {Application, DirectoryObjectOrGroup, DirectoryRoleTemplate, Everyone, ForeignGroup, Group, MSI, ServicePrincipal, Unknown, User}]
                                   [--hsm-name]
                                   [--id]
                                   [--name]

Examples

Create a role assignment for a specified assignee with a defined role and scope in a Managed HSM using its name. (autogenerated)

az keyvault role assignment create --assignee fb2f-ac10--a04f-8b0d786ea37d --hsm-name mock-mhsm --role "Managed HSM Crypto User" --scope "/"

Required Parameters

--role

Role name or id.

--scope

Scope to which the role assignment or definition applies, e.g., "/" or "/keys" or "/keys/{keyname}".

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--assignee

Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--assignee-principal-type -t

The principal type of the assignee.

Accepted values: Application, DirectoryObjectOrGroup, DirectoryRoleTemplate, Everyone, ForeignGroup, Group, MSI, ServicePrincipal, Unknown, User
--hsm-name

Name of the HSM.

Parameter group: Id Arguments

--id

Full URI of the HSM. If specified, all other 'Id' arguments should be omitted.

Parameter group: Id Arguments

--name -n

Name of the role assignment.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False

az keyvault role assignment delete

Delete a role assignment.

az keyvault role assignment delete [--assignee]
                                   [--assignee-object-id]
                                   [--hsm-name]
                                   [--id]
                                   [--ids]
                                   [--name]
                                   [--role]
                                   [--scope]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--assignee

Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--hsm-name

Name of the HSM.

Parameter group: Id Arguments

--id

Full URI of the HSM. If specified, all other 'Id' arguments should be omitted.

Parameter group: Id Arguments

--ids

Space-separated role assignment ids.

--name -n

Name of the role assignment.

--role

Role name or id.

--scope

Scope to which the role assignment or definition applies, e.g., "/" or "/keys" or "/keys/{keyname}".

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False

az keyvault role assignment list

List role assignments.

az keyvault role assignment list [--assignee]
                                 [--assignee-object-id]
                                 [--hsm-name]
                                 [--id]
                                 [--role]
                                 [--scope]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--assignee

Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--hsm-name

Name of the HSM.

Parameter group: Id Arguments

--id

Full URI of the HSM. If specified, all other 'Id' arguments should be omitted.

Parameter group: Id Arguments

--role

Role name or id.

--scope

Scope to which the role assignment or definition applies, e.g., "/" or "/keys" or "/keys/{keyname}".

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Default value: False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Default value: False

--output -o

Output format.

Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Default value: False
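An added example (not part of the az CLI reference) that ties the `list` command's `--query`/`--output tsv` options to the scope semantics documented for `--scope`: it pulls a Managed HSM's role assignments and flags the ones granted at the root scope "/", which cover every key, so they can be reviewed against the narrower "/keys/{keyname}" form. It assumes the list output exposes `principalId`, `roleName` and `scope` fields and that `az` is already logged in; the TSV sample is constructed.

```shell
#!/bin/sh
# Added example, not from the az CLI reference. Audits a Managed HSM's local
# RBAC for role assignments at the root scope "/" so they can be reviewed
# for least privilege. Field names in the --query projection are an assumption
# about the shape of `az keyvault role assignment list` output.

# Pure-shell filter: reads "principalId<TAB>roleName<TAB>scope" lines on
# stdin and prints only those whose scope is exactly "/".
flag_root_scope() {
    while IFS="$(printf '\t')" read -r principal role scope; do
        if [ "$scope" = "/" ]; then
            printf '%s\t%s\t%s\n' "$principal" "$role" "$scope"
        fi
    done
}

# Live audit (needs `az login` and read access to the HSM's role assignments):
# project the fields as TSV with the documented --query/--output options and
# hand them to the filter.
audit_root_scope() {
    hsm_name="$1"
    az keyvault role assignment list --hsm-name "$hsm_name" \
        --query "[].[principalId, roleName, scope]" -o tsv | flag_root_scope
}

# Constructed sample of the TSV shape (not real az output), used when no HSM
# name is given so the filter can be exercised offline. Only the first
# assignment is at the root scope; the second is limited to one key.
SAMPLE_TSV="$(printf '11111111-aaaa-4bbb-8ccc-222222222222\tManaged HSM Crypto User\t/\n33333333-dddd-4eee-8fff-444444444444\tManaged HSM Crypto User\t/keys/app-signing\n')"

if [ "$#" -ge 1 ]; then
    audit_root_scope "$1"
else
    printf '%s\n' "$SAMPLE_TSV" | flag_root_scope
fi
```

Run with an HSM name to audit a real instance, or with no arguments to see the filter applied to the constructed sample.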