
Azure Python SDK: Get Role Assignment Type (eligible vs active)

Question {#heading}


Using the Azure Python SDK, for each role assignment to a resource, I want to get the assignment type i.e. eligible assignment or active assignment.

The RoleAssignment Class does not provide this information.

Using the Azure Portal, going to PIM -> Azure resources -> (Selecting a resource) -> Assignments, I get a tab "Eligible assignments" and "Active assignment":


I searched through all relevant Azure Python SDK services but could not find one that provides me the type of an assignment (eligible vs active).

Alternative: If there is no solution provided with the Azure Python SDK, is there an API endpoint that provides that kind of information?

Answer 1 {#1}

Score: 1


You need to use two separate API endpoints to get eligible and active role assignments of Azure resources.

Eligible role assignments:

```
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01
```

Active Role assignments:

```
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01
```

I have one storage account with the below eligible role assignments:

To get the eligible role assignments of this storage account, I ran the below Python code and got results successfully:

```python
from azure.identity import ClientSecretCredential
import requests

# Replace with your actual values
tenant_id = "tenantID"
client_id = "appID"
client_secret = "secret"

# Replace with your actual URL
url = "https://management.azure.com/subscriptions/<subId>/resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/sristorageacc11/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01"

# Create a ClientSecretCredential instance
credential = ClientSecretCredential(
    tenant_id=tenant_id,
    client_id=client_id,
    client_secret=client_secret,
)

# Get the access token for the Azure Management API
token = credential.get_token("https://management.azure.com/.default")

headers = {
    "Authorization": "Bearer " + token.token,
    "Content-Type": "application/json",
}

response = requests.get(url, headers=headers)

if response.status_code == 200:
    data = response.json()

    for item in data["value"]:
        principal_display_name = item["properties"]["expandedProperties"]["principal"]["displayName"]
        role_definition_display_name = item["properties"]["expandedProperties"]["roleDefinition"]["displayName"]
        principal_type = item["properties"]["expandedProperties"]["principal"]["type"]

        print("Principal Display Name:", principal_display_name)
        print("Principal Type:", principal_type)
        print("Role Definition Display Name:", role_definition_display_name)
        print("-" * 50)  # Separating lines for clarity
else:
    print("Request failed with status code:", response.status_code)
    print("Response content:", response.content)
```

Response:


Similarly, I have the below active role assignments for that storage account:

To get the active role assignments of this storage account, I ran the below Python code by changing the URL and got results successfully:

```python
from azure.identity import ClientSecretCredential
import requests

# Replace with your actual values
tenant_id = "tenantID"
client_id = "appID"
client_secret = "secret"

# Replace with your actual URL
url = "https://management.azure.com/subscriptions/<subId>/resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/sristorageacc11/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01"

# Create a ClientSecretCredential instance
credential = ClientSecretCredential(
    tenant_id=tenant_id,
    client_id=client_id,
    client_secret=client_secret,
)

# Get the access token for the Azure Management API
token = credential.get_token("https://management.azure.com/.default")

headers = {
    "Authorization": "Bearer " + token.token,
    "Content-Type": "application/json",
}

response = requests.get(url, headers=headers)

if response.status_code == 200:
    data = response.json()

    for item in data["value"]:
        principal_display_name = item["properties"]["expandedProperties"]["principal"]["displayName"]
        role_definition_display_name = item["properties"]["expandedProperties"]["roleDefinition"]["displayName"]
        principal_type = item["properties"]["expandedProperties"]["principal"]["type"]

        print("Principal Display Name:", principal_display_name)
        print("Principal Type:", principal_type)
        print("Role Definition Display Name:", role_definition_display_name)
        print("-" * 50)  # Separating lines for clarity
else:
    print("Request failed with status code:", response.status_code)
    print("Response content:", response.content)
```

Response:

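An added example, not part of the original answer: it combines the two endpoints above into one inventory that tags each entry as eligible or active, follows `nextLink` paging, and falls back to `principalId` / `roleDefinitionId` when `expandedProperties` is absent. The function names, the `fetch` callable and the sample pages are assumptions constructed for illustration.

```python
import json
import urllib.request

ARM = "https://management.azure.com"
ENDPOINTS = {"eligible": "roleEligibilityScheduleInstances",
             "active": "roleAssignmentScheduleInstances"}

def arm_get(url, token):  # live fetch of one result page with a bearer token
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_url(scope, kind):
    return (f"{ARM}/{scope.strip('/')}/providers/Microsoft.Authorization/"
            f"{ENDPOINTS[kind]}?api-version=2020-10-01")

def inventory(scope, fetch):
    """Return one row per instance at `scope`, tagged 'eligible' or 'active'."""
    rows = []
    for kind in ENDPOINTS:
        url = list_url(scope, kind)
        while url:  # list results are paged; follow nextLink until it is absent
            page = fetch(url)
            for item in page.get("value", []):
                props = item.get("properties", {})
                exp = props.get("expandedProperties", {})
                who = exp.get("principal", {})
                rows.append({
                    "type": kind, "principal_type": who.get("type"),
                    "principal": who.get("displayName") or props.get("principalId"),
                    "role": exp.get("roleDefinition", {}).get("displayName")
                            or props.get("roleDefinitionId"),
                })
            url = page.get("nextLink")
    return rows

# Constructed sample pages (not real tenant data) so the example runs offline.
SCOPE = "subscriptions/00000000-0000-0000-0000-000000000000"
def _item(name, ptype, role):
    return {"properties": {"expandedProperties": {
        "principal": {"displayName": name, "type": ptype},
        "roleDefinition": {"displayName": role}}}}
SAMPLE = {
    list_url(SCOPE, "eligible"): {"value": [_item("Alice", "User", "Owner")],
                                  "nextLink": "https://example.invalid/page2"},
    "https://example.invalid/page2": {"value": [_item("Ops", "Group", "Contributor")]},
    list_url(SCOPE, "active"): {"value": [{"properties": {
        "principalId": "sp-1", "roleDefinitionId": "rd-1"}}]},
}
rows = inventory(SCOPE, SAMPLE.__getitem__)  # live: lambda u: arm_get(u, token.token)
```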

