When I log in with a service principal, e.g.
az login --service-principal -u "12121" -p "1212" --tenant "12121"
it shows the list of all subscriptions the principal has access to, like:
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "123",
    "id": "215645",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Sub1",
    "state": "Enabled",
    "tenantId": "123",
    "user": {
      "name": "123456",
      "type": "servicePrincipal"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "123",
    "id": "rr",
    "isDefault": false,
    "managedByTenants": [
      {
        "tenantId": "123"
      }
    ],
    "name": "Sub2",
    "state": "Enabled",
    "tenantId": "123",
    "user": {
      "name": "123456",
      "type": "servicePrincipal"
    }
  },
  ...
  ...
]
For some of the subscriptions in the list, the SPN has direct Reader access (RBAC) at the subscription level. But for another subscription (let's say Sub2), the access is not granted at the subscription level; instead it has been granted at the level of individual resource(s).
Question: How do I get the list of all resources within Sub2 to which the service principal has been granted access? In other words, I have to find (list) what kind of access the service principal has been assigned on any/all resources within Sub2.
I know the Azure CLI does this behind the scenes to retrieve this information; that is why it can show the full list of subscriptions after a successful login. But I don't know what it does.
Is there any CLI command or Graph API to retrieve that information?
P.S.: I don't know the scope or resource where the SPN is assigned either.
CodePudding user response:
If you want to list the role assignments for a specific user, you can use the az role assignment list command:
az role assignment list --assignee {assignee}
Note: To view role assignments for the current subscription and below, add the --all parameter:
az role assignment list --assignee {assignee} --all
If you are already logged in with the service principal, you can omit the --assignee parameter.
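As an added example (not part of the question or the answer above), the following Python script takes the JSON that az role assignment list --all --include-inherited --subscription <id> --assignee <appId-or-objectId> -o json prints and groups the service principal's assignments by scope kind (subscription, resource group, individual resource, management group), which answers "what access does the SPN have on which resources in Sub2". Two things worth knowing when doing this: --assignee accepts either the application (client) ID shown as user.name in the login output or the service principal's object ID, but the principalId field in each assignment is always the object ID, so local filtering must use that; and --include-inherited adds assignments made on parent scopes (management group, root), which is where a Reader you cannot find at subscription level may actually live. The fetch_assignments helper runs the real CLI and assumes az is on PATH and already logged in; the sample assignments, subscription ID and object IDs are constructed for the demo.

```python
"""Summarize a service principal's RBAC assignments in one subscription.

Input shape is that of:
    az role assignment list --all --include-inherited \
        --subscription <sub-id> --assignee <appId-or-objectId> -o json
"""
from __future__ import annotations

import json
import re
import subprocess
from collections import defaultdict

# Recognised ARM scope shapes (case-insensitive, as ARM treats them).
RES_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/(?P<res>.+)$", re.I)
SUBRES_RE = re.compile(r"^/subscriptions/[^/]+/providers/(?P<res>.+)$", re.I)
RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/(?P<rg>[^/]+)$", re.I)
SUB_RE = re.compile(r"^/subscriptions/(?P<sub>[^/]+)$", re.I)
MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def classify_scope(scope: str) -> tuple[str, str]:
    """Map an assignment's scope string to (kind, target)."""
    if scope == "/":
        return "tenant", "/"
    if scope.lower().startswith(MG_PREFIX):
        return "managementGroup", scope.rsplit("/", 1)[-1]
    if (m := RES_RE.match(scope)) or (m := SUBRES_RE.match(scope)):
        return "resource", m.group("res")          # provider/type/name[/child...]
    if m := RG_RE.match(scope):
        return "resourceGroup", m.group("rg")
    if m := SUB_RE.match(scope):
        return "subscription", m.group("sub")
    return "unknown", scope


def summarize_access(assignments: list[dict], principal_id: str | None = None) -> dict[str, list[dict]]:
    """Group assignments by scope kind; principal_id (an object ID) filters to one principal."""
    by_kind: dict[str, list[dict]] = defaultdict(list)
    for a in assignments:
        if principal_id and a.get("principalId", "").lower() != principal_id.lower():
            continue
        kind, target = classify_scope(a["scope"])
        by_kind[kind].append({
            "target": target,
            "role": a.get("roleDefinitionName"),
            "scope": a["scope"],
            "condition": a.get("condition"),      # ABAC condition, if any, narrows the role
        })
    return dict(by_kind)


def fetch_assignments(subscription: str, assignee: str) -> list[dict]:
    """Run the real CLI (assumes `az` on PATH and an authenticated session). Not used by the demo."""
    cmd = ["az", "role", "assignment", "list", "--all", "--include-inherited",
           "--subscription", subscription, "--assignee", assignee, "-o", "json"]
    return json.loads(subprocess.check_output(cmd, text=True))


# Constructed sample data shaped like the CLI's JSON output.
SUB2 = "22222222-2222-2222-2222-222222222222"             # constructed subscription ID
SP_OBJECT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"     # constructed SPN object ID
OTHER_USER_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"    # constructed, someone else
SAMPLE_ASSIGNMENTS = [
    {"principalId": SP_OBJECT_ID, "principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB2}/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp01"},
    {"principalId": SP_OBJECT_ID, "principalType": "ServicePrincipal", "roleDefinitionName": "Key Vault Secrets User",
     "scope": f"/subscriptions/{SUB2}/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
    {"principalId": SP_OBJECT_ID, "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB2}/resourceGroups/rg-data"},
    {"principalId": OTHER_USER_ID, "principalType": "User", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB2}"},
]


if __name__ == "__main__":
    for kind, entries in summarize_access(SAMPLE_ASSIGNMENTS, SP_OBJECT_ID).items():
        for e in entries:
            print(f"{kind:<14} {e['role']:<24} {e['target']}")
```

Run it against real data by replacing SAMPLE_ASSIGNMENTS with fetch_assignments(sub_id, app_id) and passing the SPN's object ID (az ad sp show --id <appId> --query id -o tsv) as principal_id; loop over az account list --query "[].id" -o tsv to cover every subscription the login returned.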