How to find the list of individual resources that have access to a given SPN?

Time:10-22

When I log in with az login using a service principal,

e.g. az login --service-principal -u "12121" -p "1212" --tenant "12121"

it will show the list of all subscriptions it has access to, like

[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "123",
    "id": "215645",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Sub1",
    "state": "Enabled",
    "tenantId": "123",
    "user": {
      "name": "123456",
      "type": "servicePrincipal"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "123",
    "id": "rr",
    "isDefault": false,
    "managedByTenants": [
      {
        "tenantId": "123"
      }
    ],
    "name": "Sub2",
    "state": "Enabled",
    "tenantId": "123",
    "user": {
      "name": "123456",
      "type": "servicePrincipal"
    }
  },
...
...
]

Among the list, for some subscriptions the SPN has direct Reader access (RBAC) at the subscription level. But for other subscriptions (let's say sub2) the access is not given directly at the subscription level; instead the access has been given at the resource level.

Question: How do I get the list of all resources within sub2 that the service principal has been granted access to? In other words, I have to find (list) what kind of access the service principal has been assigned on any/all resources within sub2.

I know the Azure CLI is doing this behind the scenes to retrieve this information. That's why it can show the list of all subscriptions after a successful login. But I don't know what that is.

Is there any CLI command or Graph API to retrieve that information?

P.S.: I don't know the scope or resource where the SPN is assigned, either.

CodePudding user response:

If you want to list the role assignments for a specific user, you can use the az role assignment list command.

az role assignment list --assignee {assignee}

Note: To view role assignments for the current subscription and below, add the --all parameter:

az role assignment list --assignee {assignee} --all

If you are already logged in with the service principal, you can omit the --assignee parameter.
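To make the answer above concrete for the asker's situation (an SPN with Reader at subscription scope in one subscription and only resource-level grants in another), here is an added example, not part of the original question or answer. It builds the per-subscription `az role assignment list --all` commands and then classifies the JSON that command emits by the ARM scope each assignment was granted at, so subscription-, resource-group- and resource-level grants can be told apart. The subscription IDs, resource names and role names in the sample output are constructed placeholders (two reuse the "215645" and "rr" IDs from the login output in the question); the field names (`principalId`, `principalType`, `roleDefinitionName`, `scope`) are those of the real CLI output.

```python
"""Classify `az role assignment list --all -o json` output by ARM scope level.

Added illustration for the answer above; not code from the original post.
Sample data below is constructed.  The `user.name` value shown by `az login`
for a service principal is its appId, which `--assignee` accepts directly.
"""
import json
import re
import shlex

# ARM scope grammar, most specific match first.  Case-insensitive because
# ARM treats scope path segments case-insensitively.
_RESOURCE_RE = re.compile(r"^/subscriptions/[^/]+/(resourceGroups/[^/]+/)?providers/.+$", re.I)
_RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)
_SUB_RE = re.compile(r"^/subscriptions/[^/]+$", re.I)
_MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)

LEVELS = ("root", "managementGroup", "subscription", "resourceGroup", "resource")


def scope_level(scope: str) -> str:
    """Return which level of the ARM hierarchy a role-assignment scope sits at."""
    if scope == "/":
        return "root"
    if _MG_RE.match(scope):
        return "managementGroup"
    if _SUB_RE.match(scope):
        return "subscription"
    if _RG_RE.match(scope):
        return "resourceGroup"
    if _RESOURCE_RE.match(scope):
        return "resource"
    raise ValueError(f"unrecognised ARM scope: {scope}")


def build_commands(assignee: str, subscription_ids: list) -> list:
    """One `az role assignment list` invocation per subscription.

    Without --all only subscription-scope assignments are returned, which is
    exactly why resource-level grants in "sub2" would otherwise be invisible.
    --include-inherited adds assignments from parent scopes (management
    groups, root) that also apply inside the subscription.
    """
    return [
        "az role assignment list --assignee {a} --all --include-inherited "
        "--subscription {s} -o json".format(a=shlex.quote(assignee), s=shlex.quote(sid))
        for sid in subscription_ids
    ]


def summarize(assignments: list) -> dict:
    """Group assignments by scope level; each entry keeps role name and scope."""
    out = {level: [] for level in LEVELS}
    for a in assignments:
        out[scope_level(a["scope"])].append({"role": a["roleDefinitionName"], "scope": a["scope"]})
    return out


def in_subscription(assignments: list, subscription_id: str) -> list:
    """Assignments whose scope lies at or below the given subscription."""
    prefix = f"/subscriptions/{subscription_id}".lower()
    return [a for a in assignments if a["scope"].lower() == prefix or a["scope"].lower().startswith(prefix + "/")]


# Constructed stand-in for the merged JSON output of the commands above.
SAMPLE_OUTPUT = json.dumps([
    {"principalId": "00000000-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/215645"},
    {"principalId": "00000000-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/rr/resourceGroups/rg-app"},
    {"principalId": "00000000-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User",
     "scope": "/subscriptions/rr/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
    {"principalId": "00000000-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/rr/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata01"},
])


def load_sample() -> list:
    return json.loads(SAMPLE_OUTPUT)


if __name__ == "__main__":
    for cmd in build_commands("12121", ["215645", "rr"]):
        print(cmd)
    for level, items in summarize(in_subscription(load_sample(), "rr")).items():
        for item in items:
            print(f"{level:15} {item['role']:28} {item['scope']}")
```

Run the printed commands with the SPN's own credentials after `az login`, concatenate the JSON arrays, and feed them to `summarize`; every entry under `resource` is a resource the SPN can reach in that subscription, and the `role` column is the kind of access it has there.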
