Search code examples
pythonazureazure-sdk-python

Azure Python SDK: Get Role Assignment Type (eligible vs active)


Using the Azure Python SDK, for each role assignment to a resource, I want to get the assignment type i.e. eligible assignment or active assignment.

The RoleAssignment Class does not provide this information.

Using the Azure Portal, going to PIM -> Azure resources -> (Selecting a resource) -> Assignments, I get a tab "Eligible assignments" and "Active assignment":

Assignment Tabs

I searched through all relevant Azure Python SDK services but could not find one, that provides me the type of an assignment (eligible vs active).

Alternative: If there is no solution provided with Azure Python SDK, is there an API endpoint provided that kind of information?


Solution

  • You need to use two separate API endpoints to get eligible and active role assignments of Azure resources.

    Eligible role assignments:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01
    

    Active Role assignments:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01
    

    I have one storage account with below Eligible role assignments:

    enter image description here

    To get eligible role assignments of this storage account, I ran below python code and got results successfully:

    from azure.identity import ClientSecretCredential
    import requests
    
    # Replace with your actual values
    tenant_id = "tenantID"
    client_id = "appID"
    client_secret = "secret"
    
    # Replace with your actual URL
    url = "https://management.azure.com/subscriptions/<subId>/resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/sristorageacc11/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01"
    
    # Create a ClientSecretCredential instance
    credential = ClientSecretCredential(
        tenant_id=tenant_id,
        client_id=client_id,
        client_secret=client_secret
    )
    
    # Get the access token for the Azure Management API
    token = credential.get_token("https://management.azure.com/.default")
    
    headers = {
        "Authorization": "Bearer " + token.token,
        "Content-Type": "application/json"
    }
    
    response = requests.get(url, headers=headers)
    
    if response.status_code == 200:
        data = response.json()
        
        for item in data["value"]:
            principal_display_name = item["properties"]["expandedProperties"]["principal"]["displayName"]
            role_definition_display_name = item["properties"]["expandedProperties"]["roleDefinition"]["displayName"]
            principal_type = item["properties"]["expandedProperties"]["principal"]["type"]
    
            print("Principal Display Name:", principal_display_name)
            print("Principal Type:", principal_type)
            print("Role Definition Display Name:", role_definition_display_name)
            print("-" * 50)  # Separating lines for clarity   
    else:
        print("Request failed with status code:", response.status_code)
        print("Response content:", response.content)
    

    Response:

    enter image description here

    Similarly, I have below Active role assignments for that storage account:

    enter image description here

    To get active role assignments of this storage account, I ran below python code by changing URL and got results successfully:

    from azure.identity import ClientSecretCredential
    import requests
    
    # Replace with your actual values
    tenant_id = "tenantID"
    client_id = "appID"
    client_secret = "secret"
    
    # Replace with your actual URL
    url = "https://management.azure.com/subscriptions/<subId>/resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/sristorageacc11/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01"
    
    # Create a ClientSecretCredential instance
    credential = ClientSecretCredential(
        tenant_id=tenant_id,
        client_id=client_id,
        client_secret=client_secret
    )
    
    # Get the access token for the Azure Management API
    token = credential.get_token("https://management.azure.com/.default")
    
    headers = {
        "Authorization": "Bearer " + token.token,
        "Content-Type": "application/json"
    }
    
    response = requests.get(url, headers=headers)
    
    if response.status_code == 200:
        data = response.json()
        
        for item in data["value"]:
            principal_display_name = item["properties"]["expandedProperties"]["principal"]["displayName"]
            role_definition_display_name = item["properties"]["expandedProperties"]["roleDefinition"]["displayName"]
            principal_type = item["properties"]["expandedProperties"]["principal"]["type"]
    
            print("Principal Display Name:", principal_display_name)
            print("Principal Type:", principal_type)
            print("Role Definition Display Name:", role_definition_display_name)
            print("-" * 50)  # Separating lines for clarity   
    else:
        print("Request failed with status code:", response.status_code)
        print("Response content:", response.content)
    

    Response:

    enter image description here