PHPFixing
Tuesday, June 28, 2022

[FIXED] How to find the list of individual resources that have access to a given SPN?

 June 28, 2022     azure, graph, rbac     No comments   

Issue

When I log in with a service principal using az login,

e.g. az login --service-principal -u "12121" -p "1212" --tenant "12121"

it shows the list of all subscriptions it has access to, like:

[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "123",
    "id": "215645",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Sub1",
    "state": "Enabled",
    "tenantId": "123",
    "user": {
      "name": "123456",
      "type": "servicePrincipal"
    }
  },
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "123",
    "id": "rr",
    "isDefault": false,
    "managedByTenants": [
      {
        "tenantId": "123"
      }
    ],
    "name": "Sub2",
    "state": "Enabled",
    "tenantId": "123",
    "user": {
      "name": "123456",
      "type": "servicePrincipal"
    }
  },
...
...
]

Among the list, for some subscriptions the SPN has direct Reader access (RBAC) at the subscription level. But for other subscriptions (let's say Sub2) the access is not given directly at the subscription level; instead it has been given at the resource level.

Question: How do I get the list of all resources within Sub2 to which the service principal has been given access? In other words, I have to find (list) what kind of access the service principal has been assigned on any/all of the resources within Sub2.

I know the Azure CLI does this behind the scenes to retrieve this information; that's why it can show the list of all subscriptions after a successful login. But I don't know what that is.

Is there any CLI command or Graph API to retrieve that information?

P.S.: I don't know the scope or resource the SPN is assigned to.


Solution

If you want to list the role assignments for a specific user, you can use the az role assignment list command.

az role assignment list --assignee {assignee}

Note: To view role assignments for the current subscription and below, add the --all parameter:

az role assignment list --assignee {assignee} --all

If you are already logged in with the service principal, you can omit the --assignee parameter.



Answered By - Martin Brandl
Answer Checked By - Candace Johnson (PHPFixing Volunteer)
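An added example (not part of the question or of Martin Brandl's answer) that post-processes the JSON from `az role assignment list --assignee <appId> --all -o json` to answer the poster's actual question: which grants in a given subscription sit below subscription scope, and on what. The sample output, subscription IDs and resource names are constructed; the command is run once per subscription (the CLI's global `--subscription` argument) and each result fed in.

```python
import json
import re

# Constructed sample in the shape of `az role assignment list --assignee <appId> --all -o json`.
# Subscription IDs, resource groups and resource names are placeholders, not real tenant data.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"roleDefinitionName": "Reader", "principalType": "ServicePrincipal",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"roleDefinitionName": "Contributor", "principalType": "ServicePrincipal",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-app"},
    {"roleDefinitionName": "Storage Blob Data Reader", "principalType": "ServicePrincipal",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-app"
              "/providers/Microsoft.Storage/storageAccounts/stappdata01"},
    {"roleDefinitionName": "Key Vault Secrets User", "principalType": "ServicePrincipal",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-sec"
              "/providers/Microsoft.KeyVault/vaults/kv-app"},
])

# ARM scope format: /subscriptions/{sub}[/resourceGroups/{rg}[/providers/{ns}/{type}/{name}[...]]]
SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourceGroups/(?P<rg>[^/]+)"
    r"(?:/providers/(?P<provider>[^/]+)/(?P<rtype>[^/]+)/(?P<name>[^/]+).*)?)?/?$",
    re.IGNORECASE,
)

def classify_scope(scope):
    """Return (level, subscription_id); level is 'subscription', 'resourceGroup',
    'resource' (including nested child resources) or 'other' (e.g. management groups)."""
    m = SCOPE_RE.match(scope)
    if not m:
        return "other", None
    if m.group("name"):
        return "resource", m.group("sub")
    if m.group("rg"):
        return "resourceGroup", m.group("sub")
    return "subscription", m.group("sub")

def summarize_assignments(az_json):
    """Group (role, scope) pairs per subscription and scope level."""
    summary = {}
    for a in json.loads(az_json):
        level, sub = classify_scope(a["scope"])
        summary.setdefault(sub, {}).setdefault(level, []).append(
            (a["roleDefinitionName"], a["scope"]))
    return summary

def resource_level_grants(az_json, subscription_id):
    """Roles the principal holds below subscription scope in one subscription (the Sub2 case)."""
    per_level = summarize_assignments(az_json).get(subscription_id, {})
    return per_level.get("resourceGroup", []) + per_level.get("resource", [])
```

Grants that appear only at the subscription level (the Sub1 case) show up under the "subscription" key of the summary; anything under "resourceGroup" or "resource" is the resource-scoped access the poster was trying to enumerate.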