Azure Python SDK: Get Role Assignment Type (eligible vs active)

Question


Using the Azure Python SDK, for each role assignment to a resource, I want to get the assignment type, i.e. eligible assignment or active assignment.

The RoleAssignment class does not provide this information.

Using the Azure Portal, going to PIM -> Azure resources -> (Selecting a resource) -> Assignments, I get the tabs "Eligible assignments" and "Active assignments":

[Screenshot: PIM Assignments page for the resource, showing the "Eligible assignments" and "Active assignments" tabs]

I searched through all relevant Azure Python SDK services but could not find one that provides me the type of an assignment (eligible vs active).

Alternative: If there is no solution provided with the Azure Python SDK, is there an API endpoint that provides that kind of information?

Answer 1

Score: 1


You need to use two separate API endpoints to get eligible and active role assignments of Azure resources.

Eligible role assignments:

GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01

Active role assignments:

GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01

I have one storage account with the eligible role assignments below:

[Screenshot: "Eligible assignments" tab of the storage account in PIM]

To get the eligible role assignments of this storage account, I ran the Python code below and got results successfully:

from azure.identity import ClientSecretCredential
import requests

# Replace with your actual values
tenant_id = "tenantID"
client_id = "appID"
client_secret = "secret"

# Replace with your actual URL
url = "https://management.azure.com/subscriptions/<subId>/resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/sristorageacc11/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01"

# Create a ClientSecretCredential instance
credential = ClientSecretCredential(
    tenant_id=tenant_id,
    client_id=client_id,
    client_secret=client_secret
)

# Get the access token for the Azure Management API
token = credential.get_token("https://management.azure.com/.default")

headers = {
    "Authorization": "Bearer " + token.token,
    "Content-Type": "application/json"
}

response = requests.get(url, headers=headers)

if response.status_code == 200:
    data = response.json()

    for item in data["value"]:
        principal_display_name = item["properties"]["expandedProperties"]["principal"]["displayName"]
        role_definition_display_name = item["properties"]["expandedProperties"]["roleDefinition"]["displayName"]
        principal_type = item["properties"]["expandedProperties"]["principal"]["type"]

        print("Principal Display Name:", principal_display_name)
        print("Principal Type:", principal_type)
        print("Role Definition Display Name:", role_definition_display_name)
        print("-" * 50)  # Separating line for clarity
else:
    print("Request failed with status code:", response.status_code)
    print("Response content:", response.content)

Response:

[Screenshot: script output listing the eligible assignments]

Similarly, I have the active role assignments below for that storage account:

[Screenshot: "Active assignments" tab of the storage account in PIM]

To get the active role assignments of this storage account, I ran the Python code below, changing only the URL, and got results successfully:

from azure.identity import ClientSecretCredential
import requests

# Replace with your actual values
tenant_id = "tenantID"
client_id = "appID"
client_secret = "secret"

# Replace with your actual URL
url = "https://management.azure.com/subscriptions/<subId>/resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/sristorageacc11/providers/Microsoft.Authorization/roleAssignmentScheduleInstances?api-version=2020-10-01"

# Create a ClientSecretCredential instance
credential = ClientSecretCredential(
    tenant_id=tenant_id,
    client_id=client_id,
    client_secret=client_secret
)

# Get the access token for the Azure Management API
token = credential.get_token("https://management.azure.com/.default")

headers = {
    "Authorization": "Bearer " + token.token,
    "Content-Type": "application/json"
}

response = requests.get(url, headers=headers)

if response.status_code == 200:
    data = response.json()

    for item in data["value"]:
        principal_display_name = item["properties"]["expandedProperties"]["principal"]["displayName"]
        role_definition_display_name = item["properties"]["expandedProperties"]["roleDefinition"]["displayName"]
        principal_type = item["properties"]["expandedProperties"]["principal"]["type"]

        print("Principal Display Name:", principal_display_name)
        print("Principal Type:", principal_type)
        print("Role Definition Display Name:", role_definition_display_name)
        print("-" * 50)  # Separating line for clarity
else:
    print("Request failed with status code:", response.status_code)
    print("Response content:", response.content)

Response:

[Screenshot: script output listing the active assignments]
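As an added example (not code from the question or the answer above), the following puts the two endpoints from the answer behind one function that labels every row "Eligible" or "Active", follows ARM's `nextLink` pagination (the answer's loop reads only the first page of `value`), and surfaces the fields an access reviewer wants alongside the display names: `status`, `endDateTime` (an active instance with no end time is a standing, non-time-bound assignment) and, on active instances, the `assignmentType` property ("Activated" via PIM or directly "Assigned"). The subscription id, resource group, storage account name and all principals are constructed sample values; `arm_fetcher` is the only part that talks to Azure and is not exercised by the offline demo.

```python
from typing import Callable, Iterable, List

ARM = "https://management.azure.com"
API_VERSION = "2020-10-01"
# The two collections behind the PIM "Eligible" and "Active" tabs, as named in the answer.
KINDS = (("Eligible", "roleEligibilityScheduleInstances"),
         ("Active", "roleAssignmentScheduleInstances"))


def pim_url(scope: str, resource_type: str) -> str:
    """Build the ARM list URL for one PIM schedule-instance collection under a scope."""
    return (f"{ARM}/{scope.strip('/')}/providers/Microsoft.Authorization/"
            f"{resource_type}?api-version={API_VERSION}")


def iter_items(get_json: Callable[[str], dict], url: str) -> Iterable[dict]:
    """Yield every element of 'value', following 'nextLink' until the last page."""
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def summarize(item: dict, assignment_type: str) -> dict:
    """Flatten one schedule instance into the fields an access review cares about."""
    props = item["properties"]
    exp = props.get("expandedProperties", {})
    return {
        "assignmentType": assignment_type,
        "principal": exp.get("principal", {}).get("displayName"),
        "principalType": exp.get("principal", {}).get("type"),
        "role": exp.get("roleDefinition", {}).get("displayName"),
        "status": props.get("status"),
        "endDateTime": props.get("endDateTime"),
        # No end time on an active instance means a standing, non-expiring assignment.
        "permanent": props.get("endDateTime") is None,
        # Present on active instances only: "Activated" (from eligibility) or "Assigned".
        "activeVia": props.get("assignmentType"),
    }


def list_pim_assignments(get_json: Callable[[str], dict], scope: str) -> List[dict]:
    """Query both collections for a scope and return labelled, flattened rows."""
    rows = []
    for label, resource_type in KINDS:
        for item in iter_items(get_json, pim_url(scope, resource_type)):
            rows.append(summarize(item, label))
    return rows


def arm_fetcher(credential) -> Callable[[str], dict]:
    """Return a get_json() bound to an azure.identity credential (the network path)."""
    import requests  # imported lazily so the offline demo below needs no extras

    def get_json(url: str) -> dict:
        token = credential.get_token("https://management.azure.com/.default").token
        resp = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=30)
        resp.raise_for_status()
        return resp.json()
    return get_json


# --- constructed sample data standing in for ARM responses (not a real tenant) ---
SCOPE = ("subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/"
         "providers/Microsoft.Storage/storageAccounts/stdemo")


def _item(name, ptype, role, status, end, active_via=None):
    props = {"status": status, "endDateTime": end,
             "expandedProperties": {"principal": {"displayName": name, "type": ptype},
                                    "roleDefinition": {"displayName": role}}}
    if active_via:
        props["assignmentType"] = active_via
    return {"properties": props}


ELIGIBLE_URL = pim_url(SCOPE, KINDS[0][1])
ACTIVE_URL = pim_url(SCOPE, KINDS[1][1])
SAMPLE_PAGES = {
    # Eligible results split over two pages to exercise nextLink handling.
    ELIGIBLE_URL: {"value": [_item("Alice", "User", "Storage Blob Data Reader",
                                   "Provisioned", "2024-01-31T00:00:00Z")],
                   "nextLink": ELIGIBLE_URL + "&$skipToken=page2"},
    ELIGIBLE_URL + "&$skipToken=page2": {"value": [_item("sec-ops", "Group", "Contributor",
                                                         "Provisioned", "2024-06-30T00:00:00Z")]},
    ACTIVE_URL: {"value": [
        _item("Alice", "User", "Storage Blob Data Reader", "Provisioned",
              "2023-08-10T09:00:00Z", "Activated"),
        _item("ci-pipeline", "ServicePrincipal", "Contributor", "Provisioned", None, "Assigned"),
    ]},
}


def sample_get_json(url: str) -> dict:
    """Offline stand-in for arm_fetcher(): serve the constructed pages by URL."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # Against a real tenant: list_pim_assignments(arm_fetcher(ClientSecretCredential(...)), scope)
    for row in list_pim_assignments(sample_get_json, SCOPE):
        print(row)
```

Passing the fetcher in as a callable keeps the parsing testable without a tenant and lets the same code run against a real subscription by swapping in `arm_fetcher(credential)`. Rows with `permanent` set on the Active side are the ones a least-privilege review usually wants to turn into eligible assignments.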

huangapple
  • Posted on 2023-08-10 23:47:53
  • When reposting, please keep this link: https://go.coder-hub.com/76877362.html