quickstart-role-assignments-bicep.md

File metadata and controls

106 lines (69 loc) · 4.38 KB
---
title: "Quickstart: Assign an Azure role using Bicep - Azure RBAC"
description: Learn how to grant access to Azure resources for a user at resource group scope using Bicep and Azure role-based access control (Azure RBAC).
services: role-based-access-control,azure-resource-manager
author: rolyon
manager: amycolannino
ms.service: role-based-access-control
ms.topic: quickstart
ms.custom: subject-armqs, mode-arm, devx-track-bicep
ms.date: 12/01/2023
ms.author: rolyon
---

# Quickstart: Assign an Azure role using Bicep

Azure role-based access control (Azure RBAC) is the way that you manage access to Azure resources. In this quickstart, you create a resource group and grant a user access to create and manage virtual machines in the resource group. This quickstart uses Bicep to grant the access.

[!INCLUDE About Bicep]

## Prerequisites

To assign Azure roles and remove role assignments, you must have:

- If you don't have an Azure subscription, create a free account before you begin.
- `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` permissions, such as Role Based Access Control Administrator.
- To assign a role, you must specify three elements: security principal, role definition, and scope. For this quickstart, the security principal is you or another user in your directory, the role definition is Virtual Machine Contributor, and the scope is a resource group that you specify.

## Review the Bicep file

The Bicep file used in this quickstart is from Azure Quickstart Templates. The Bicep file has two parameters and a resources section. In the resources section, notice that it has the three elements of a role assignment: security principal, role definition, and scope.
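To make those three elements concrete before you open the template, here is a minimal Bicep file written for this article as an illustration; it is not the Azure Quickstart Templates `main.bicep` that the deployment commands use, although it takes the same two parameters (`roleDefinitionID` and `principalId`). The `principalType` parameter and the deterministic `guid()` name are additions that a practitioner would normally want and are not claimed to be in the quickstart template.

```bicep
// Added illustration, not the Azure Quickstart Templates main.bicep deployed in this quickstart.
// Deployed at resource group scope, so the role assignment's scope is the target resource group.
targetScope = 'resourceGroup'

@description('Object ID of the user (the security principal) that receives the role. Placeholder: supply your own.')
param principalId string

@description('GUID of the built-in role definition. Default is Virtual Machine Contributor, as used in this quickstart.')
param roleDefinitionID string = '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'

@description('Type of the principal. Stating it lets Azure RBAC skip the directory lookup that can fail for a principal created moments earlier.')
@allowed([
  'User'
  'Group'
  'ServicePrincipal'
])
param principalType string = 'User'

// Role definition: built-in roles are subscription-level resources, so reference the full resource ID.
var roleDefinitionResourceId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionID)

// Scope: implicit, the resource group this file is deployed to.
// A role assignment's name must be a GUID. Deriving it from scope, principal and role makes
// redeployment idempotent instead of creating a duplicate assignment on every run. Assignments
// are immutable, so changing the principal or role means deleting and creating a new one.
resource vmContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, principalId, roleDefinitionID)
  properties: {
    principalId: principalId
    roleDefinitionId: roleDefinitionResourceId
    principalType: principalType
  }
}

// Expose the assignment's resource ID so it can be matched against `az role assignment list` output.
output roleAssignmentId string = vmContributorAssignment.id
```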

:::code language="bicep" source="~/quickstart-templates/quickstarts/microsoft.authorization/rbac-builtinrole-resourcegroup/main.bicep":::

The resource defined in the Bicep file is:

- `Microsoft.Authorization/roleAssignments`

## Deploy the Bicep file

1. Save the Bicep file as main.bicep to your local computer.

2. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

   Azure CLI:

   ```azurecli
   az group create --name exampleRG --location eastus
   az deployment group create --resource-group exampleRG --template-file main.bicep --parameters roleDefinitionID=9980e02c-c2be-4d73-94e8-173b1dc7cf3c principalId=<principal-id>
   ```

   Azure PowerShell:

   ```azurepowershell
   New-AzResourceGroup -Name exampleRG -Location eastus
   New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -roleDefinitionID "9980e02c-c2be-4d73-94e8-173b1dc7cf3c" -principalId "<principal-id>"
   ```

> [!NOTE]
> Replace `<principal-id>` with the object ID of the user (the security principal) that receives the role.

When the deployment finishes, you should see a message indicating the deployment succeeded.

## Review deployed resources

Use the Azure portal, Azure CLI, or Azure PowerShell to list the role assignments in the resource group and confirm that the deployed assignment is present.

```azurecli
az role assignment list --resource-group exampleRG
```

```azurepowershell
Get-AzRoleAssignment -ResourceGroupName exampleRG
```

## Clean up resources

When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to remove the role assignment. For more information, see Remove Azure role assignments.

Use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group.

```azurecli
az group delete --name exampleRG
```

```azurepowershell
Remove-AzResourceGroup -Name exampleRG
```

## Next steps

> [!div class="nextstepaction"]
> Tutorial: Grant a user access to Azure resources using Azure PowerShell