如何使用RBAC API获取所有角色分配的列表

Question

我正在向以下API发出GET请求

https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleAssignments?api-version=2017-10-01-preview

这给了我以下的响应格式

{
            "properties": {
                "roleDefinitionId": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                "principalId": "fdef6f38-b48f-4358-8482-b243ea935082",
                "principalType": "User",
                "scope": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/resourceGroups/GE-RGrp-Kentico",
                "createdOn": "2017-08-21T11:38:53.7973201Z",
                "updatedOn": "2017-08-21T11:38:53.7973201Z",
                "createdBy": "f418e9e8-becc-41d8-ab47-66a4c50403b5",
                "updatedBy": "f418e9e8-becc-41d8-ab47-66a4c50403b5"
            },
            "id": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/resourceGroups/GE-RGrp-Kentico/providers/Microsoft.Authorization/roleAssignments/5e6caac9-c5fd-42f0-86c6-9e96b127be51",
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "5e6caac9-c5fd-42f0-86c6-9e96b127be51"
        }

但是,当我执行CLI调用时,我会得到以下响应

> az  role assignment list

{
    "id": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleAssignments/4096c146-b6f8-4f92-a700-a47742a5b321",
    "name": "4096c146-b6f8-4f92-a700-a47742a5b321",
    "properties": {
      "additionalProperties": {
        "createdBy": "c2024d65-cf17-45fd-b34b-09cd5c21cac7",
        "createdOn": "2017-11-07T22:03:12.4998370Z",
        "updatedBy": "c2024d65-cf17-45fd-b34b-09cd5c21cac7",
        "updatedOn": "2017-11-07T22:03:12.4998370Z"
      },
      "principalId": "780925c0-a487-4529-9eb2-837aa67a4d8a",
      "principalName": "xcavanap@genesisenergy.co.nz",
      "roleDefinitionId": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
      "roleDefinitionName": "Security Admin",
      "scope": "/subscriptions/5a9c0639-4045-4c23-8418-fc091e8d1e31"
    },

上面的回应确实有

"roleDefinitionName": "Security Admin"

但我希望通过API获得相同的响应,请帮助!!

Answer 1

根据角色分配 - 列表 REST API，响应中没有 roleDefinitionName。您可以向 azure 团队提供反馈。如果想要获取 roleDefinitionName，我们可以使用Role Definitions - Get By Id来做到这一点。

{
  "value": [
    {
      "properties": {
        "roleDefinitionId": "/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/roledefinitionId",
        "principalId": "Pid",
        "scope": "/subscriptions/subId/resourcegroups/rgname"
      },
      "id": "/subscriptions/subId/resourcegroups/rgname/providers/Microsoft.Authorization/roleAssignments/roleassignmentId",
      "type": "Microsoft.Authorization/roleAssignments",
      "name": "raId"
    }
  ]
}

更新：

不幸的是，角色分配 - 列表 REST API响应中没有 roleDefinitionName 和principalName 。

对于“ principalName ”，我们可以使用服务主体 - 获取REST API 来获取它。objectId值是您从角色分配 - 列表 REST API获取的principalId

更新2：

graph.windows.net 的访问令牌似乎与 management.azure.com 不同？我如何找到图表的标记？

获取的访问令牌资源应该是https://graph.windows.net 以下是获取访问令牌的c#代码演示

string authority = "https://login.microsoftonline.com/{0}";
string graphResourceId = "https://graph.windows.net";
string tenantId = "tenantId";
string clientId = "clientId";
string secretKey = "secretKey";
authority = String.Format(authority, tenantId);
AuthenticationContext authContext = new AuthenticationContext(authority);
var accessToken = authContext.AcquireTokenAsync(graphResourceId, new ClientCredential(clientId, secretKey)).Result.AccessToken;

注意： 您还需要在azure门户中授予Windows Azure Active Directory的[读取目录数据]权限