azure – What is the Default RBAC Scope Used When Assigning a Role in Azure with the CLI?

azureazure-clientra-id

This is the documentation for the az role assignment create command: https://docs.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create

--score is an optional parameter. This is what the documentation says about it:

Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

As you can see, it doesn't say what the default value for this parameter is. I can't find it anywhere, so I found myself forced to ask here.

Best Answer

https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli#step-4-assign-role

Apparently, when the --scope parameter is not provided its value depends on whether the --resource-group parameter is provided or not. If you provide that parameter, then it's like if you specified the resource group scope. Else, the subscription scope is assumed.

Related Solutions

Azure – Entity Not Found error while creating an OS disk from a Snapshot in different location in Azure

Creating a disk from a Snapshot in different location does not support on Azure.

You should copy the snapshot to westus2 storage account, then you could create a snapshot in westus2 from the storage account. You could use the following scripts to do this.

##generate SAS URI for a managed snapsho
sasExpiryDuration=1800
sas=$(az snapshot grant-access --resource-group $resourceGroupName --name $snapshotName --duration-in-seconds $sasExpiryDuration --query [accessSas] -o tsv)

##create storage account in westus2 and get the storage account key
##copy the snapshot to a storage account using SAS URI.
az storage blob copy start --destination-blob $destinationVHDFileName --destination-container $storageContainerName --account-name $storageAccountName --account-key $storageAccountKey --source-uri $sas

##wait for a moment after the copy finished
az snapshot create -g MyResourceGroup -n MySnapshot --source https://vhd1234.blob.core.windows.net/vhds/osdisk1234.vhd

Just an example below, it works for me.

sasExpiryDuration=1800
sas=$(az snapshot grant-access --resource-group shui2 --name shui --duration-in-seconds $sasExpiryDuration --query [accessSas] -o tsv)
az storage blob copy start --destination-blob shuitest.vhd --destination-container vhds --account-name shui123 --account-key ****** --source-uri $sas
az snapshot create -g shui3 -n shui2 --source https://shui123.blob.core.windows.net/vhds/shuitest.vhd

Azure CLI – Troubleshooting Role Creation Issues

From the look of it you are not assigning role to anything and the syntax might also be wrong.

az ad sp create-for-rbac -n "MyApp" --role contributor --scopes /subscriptions/{SubID}

Hope this helps.

Best Answer

Related Solutions

Azure – Entity Not Found error while creating an OS disk from a Snapshot in different location in Azure

Azure CLI – Troubleshooting Role Creation Issues

Related Topic