az keyvault role assignment

Manage role assignments.

Commands

az keyvault role assignment create

Create a new role assignment for a user, group, or service principal.

az keyvault role assignment delete

Delete a role assignment.

az keyvault role assignment list

List role assignments.

az keyvault role assignment create

Create a new role assignment for a user, group, or service principal.

az keyvault role assignment create --role
                                   --scope
                                   [--assignee]
                                   [--assignee-object-id]
                                   [--assignee-principal-type {Application, DirectoryObjectOrGroup, DirectoryRoleTemplate, Everyone, ForeignGroup, Group, MSI, ServicePrincipal, Unknown, User}]
                                   [--hsm-name]
                                   [--id]
                                   [--name]
                                   [--subscription]

Required Parameters

--role

Role name or id.

--scope

Scope at which the role assignment or definition applies, e.g., "/" or "/keys" or "/keys/{keyname}".

Optional Parameters

--assignee

Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--assignee-principal-type -t

The principal type of assignee.

Accepted values: Application, DirectoryObjectOrGroup, DirectoryRoleTemplate, Everyone, ForeignGroup, Group, MSI, ServicePrincipal, Unknown, User

--hsm-name

Name of the HSM.

--id

Id of the HSM. If specified, all other 'Id' arguments should be omitted.

--name -n

Name of the role assignment.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
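The following wrapper is an added example, not part of the Azure CLI or its documentation. It classifies a --scope value against the three documented forms and refuses the broad ones ("/" and "/keys") unless explicitly overridden, then builds the create command using --assignee-object-id. The helper names classify_scope and grant_hsm_role, the HSM name ContosoHSM, the key name, the all-zero object id and the key-name character rule are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: least-privilege guard around `az keyvault role assignment create`.
# classify_scope and grant_hsm_role are hypothetical helper names.

# Map a scope to its breadth; fail on anything outside the three documented
# forms "/", "/keys" and "/keys/{keyname}".
classify_scope() {
  case "$1" in
    /)      echo hsm-wide ;;
    /keys)  echo all-keys ;;
    /keys/*)
      key=${1#/keys/}
      # Assumption: key names are non-empty and use letters, digits, hyphens.
      case "$key" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
        *) echo single-key ;;
      esac ;;
    *) return 1 ;;
  esac
}

# grant_hsm_role HSM ROLE SCOPE OBJECT_ID PRINCIPAL_TYPE
# Returns 2 for a malformed scope, 3 for a broad scope without ALLOW_BROAD=1.
# DRY_RUN=1 prints the command instead of running it.
grant_hsm_role() {
  hsm=$1 role=$2 scope=$3 oid=$4 ptype=$5
  kind=$(classify_scope "$scope") || {
    echo "invalid scope: $scope" >&2; return 2; }
  if [ "$kind" != single-key ] && [ "${ALLOW_BROAD:-0}" != 1 ]; then
    echo "refusing $kind scope '$scope'; set ALLOW_BROAD=1 to override" >&2
    return 3
  fi
  # Object id form: per the page, this avoids Graph permission issues.
  set -- az keyvault role assignment create \
    --hsm-name "$hsm" --role "$role" --scope "$scope" \
    --assignee-object-id "$oid" --assignee-principal-type "$ptype"
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample values; the subshell keeps DRY_RUN from leaking out.
( DRY_RUN=1
  grant_hsm_role ContosoHSM "Managed HSM Crypto User" /keys/app-signing \
    00000000-0000-0000-0000-000000000000 ServicePrincipal )
```

The dry-run output joins arguments with spaces for display only; the real invocation passes each argument, including the multi-word role name, as a single quoted word.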

az keyvault role assignment delete

Delete a role assignment.

az keyvault role assignment delete [--assignee]
                                   [--assignee-object-id]
                                   [--hsm-name]
                                   [--id]
                                   [--ids]
                                   [--name]
                                   [--role]
                                   [--scope]
                                   [--subscription]

Optional Parameters

--assignee

Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--hsm-name

Name of the HSM.

--id

Id of the HSM. If specified, all other 'Id' arguments should be omitted.

--ids

Space-separated role assignment ids.

--name -n

Name of the role assignment.

--role

Role name or id.

--scope

Scope at which the role assignment or definition applies, e.g., "/" or "/keys" or "/keys/{keyname}".

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az keyvault role assignment list

List role assignments.

az keyvault role assignment list [--assignee]
                                 [--assignee-object-id]
                                 [--hsm-name]
                                 [--id]
                                 [--query-examples]
                                 [--role]
                                 [--scope]
                                 [--subscription]

Optional Parameters

--assignee

Represents a user, group, or service principal. Supported formats: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass graph permission issues. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--hsm-name

Name of the HSM.

--id

Id of the HSM. If specified, all other 'Id' arguments should be omitted.

--query-examples

Recommends JMESPath query strings. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that suggestions are based on those keywords.

--role

Role name or id.

--scope

Scope at which the role assignment or definition applies, e.g., "/" or "/keys" or "/keys/{keyname}".

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.