List Azure role assignments using Azure CLI

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To determine what resources users, groups, service principals, or managed identities have access to, you list their role assignments. This article describes how to list role assignments using Azure CLI.


Prerequisites

List role assignments for a user

To list the role assignments for a specific user, use az role assignment list:

az role assignment list --assignee {assignee}

By default, only role assignments for the current subscription will be displayed. To view role assignments for the current subscription and below, add the --all parameter. To view inherited role assignments, add the --include-inherited parameter.

The following example lists the role assignments that are assigned directly to the patlong@contoso.com user:

az role assignment list --all --assignee patlong@contoso.com --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
[
  {
    "principalName": "patlong@contoso.com",
    "roleDefinitionName": "Backup Operator",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
  },
  {
    "principalName": "patlong@contoso.com",
    "roleDefinitionName": "Virtual Machine Contributor",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
  }
]

List role assignments for a resource group

To list the role assignments that exist at a resource group scope, use az role assignment list:

az role assignment list --resource-group {resourceGroup}

The following example lists the role assignments for the pharma-sales resource group:

az role assignment list --resource-group pharma-sales --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
[
  {
    "principalName": "patlong@contoso.com",
    "roleDefinitionName": "Backup Operator",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
  },
  {
    "principalName": "patlong@contoso.com",
    "roleDefinitionName": "Virtual Machine Contributor",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"
  },
  ...
]

List role assignments for a subscription

To list all role assignments at a subscription scope, use az role assignment list. To get the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you can use az account list.

az role assignment list --subscription {subscriptionNameOrId}

Example:

az role assignment list --subscription 00000000-0000-0000-0000-000000000000 --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
[
  {
    "principalName": "admin@contoso.com",
    "roleDefinitionName": "Owner",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
  },
  {
    "principalName": "Subscription Admins",
    "roleDefinitionName": "Owner",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
  },
  {
    "principalName": "alain@contoso.com",
    "roleDefinitionName": "Reader",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
  },
  ...
]

List role assignments for a management group

To list all role assignments at a management group scope, use az role assignment list. To get the management group ID, you can find it on the Management groups blade in the Azure portal or you can use az account management-group list.

az role assignment list --scope /providers/Microsoft.Management/managementGroups/{groupId}

Example:

az role assignment list --scope /providers/Microsoft.Management/managementGroups/sales-group --output json --query '[].{principalName:principalName, roleDefinitionName:roleDefinitionName, scope:scope}'
[
  {
    "principalName": "admin@contoso.com",
    "roleDefinitionName": "Owner",
    "scope": "/providers/Microsoft.Management/managementGroups/sales-group"
  },
  {
    "principalName": "alain@contoso.com",
    "roleDefinitionName": "Reader",
    "scope": "/providers/Microsoft.Management/managementGroups/sales-group"
  }
]

List role assignments for a managed identity

  1. Get the principal ID of the system-assigned or user-assigned managed identity.

    To get the principal ID of a user-assigned managed identity, you can use az ad sp list or az identity list.

    az ad sp list --display-name "{name}" --query [].objectId --output tsv
    

    To get the principal ID of a system-assigned managed identity, you can use az ad sp list.

    az ad sp list --display-name "{vmname}" --query [].objectId --output tsv
    
  2. To list the role assignments, use az role assignment list.

    By default, only role assignments for the current subscription will be displayed. To view role assignments for the current subscription and below, add the --all parameter. To view inherited role assignments, add the --include-inherited parameter.

    az role assignment list --assignee {objectId}
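
Every section above runs the same az role assignment list command with a different scope selector (--assignee, --resource-group, --subscription, --scope) and the same --output json --query projection. The following Python script is an added example and is not part of the Azure documentation: it assembles that invocation from the flags used on this page, then triages the JSON the command returns so that high-privilege roles granted at subscription or management group scope stand out for review. The sample output is constructed in the shape of the page's own examples; the build-pipeline-sp principal and the choice of Owner, User Access Administrator and Contributor as the roles to flag are assumptions made for illustration. Calling list_assignments requires a logged-in az CLI; the rest runs offline.

```python
"""Triage `az role assignment list` output for access review.

Added example, not code from the Azure docs page. It builds the CLI
invocation described on the page and classifies the returned JSON so that
broad, highly privileged assignments are surfaced for a reviewer.
"""
import json
import subprocess

# Assumption for this example: built-in roles that grant control-plane or
# access-management power and therefore deserve review at broad scopes.
HIGH_PRIVILEGE_ROLES = {"Owner", "User Access Administrator", "Contributor"}


def build_list_command(assignee=None, resource_group=None, subscription=None,
                       scope=None, include_all=False, include_inherited=False):
    """Return argv for `az role assignment list` using the flags shown on this page."""
    argv = ["az", "role", "assignment", "list", "--output", "json"]
    if assignee:
        argv += ["--assignee", assignee]
    if resource_group:
        argv += ["--resource-group", resource_group]
    if subscription:
        argv += ["--subscription", subscription]
    if scope:
        argv += ["--scope", scope]
    if include_all:
        argv.append("--all")
    if include_inherited:
        argv.append("--include-inherited")
    return argv


def scope_level(scope):
    """Classify an Azure scope string by how much of the hierarchy it covers."""
    parts = [p for p in scope.split("/") if p]
    if parts[:3] == ["providers", "Microsoft.Management", "managementGroups"]:
        return "managementGroup"
    if parts and parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2] == "resourceGroups":
            return "resourceGroup"
        return "resource"
    return "unknown"


def triage(assignments):
    """Group assignments by scope level and flag privileged roles at broad scopes."""
    by_level = {}
    flagged = []
    for a in assignments:
        level = scope_level(a["scope"])
        by_level.setdefault(level, []).append(a)
        broad = level in ("managementGroup", "subscription")
        if broad and a["roleDefinitionName"] in HIGH_PRIVILEGE_ROLES:
            flagged.append(a)
    return {"byLevel": by_level, "flagged": flagged}


def list_assignments(**kwargs):
    """Run the CLI (needs a logged-in `az`) and parse its JSON output."""
    proc = subprocess.run(build_list_command(**kwargs), check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


# Constructed sample output shaped like the page's examples (not real data).
SAMPLE_OUTPUT = json.loads("""[
  {"principalName": "admin@contoso.com", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "alain@contoso.com", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "patlong@contoso.com", "roleDefinitionName": "Backup Operator",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"},
  {"principalName": "build-pipeline-sp", "roleDefinitionName": "Contributor",
   "scope": "/providers/Microsoft.Management/managementGroups/sales-group"}
]""")

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # list_assignments(assignee="patlong@contoso.com", include_all=True)
    # to triage live output from a logged-in CLI.
    for a in triage(SAMPLE_OUTPUT)["flagged"]:
        print(f"REVIEW: {a['principalName']} holds {a['roleDefinitionName']} at {a['scope']}")
```

The scope classifier keys off the path shapes shown in the page's examples (/subscriptions/{id}, .../resourceGroups/{name}, /providers/Microsoft.Management/managementGroups/{id}); anything deeper under a resource group is treated as a single resource. Pair --all with --include-inherited when triaging a principal so that assignments inherited from a management group are not missed.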
    

Next steps