Table: azure_role_assignment - Query Azure Role Assignments using SQL
Azure Role Assignments are a critical component of Azure's access control capabilities. They determine what actions a security principal (like a user, group, or service principal) can perform on a specific Azure resource. Each role assignment is a combination of a security principal, a role definition, and a scope.
Table Usage Guide
The azure_role_assignment
table provides insights into role assignments within Azure. As a security administrator, you can explore details of role assignments through this table, including the assigned roles, the associated security principals, and the scope of the assignments. Use it to monitor and manage access control within your Azure environment, ensuring that only the appropriate users, groups, or service principals have access to specific resources.
Examples
Basic info
Explore which roles are assigned to different principals in your Azure environment. This can help you manage access control and understand who has permissions to what resources, enhancing your security posture.
select name, id, principal_id, principal_typefrom azure_role_assignment;
select name, id, principal_id, principal_typefrom azure_role_assignment;
List of role assignments which has permission at root level
Discover the segments that are assigned roles with root level access. This is useful for auditing security and access controls in your Azure environment.
select name, id, scopefrom azure_role_assignmentwhere scope = '/';
select name, id, scopefrom azure_role_assignmentwhere scope = '/';
List of role assignments which has subscription level permission and full access to the subscription
This query is useful for identifying roles that have full access permissions at the subscription level within your Azure environment. It helps in maintaining security and managing access by revealing potential over-permissions.
select ra.name as roll_assignment_name, rd.role_namefrom azure_role_assignment ra join azure_role_definition rd on ra.role_definition_id = rd.id cross join jsonb_array_elements(rd.permissions) as permwhere ra.scope like '/subscriptions/%' and perm -> 'actions' = '["*"]';
select ra.name as roll_assignment_name, rd.role_namefrom azure_role_assignment ra join azure_role_definition rd on ra.role_definition_id = rd.id, json_each(rd.permissions) as permwhere ra.scope like '/subscriptions/%' and json_extract(perm.value, '$.actions') = '["*"]';
Role assignments at the resource group scope
Retrieve all role assignments that grant permissions at a specific resource group level.
select name, scope, type, principal_id.principal_typefrom azure_role_assignmentwhere scope = '/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/my-rg'
select name, scope, type, principal_id.principal_typefrom azure_role_assignmentwhere scope = '/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/my-rg'
Role assignments at the management group scope
List all role assignments that apply at the management group level, determining access across multiple subscriptions.
select name, scope, type, principal_id.principal_typefrom azure_role_assignmentwhere scope = '/providers/Microsoft.Management/managementGroups/12345678-90ab-cdef-1234-567890abcdef'
select name, scope, type, principal_id.principal_typefrom azure_role_assignmentwhere scope = '/providers/Microsoft.Management/managementGroups/12345678-90ab-cdef-1234-567890abcdef'
Role assignments at the storage account scope
Identify role assignments that provide permissions at a storage account level, enabling access control for storage resources.
select name, scope, type, principal_id.principal_typefrom azure_role_assignmentwhere scope = '/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/nist-test_group/providers/Microsoft.Storage/storageAccounts/testimmutablecontainer'
select name, scope, type, principal_id.principal_typefrom azure_role_assignmentwhere scope = '/subscriptions/abcdef12-3456-7890-abcd-ef1234567890/resourceGroups/nist-test_group/providers/Microsoft.Storage/storageAccounts/testimmutablecontainer'
Schema for azure_role_assignment
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
cloud_environment | text | The Azure Cloud Environment. | |
created_on | timestamp with time zone | Time it was created. | |
id | text | = | Contains ID to identify a role assignment uniquely. |
name | text | The friendly name that identifies the role assignment. | |
principal_id | text | Contains the principal id. | |
principal_type | text | Principal type of the assigned principal ID. | |
role_definition_id | text | Name of the assigned role definition. | |
scope | text | = | Current state of the role assignment. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
title | text | Title of the resource. | |
type | text | Contains the resource type. | |
updated_on | timestamp with time zone | Time it was updated. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
You can pass the configuration to the command with the --config
argument:
steampipe_export_azure --config '<your_config>' azure_role_assignment