steampipe plugin install azure

Table: azure_role_definition - Query Azure Role Definitions using SQL

An Azure role definition is a collection of permissions (actions, notActions, dataActions and notDataActions) together with the scopes at which the role may be assigned. A role definition grants nothing on its own: access is granted when the role is assigned to a security principal at a scope. Role definitions let you manage access to Azure resources by grouping permissions into reusable roles, either the built-in roles Azure ships or custom roles you define.

Table Usage Guide

The azure_role_definition table provides insights into role definitions within Microsoft Azure. As a DevOps or security engineer, explore role-specific details through this table, including the permission blocks, assignable scopes and associated metadata. Use it to audit what custom roles can do, find roles that are assignable at broad scopes, and check that custom roles follow least privilege.

Examples

List the custom roles

Explore which custom roles have been defined in your Azure environment. This is beneficial to understand and manage the unique permissions and restrictions applied within your system.

PostgreSQL:

select
  name,
  description,
  role_name,
  role_type,
  title
from
  azure_role_definition
where
  role_type = 'CustomRole';

SQLite:

select
  name,
  description,
  role_name,
  role_type,
  title
from
  azure_role_definition
where
  role_type = 'CustomRole';

List of roles whose assignable scope is set to the root ('/') scope

Explore which roles can be assigned at the root scope. Built-in roles are assignable at '/' by design, so this query mostly returns them; custom roles are scoped to management groups, subscriptions or resource groups, so a custom role appearing here is worth a closer look. Note that an assignable scope says where a role may be assigned, not how much it grants; combine this query with the permissions queries below to judge the blast radius of a role.

PostgreSQL:

select
  name,
  role_name,
  scope
from
  azure_role_definition,
  jsonb_array_elements_text(assignable_scopes) as scope
where
  scope = '/';

SQLite:

No equivalent SQLite query is provided for this example.
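The root-scope query above only tells you whether a role is assignable everywhere. The following query is an added example, not taken from the Steampipe documentation or the Azure plugin: it expands every assignable scope of every custom role and classifies it by kind (root, management group, subscription, resource group) from the layout of the ARM resource ID, so you can see which custom roles are assignable broadly. The scope_kind labels and the regular expressions are this example's own; Azure scope strings vary in case, so the matching is case-insensitive.

```sql
-- Added example (not from the Steampipe docs): classify each assignable scope
-- of each custom role. Scope strings are ARM resource IDs whose case varies,
-- so they are matched case-insensitively with ~*.
select
  d.role_name,
  d.name as role_definition_guid,
  scope,
  case
    when scope = '/' then 'root'
    when scope ~* '^/providers/microsoft\.management/managementgroups/[^/]+$' then 'management group'
    when scope ~* '^/subscriptions/[^/]+$' then 'subscription'
    when scope ~* '^/subscriptions/[^/]+/resourcegroups/[^/]+$' then 'resource group'
    else 'other'
  end as scope_kind
from
  azure_role_definition as d
  cross join jsonb_array_elements_text(d.assignable_scopes) as scope
where
  d.role_type = 'CustomRole'
order by
  -- broadest scopes first
  case
    when scope = '/' then 0
    when scope ~* '^/providers/microsoft\.management/' then 1
    when scope ~* '^/subscriptions/[^/]+$' then 2
    else 3
  end,
  d.role_name;
```

A custom role that lands in the management group or subscription bucket can be assigned anywhere beneath that node; pair the result with the role's permissions before deciding whether the breadth is justified.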

Permissions of all custom roles

Explore which permissions are assigned to all custom roles within your Azure environment. This can help in maintaining security standards and ensuring that roles are not granted excessive permissions.

PostgreSQL:

select
  name,
  role_name,
  role_type,
  permission -> 'actions' as action,
  permission -> 'dataActions' as data_action,
  permission -> 'notActions' as no_action,
  permission -> 'notDataActions' as not_data_actions
from
  azure_role_definition
  cross join jsonb_array_elements(permissions) as permission
where
  role_type = 'CustomRole';

SQLite:

select
  name,
  role_name,
  role_type,
  json_extract(permission.value, '$.actions') as action,
  json_extract(permission.value, '$.dataActions') as data_action,
  json_extract(permission.value, '$.notActions') as no_action,
  json_extract(permission.value, '$.notDataActions') as not_data_actions
from
  azure_role_definition,
  json_each(permissions) as permission
where
  role_type = 'CustomRole';
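Listing the raw permission blocks is a start, but to triage custom roles you want one row per role with the properties that matter for least privilege. The query below is an added example (not part of the Steampipe documentation or the Azure plugin) that expands every actions entry of every custom role and summarises it: whether the role grants '*' (Owner-equivalent on the control plane), whether it grants an action that lets the holder write role assignments or role definitions (a direct privilege-escalation path), how many wildcard actions it uses, whether it uses notActions, and whether any dataActions entry contains a wildcard. The output column names and the list of escalation-capable action strings are this example's own.

```sql
-- Added example (not from the Steampipe docs): one summary row per custom role.
-- Actions are left-joined so a role whose block has only dataActions still
-- appears; Azure action strings are case-insensitive, so they are lower-cased.
with expanded as (
  select
    d.role_name,
    d.name as role_definition_guid,
    d.assignable_scopes,
    lower(action) as action,
    coalesce(p -> 'notActions', '[]'::jsonb) as not_actions,
    coalesce(p -> 'dataActions', '[]'::jsonb) as data_actions
  from
    azure_role_definition as d
    cross join jsonb_array_elements(d.permissions) as p
    left join lateral jsonb_array_elements_text(coalesce(p -> 'actions', '[]'::jsonb)) as action on true
  where
    d.role_type = 'CustomRole'
)
select
  role_name,
  role_definition_guid,
  jsonb_array_length(assignable_scopes) as assignable_scope_count,
  count(action) as total_actions,
  count(*) filter (where action like '%*%') as wildcard_actions,
  -- '*' alone is Owner-equivalent on the control plane
  coalesce(bool_or(action = '*'), false) as grants_all_actions,
  -- any of these lets the holder grant further roles at the assignment scope
  -- (the list is this example's own and is not exhaustive)
  coalesce(bool_or(action in (
    '*',
    '*/write',
    'microsoft.authorization/*',
    'microsoft.authorization/*/write',
    'microsoft.authorization/roleassignments/*',
    'microsoft.authorization/roleassignments/write',
    'microsoft.authorization/roledefinitions/*',
    'microsoft.authorization/roledefinitions/write'
  )), false) as can_write_rbac,
  -- notActions subtract from actions; a hit above needs these reviewed
  bool_or(jsonb_array_length(not_actions) > 0) as uses_not_actions,
  bool_or(data_actions::text like '%*%') as has_data_plane_wildcard
from
  expanded
group by
  role_name, role_definition_guid, assignable_scopes
order by
  grants_all_actions desc,
  can_write_rbac desc,
  wildcard_actions desc,
  role_name;
```

Azure computes a role's effective control-plane permissions as actions minus notActions, and likewise for data actions. A role flagged grants_all_actions with uses_not_actions true may have carved the escalation operations back out, so inspect its notActions before treating it as Owner-equivalent. Conversely, Microsoft.Authorization/*/read, which nearly every role carries, is deliberately not matched.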



Schema for azure_role_definition

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
assignable_scopes | jsonb | | A list of scopes at which the role definition can be assigned.
cloud_environment | text | | The Azure Cloud Environment.
description | text | | Description of the role definition.
id | text | | The fully qualified resource ID that identifies the role definition uniquely.
name | text | = | The GUID that identifies the role definition (the last segment of id).
permissions | jsonb | | A list of permission blocks, each with actions, notActions, dataActions and notDataActions.
role_name | text | | The friendly display name of the role (for example, Contributor).
role_type | text | | The type of the role: BuiltInRole or CustomRole.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located.
title | text | | Title of the resource.
type | text | | Contains the resource type.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_role_definition