Unofficial CLI to list and enable Azure Privileged Identity Management (PIM) roles
Usage: az-pim [OPTIONS] <COMMAND>
Commands:
list List active or eligible assignments
activate Activate eligible role assignments
deactivate Deactivate eligible role assignments
delete Delete eligible role assignments
role Manage Azure role-based access control (Azure RBAC)
init Setup shell tab completions
Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help
-V, --version
Print version
List active or eligible assignments
Usage: list [OPTIONS]
Options:
--active
List active assignments
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--filter <FILTER>
Filter to apply on the operation
Specifying `as-target` will return results for the current user.
Specifying `at-scope` will return results at or above the specified scope.
[default: as-target]
[possible values: at-scope, as-target]
--quiet
Only show errors
--subscription <SUBSCRIPTION>
Specify scope at the subscription level
--resource-group <RESOURCE_GROUP>
Specify scope at the Resource Group level
This argument requires `subscription` to be set.
--provider <PROVIDER>
Specify scope at the Resource Provider level
This argument requires `subscription` and `resource_group` to be set.
--scope <SCOPE>
Specify the full scope directly
-h, --help
Print help (see a summary with '-h')
$ az-pim list
[
{
"role": "Owner",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
"scope_name": "My Subscription"
},
{
"role": "Storage Blob Data Contributor",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
"scope_name": "My Subscription"
}
]
$ az-pim list --active
[
{
"role": "Storage Blob Data Contributor",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
"scope_name": "My Subscription"
}
]
$
Activate eligible role assignments
Usage: activate [OPTIONS] <COMMAND>
Commands:
role Activate a specific role
set Activate a set of roles
interactive Activate roles interactively
Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help
Activate a specific role
Usage: role [OPTIONS] <ROLE> <JUSTIFICATION>
Arguments:
<ROLE>
Name of the role to activate
<JUSTIFICATION>
Justification for the request
Options:
--duration <DURATION>
Duration for the role to be active
Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes', '1h30m'
[default: "8 hours"]
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
--wait <WAIT>
Duration to wait for the roles to be activated
Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes', '1h30m'
--subscription <SUBSCRIPTION>
Specify scope at the subscription level
--resource-group <RESOURCE_GROUP>
Specify scope at the Resource Group level
This argument requires `subscription` to be set.
--provider <PROVIDER>
Specify scope at the Resource Provider level
This argument requires `subscription` and `resource_group` to be set.
--scope <SCOPE>
Specify the full scope directly
-h, --help
Print help (see a summary with '-h')
$ az-pim activate role Owner "developing pim" --subscription 00000000-0000-0000-0000-000000000000
2024-06-27T16:55:27.676291Z INFO az_pim: activating Owner in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$
Activate a set of roles
This command can be used to activate multiple roles at once. It can be used with a config file or by specifying roles on the command line.
Usage: set [OPTIONS] <JUSTIFICATION>
Arguments:
<JUSTIFICATION>
Justification for the request
Options:
--duration <DURATION>
Duration for the role to be active
Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes', '1h30m'
[default: "8 hours"]
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--config <CONFIG>
Path to a JSON config file containing a set of roles to activate
Example config file: ` [ { "role": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000" }, { "role": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001" } ] `
--quiet
Only show errors
--role <ROLE=SCOPE>
Specify a role to activate
Specify multiple times to include multiple key/value pairs
--concurrency <CONCURRENCY>
Concurrency rate
Specify how many roles to activate concurrently. This can be used to speed up activation of roles.
[default: 4]
--wait <WAIT>
Duration to wait for the roles to be activated
Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes', '1h30m'
-h, --help
Print help (see a summary with '-h')
$ az-pim activate set 'continued development' --role 'Owner=My Subscription'
2024-06-27T17:23:03.981067Z INFO azure_pim_cli: activating Owner in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$ cat config.json
[
{
"role": "Owner",
"scope_name": "My Subscription"
},
{
"role": "Storage Blob Data Contributor",
"scope_name": "My Subscription"
}
]
$ az-pim activate set 'continued development' --config ./config.json
2024-06-27T17:23:03.981067Z INFO azure_pim_cli: activating Owner in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
2024-06-27T17:23:03.981067Z INFO azure_pim_cli: activating Storabe Blob Data Contributor in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$ az-pim list | jq 'map(select(.role | contains("Contributor")))' | az-pim activate set "deploying new code" --config /dev/stdin
2024-06-27T17:23:03.981067Z INFO azure_pim_cli: activating Storabe Blob Data Contributor in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$
Activate roles interactively
Usage: interactive [OPTIONS]
Options:
--justification <JUSTIFICATION>
Justification for the request
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--concurrency <CONCURRENCY>
Concurrency rate
Specify how many roles to activate concurrently. This can be used to speed up activation of roles.
[default: 4]
--quiet
Only show errors
--duration <DURATION>
Duration for the role to be active
Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes', '1h30m'
[default: "8 hours"]
--wait <WAIT>
Duration to wait for the roles to be activated
Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes', '1h30m'
-h, --help
Print help (see a summary with '-h')
Deactivate eligible role assignments
Usage: deactivate [OPTIONS] <COMMAND>
Commands:
role Deactivate a specific role
set Deactivate a set of roles
interactive Deactivate roles interactively
Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help
Deactivate a specific role
Usage: role [OPTIONS] <ROLE>
Arguments:
<ROLE>
Name of the role to deactivate
Options:
--subscription <SUBSCRIPTION>
Specify scope at the subscription level
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
--resource-group <RESOURCE_GROUP>
Specify scope at the Resource Group level
This argument requires `subscription` to be set.
--provider <PROVIDER>
Specify scope at the Resource Provider level
This argument requires `subscription` and `resource_group` to be set.
--scope <SCOPE>
Specify the full scope directly
-h, --help
Print help (see a summary with '-h')
$ az-pim deactivate role "Storage Queue Data Contributor" --subscription 00000000-0000-0000-0000-000000000000
2024-06-27T17:57:53.462674Z INFO az_pim: deactivating Storage Queue Data Contributor in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$
Deactivate a set of roles
Usage: set [OPTIONS]
Options:
--config <CONFIG>
Path to a JSON config file containing a set of roles to deactivate
Example config file: ` [ { "role": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000" }, { "role": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001" } ] `
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
--role <ROLE=SCOPE>
Specify a role to deactivate
Specify multiple times to include multiple key/value pairs
--concurrency <CONCURRENCY>
Concurrency rate
Specify how many roles to deactivate concurrently. This can be used to speed up activation of roles.
[default: 4]
-h, --help
Print help (see a summary with '-h')
$ az-pim deactivate set --role "Owner=My Subscription"
2024-06-27T17:57:53.462674Z INFO az_pim: deactivating Owner in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$ # deactivate all roles by listing active roles, then deactivating all of them
$ az-pim list | az-pim deactivate set --config /dev/stdin
2024-06-27T17:57:53.462674Z INFO az_pim: deactivating Storage Blob Data Contributor in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$
Deactivate roles interactively
Usage: interactive [OPTIONS]
Options:
--concurrency <CONCURRENCY>
Concurrency rate
Specify how many roles to deactivate concurrently. This can be used to speed up deactivation of roles.
[default: 4]
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help (see a summary with '-h')
Delete eligible role assignments
Usage: delete [OPTIONS] <COMMAND>
Commands:
orphaned-entries Delete assignments that objects in Microsoft Graph cannot be found
Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help
Delete assignments that objects in Microsoft Graph cannot be found
Usage: orphaned-entries [OPTIONS]
Options:
--subscription <SUBSCRIPTION>
Specify scope at the subscription level
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
--resource-group <RESOURCE_GROUP>
Specify scope at the Resource Group level
This argument requires `subscription` to be set.
--provider <PROVIDER>
Specify scope at the Resource Provider level
This argument requires `subscription` and `resource_group` to be set.
--scope <SCOPE>
Specify the full scope directly
--nested
Delete nested assignments
--yes
Always respond yes to confirmations
-h, --help
Print help (see a summary with '-h')
Manage Azure role-based access control (Azure RBAC)
Usage: role [OPTIONS] <COMMAND>
Commands:
assignment Manage role assignments
definition Manage role definitions
resources Commands related to resources in Azure
Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help
Manage role assignments
Usage: assignment [OPTIONS] <COMMAND>
Commands:
list List assignments
delete Delete an assignment
delete-set Delete a set of assignments
delete-orphaned-entries Delete assignments that objects in Microsoft Graph cannot be found
Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help
List assignments
Usage: list [OPTIONS]
Options:
--subscription <SUBSCRIPTION>
Specify scope at the subscription level
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
--resource-group <RESOURCE_GROUP>
Specify scope at the Resource Group level
This argument requires `subscription` to be set.
--provider <PROVIDER>
Specify scope at the Resource Provider level
This argument requires `subscription` and `resource_group` to be set.
--scope <SCOPE>
Specify the full scope directly
-h, --help
Print help (see a summary with '-h')
$ az-pim role assignment list --subscription 00000000-0000-0000-0000-000000000000
[
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000001",
"name": "00000000-0000-0000-0000-000000000001",
"properties": {
"createdOn": "2024-07-03T17:06:36.5812308Z",
"createdBy": "00000000-0000-0000-0000-000000000002",
"updatedOn": "2024-07-03T17:06:36.5812308Z",
"updatedBy": "00000000-0000-0000-0000-000000000003",
"roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000004",
"principalId": "00000000-0000-0000-0000-000000000005",
"principalType": "ServicePrincipal",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount"
},
"type": "Microsoft.Authorization/roleAssignments"
}
]
$
Delete an assignment
Usage: delete [OPTIONS] <ASSIGNMENT_NAME>
Arguments:
<ASSIGNMENT_NAME>
Assignment name
Options:
--subscription <SUBSCRIPTION>
Specify scope at the subscription level
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
--resource-group <RESOURCE_GROUP>
Specify scope at the Resource Group level
This argument requires `subscription` to be set.
--provider <PROVIDER>
Specify scope at the Resource Provider level
This argument requires `subscription` and `resource_group` to be set.
--scope <SCOPE>
Specify the full scope directly
-h, --help
Print help (see a summary with '-h')
$ az-pim role assignment delete 00000000-0000-0000-0000-000000000000 --subscription 00000000-0000-0000-0000-000000000001
$
Delete a set of assignments
Usage: delete-set [OPTIONS] <CONFIG>
Arguments:
<CONFIG>
Path to a JSON config file containing a set of assignments to delete
Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help
$ az-pim role assignment list --subscription 00000000-0000-0000-0000-000000000000 | jq 'map(select(.object | .==null)) [].id' | az-pim role assignment delete-set /dev/stdin
2024-07-09T18:54:48.903483Z INFO azure_pim_cli: listing assignments assignments
2024-07-09T18:19:32.222267Z INFO azure_pim_cli: deleting assignment 00000000-0000-0000-0000-000000000001 from /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount
2024-07-09T18:19:32.222267Z INFO azure_pim_cli: deleting assignment 00000000-0000-0000-0000-000000000002 from /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount
$
Delete assignments that objects in Microsoft Graph cannot be found
Usage: delete-orphaned-entries [OPTIONS]
Options:
--subscription <SUBSCRIPTION>
Specify scope at the subscription level
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
--resource-group <RESOURCE_GROUP>
Specify scope at the Resource Group level
This argument requires `subscription` to be set.
--provider <PROVIDER>
Specify scope at the Resource Provider level
This argument requires `subscription` and `resource_group` to be set.
--scope <SCOPE>
Specify the full scope directly
--nested
Delete nested assignments
--yes
Always respond yes to confirmations
-h, --help
Print help (see a summary with '-h')
$ az-pim role assignment delete-orphaned-entries --subscription 00000000-0000-0000-0000-000000000001
2024-07-09T19:54:45.843289Z INFO azure_pim_cli: listing assignments
2024-07-09T19:54:48.142932Z INFO azure_pim_cli: listing role definitions
2024-07-09T19:54:48.421671Z INFO az_pim: Are you sure you want to delete role: "Storage Queue Data Contributor" principal:00000000-0000-0000-0000-000000000000 (type: ServicePrincipal) scope:/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount? (y/n):
y
$
Manage role definitions
Usage: definition [OPTIONS] <COMMAND>
Commands:
list List the definitions for the specific scope
Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help
List the definitions for the specific scope
Usage: list [OPTIONS]
Options:
--subscription <SUBSCRIPTION>
Specify scope at the subscription level
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
--resource-group <RESOURCE_GROUP>
Specify scope at the Resource Group level
This argument requires `subscription` to be set.
--provider <PROVIDER>
Specify scope at the Resource Provider level
This argument requires `subscription` and `resource_group` to be set.
--scope <SCOPE>
Specify the full scope directly
-h, --help
Print help (see a summary with '-h')
$ az-pim role definition list --subscription 00000000-0000-0000-0000-000000000000
[
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000001",
"name": "00000000-0000-0000-0000-000000000001",
"properties": {
"assignableScopes": [
"/"
],
"createdOn": "2018-11-29T18:46:55.0492387Z",
"updatedOn": "2018-11-29T18:46:55.0492387Z",
"description": "my custom role",
"permissions": [
{
"actions": [
"Microsoft.Compute/*/read",
"Microsoft.Network/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "my custom name",
"type": "CustomRole"
},
"type": "Microsoft.Authorization/roleDefinitions"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000007",
"name": "00000000-0000-0000-0000-000000000007",
"properties": {
"assignableScopes": [
"/"
],
"createdOn": "2017-12-21T00:01:24.7972312Z",
"updatedOn": "2021-11-11T20:13:54.9397456Z",
"description": "Allows for read, write and delete access to Azure Storage blob containers and data",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Contributor",
"type": "BuiltInRole"
},
"type": "Microsoft.Authorization/roleDefinitions"
}
]
$
Commands related to resources in Azure
Usage: resources [OPTIONS] <COMMAND>
Commands:
list List the child resources of a resource which you have eligible access
Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help
List the child resources of a resource which you have eligible access
Usage: list [OPTIONS]
Options:
--subscription <SUBSCRIPTION>
Specify scope at the subscription level
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
--resource-group <RESOURCE_GROUP>
Specify scope at the Resource Group level
This argument requires `subscription` to be set.
--provider <PROVIDER>
Specify scope at the Resource Provider level
This argument requires `subscription` and `resource_group` to be set.
--scope <SCOPE>
Specify the full scope directly
-h, --help
Print help (see a summary with '-h')
$ az-pim role resources list --subscription 00000000-0000-0000-0000-000000000000
[
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/DefaultResourceGroup-EUS",
"name": "DefaultResourceGroup-EUS",
"type": "resourcegroup"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/DefaultResourceGroup-SUK",
"name": "DefaultResourceGroup-SUK",
"type": "resourcegroup"
}
]
Setup shell tab completions
This command will generate shell completions for the specified shell.
Usage: init [OPTIONS] <SHELL>
Arguments:
<SHELL>
[possible values: bash, elvish, fish, powershell, zsh]
Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity
--quiet
Only show errors
-h, --help
Print help (see a summary with '-h')
$ # In bash shell
$ eval $(az-pim init bash)
$ # In zsh shell
$ source <(az-pim init zsh)