How to retrieve role condition from ARM API
I am using the Terraform azapi provider to pull ARM objects using the Azure API.
Specifically, I am trying to pull role definitions. Using this API version: Microsoft.Authorization/roleDefinitions@2022-04-01, I am able to get all information about a role definition EXCEPT for the condition. My question is how do I get the condition field? I can see the condition field when using resource graph explorer to view roles, but not in the retrieved ARM API objects.
2 answers
-
Jose Benjamin Solis Nolasco 8,561 Reputation points • Volunteer Moderator
Welcome to Microsoft Q&A
Hello @Neel Manthani I hope you are doing well,
The reason you are not seeing the condition field in the API response is due to the specific API version you are targeting. While API version 2022-04-01 was the milestone release that brought Attribute-Based Access Control (ABAC) conditions to General Availability for Role Assignments, the schema for Role Definitions did not immediately expose the corresponding built-in condition properties. According to the Azure REST API changelog, the condition and conditionVersion fields were not added to the Microsoft.Authorization/roleDefinitions schema until the 2022-05-01-preview API version. Resource Graph Explorer uses newer/internal API versions by default, which is why you can see the field there but not in your Terraform outputs.
How to resolve this: Update your azapi Terraform configuration to use the newer API version: change your type string to Microsoft.Authorization/roleDefinitions@2022-05-01-preview (or a newer available version).
Note that the condition field is not located at the root of properties. Because a role definition can have multiple permission sets, the condition is nested inside the permissions array. Once you update the API version, you will find the condition field in the retrieved JSON object at this path: properties.permissions[0].condition
😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily.
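Added example, not code from this thread or from the azapi project: a small Python helper that reads the condition from the nested path the answer describes, walking every permission set rather than only permissions[0]. The role-definition payload it parses is a constructed sample in the 2022-05-01-preview shape; the role ids and the condition text are placeholders.

```python
import json
from typing import Any

# Constructed sample in the shape of a GET on
# Microsoft.Authorization/roleDefinitions@2022-05-01-preview. Not captured from
# a real tenant: the role ids and the ABAC condition text are placeholders.
SAMPLE_ROLE_DEFINITION = json.dumps({
    "id": "/providers/Microsoft.Authorization/roleDefinitions/PLACEHOLDER-ROLE-ID",
    "name": "PLACEHOLDER-ROLE-ID",
    "type": "Microsoft.Authorization/roleDefinitions",
    "properties": {
        "roleName": "Example Conditional Role",
        "type": "BuiltInRole",
        "permissions": [
            {   # first permission set: no condition at all
                "actions": ["*/read"], "notActions": [],
                "dataActions": [], "notDataActions": [],
            },
            {   # second permission set: carries the ABAC condition
                "actions": ["Microsoft.Authorization/roleAssignments/write"],
                "notActions": [], "dataActions": [], "notDataActions": [],
                "conditionVersion": "2.0",
                "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) "
                             "OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
                             "ForAnyOfAnyValues:GuidNotEquals {PLACEHOLDER-DENIED-ROLE-ID}))",
            },
        ],
    },
})

def role_conditions(role_definition: Any) -> list[dict[str, Any]]:
    """Collect every ABAC condition attached to one role definition.

    Accepts the raw JSON string (e.g. the azapi data source output) or a decoded
    dict. Walks every entry of properties.permissions: a role definition may hold
    several permission sets with only some conditional, so permissions[0].condition
    alone can miss it. An empty list means no set carries a condition, which is
    also what a response from an API version without the field looks like.
    """
    if isinstance(role_definition, str):
        role_definition = json.loads(role_definition)
    permissions = role_definition.get("properties", {}).get("permissions", [])
    found = []
    for index, permission in enumerate(permissions):
        if permission.get("condition"):
            found.append({"permissionIndex": index,
                          "conditionVersion": permission.get("conditionVersion"),
                          "condition": permission["condition"]})
    return found
```

Fed a decoded azapi output object instead of the sample string, the function works unchanged.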
-
Jose Benjamin Solis Nolasco 8,561 Reputation points • Volunteer Moderator
@Neel Manthani Just following up do you need more guidance or assistance?
-
Neel Manthani 0 Reputation points
Thanks Jose, that partially fixed the issue, but now I'm finding that one desired role in particular is not being retrieved, namely the "Foundational RP Contributor" role. Interestingly, it appears in resource graph explorer queries, but does not display when running the az role definition list --name "Foundational RP Contributor".
What is the reason for this discrepancy?
-
Pravallika KV 17,025 Reputation points • Microsoft External Staff • Moderator
Hi @Neel Manthani ,
When you call the ARM API for role definitions (Microsoft.Authorization/roleDefinitions@2022-04-01), the payload represents the definition of permissions (for example, actions, dataActions, etc.). The RBAC condition (and related conditionVersion) is not a property of role definitions in ARM. It’s a property that exists only on role assignments (Microsoft.Authorization/roleAssignments), i.e., it’s evaluated as part of “who has which permissions, under what condition”. So, even though you may see condition when using Resource Graph Explorer (because it can aggregate/compute RBAC view data), the raw roleDefinitions ARM objects won’t include condition. If your goal is to retrieve the condition, you should query role assignments for the relevant scope(s) and filter for the role definition you care about. In other words:
- Use Microsoft.Authorization/roleAssignments to list role assignments
- Read the condition/conditionVersion fields from those role assignment objects
To access condition, you need to query roleAssignments instead.