Written by: Ismaël Diakité
Date Published: 19 November 2023
Managing Azure Role Assignments with C# and ARM Client
In this tutorial, we'll explore how to programmatically manage Azure role assignments using C# and the Azure Resource Manager (ARM) client library. This is particularly useful for automating permissions and access control in an Azure environment, where role assignments are the primary mechanism for granting or revoking access to resources.
Prerequisites
Before you start, ensure you have the following:
- An active Azure subscription.
- A Microsoft Entra ID (formerly Azure Active Directory, AAD) app registration with a client secret, i.e. a service principal.
- The service principal must be allowed to create and delete role assignments at the target scope (the Microsoft.Authorization/roleAssignments/write and Microsoft.Authorization/roleAssignments/delete actions). Owner or User Access Administrator grant this; Contributor does not, so a Contributor-only service principal fails Step 4 with a 403.
- Visual Studio or a similar .NET development environment, with the Azure.Identity, Azure.ResourceManager and Azure.ResourceManager.Authorization NuGet packages referenced.
Step 1: Set Up Azure Authentication
First, we'll create a ClientSecretCredential object for authenticating with Azure using the tenant ID, client ID, and client secret of your service principal.
using Azure.Identity;

string tenantId = "YOUR TENANT ID HERE";
string clientId = "YOUR CLIENT ID HERE";
string clientSecret = "YOUR CLIENT SECRET HERE";
// Client-credentials flow: the application authenticates as itself (the service principal), not as a signed-in user.
ClientSecretCredential credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
Replace "YOUR TENANT ID HERE", "YOUR CLIENT ID HERE", and "YOUR CLIENT SECRET HERE" with the values of your service principal. Do not leave real values hard-coded in source: the secret ends up in version control and build logs. Read them from environment variables or a secret store instead, or use DefaultAzureCredential (also in Azure.Identity), which picks up AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET from the environment and falls back to a managed identity or a developer login.
Step 2: Initialize ARM Client
Next, create an ArmClient object using the credential:
using Azure.ResourceManager;

ArmClient client = new ArmClient(credential);
Step 3: Find Role Definition
To assign a role, you need its definition ID. Here, we'll find the ID of the "Contributor" role:
string subscriptionId = "YOUR SUBSCRIPTION ID HERE";
string scope = $"/subscriptions/{subscriptionId}";
using System;
using Azure;                                      // WaitUntil, ArmOperation
using Azure.Core;                                 // ResourceIdentifier
using Azure.ResourceManager.Authorization;        // role definition and role assignment resources
using Azure.ResourceManager.Authorization.Models; // RoleAssignmentCreateOrUpdateContent, RoleManagementPrincipalType

// Enumerate the role definitions visible at the subscription scope (built-in and custom)
// and keep the full resource ID of the one named "Contributor".
ResourceIdentifier roleDefinitionIdToAssign = null;
await foreach (AuthorizationRoleDefinitionResource roleDefinition in
               client.GetAuthorizationRoleDefinitions(new ResourceIdentifier(scope)).GetAllAsync())
{
    if (roleDefinition.Data.RoleName.Equals("Contributor", StringComparison.OrdinalIgnoreCase))
    {
        // Id already has the form /subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{guid}
        roleDefinitionIdToAssign = roleDefinition.Id;
        break;
    }
}
if (roleDefinitionIdToAssign == null)
{
    throw new InvalidOperationException("Contributor role definition not found at this scope.");
}
Step 4: Create a Role Assignment
Now create a role assignment for a principal, in our case a group, at the subscription scope. In practice, prefer the narrowest scope that does the job (a resource group or a single resource) over the whole subscription:
string groupId = "YOUR GROUP ID HERE";                 // object ID of the group in Entra ID
string roleAssignmentName = Guid.NewGuid().ToString(); // role assignment names must be GUIDs
RoleAssignmentCreateOrUpdateContent content = new RoleAssignmentCreateOrUpdateContent(roleDefinitionIdToAssign, Guid.Parse(groupId))
{
    // Declaring the principal type avoids a "PrincipalNotFound" failure when the principal was
    // created moments ago and has not replicated yet.
    PrincipalType = RoleManagementPrincipalType.Group,
};
ResourceIdentifier scopeId = new ResourceIdentifier(scope);
RoleAssignmentCollection collection = client.GetRoleAssignments(scopeId);
// Assigning the same role to the same principal at the same scope twice fails with 409 RoleAssignmentExists.
ArmOperation<RoleAssignmentResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, roleAssignmentName, content);
RoleAssignmentResource result = lro.Value;
Step 5: Delete the Role Assignment
Finally, delete the role assignment. Look it up by the name chosen in Step 4 (names are GUIDs, so this is an exact server-side lookup) rather than scanning the whole collection client-side; the RoleAssignmentResource returned by CreateOrUpdateAsync could equally be deleted directly:
RoleAssignmentResource roleAssignmentToDelete = await collection.GetAsync(roleAssignmentName);
// The delete operation returns the removed assignment.
ArmOperation<RoleAssignmentResource> lroDelete = await roleAssignmentToDelete.DeleteAsync(WaitUntil.Completed);
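The five steps above as one program, added here as an example for this page; it is not the original tutorial's code or its GitHub project. It differs from the walkthrough in three ways a practitioner would want: credentials come from the environment through DefaultAzureCredential instead of being hard-coded, the assignment is made at resource-group scope rather than subscription scope, and creation is idempotent (an existing principal/role/scope assignment is reused, and a 409 from a racing writer is handled). The environment variable names AZURE_SUBSCRIPTION_ID, DEMO_RESOURCE_GROUP and DEMO_GROUP_OBJECT_ID, the existence of that resource group, and the Description text are this example's own assumptions.

```csharp
// Added example (not the original tutorial's code): steps 1-5 as one idempotent,
// least-privilege program. Assumes (this example's choice) the environment variables
// AZURE_SUBSCRIPTION_ID, DEMO_RESOURCE_GROUP and DEMO_GROUP_OBJECT_ID, an existing resource
// group with that name, and a caller holding Microsoft.Authorization/roleAssignments/write
// and /delete at that scope. NuGet: Azure.Identity, Azure.ResourceManager,
// Azure.ResourceManager.Authorization.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Authorization;
using Azure.ResourceManager.Authorization.Models;

public static class RoleAssignmentDemo
{
    public static async Task Main()
    {
        // No secrets in source: DefaultAzureCredential reads AZURE_TENANT_ID / AZURE_CLIENT_ID /
        // AZURE_CLIENT_SECRET from the environment, or falls back to a managed identity or a
        // developer login.
        string subscriptionId = Require("AZURE_SUBSCRIPTION_ID");
        string resourceGroup = Require("DEMO_RESOURCE_GROUP");
        Guid principalId = Guid.Parse(Require("DEMO_GROUP_OBJECT_ID"));

        var client = new ArmClient(new DefaultAzureCredential());

        // Narrowest useful scope: one resource group rather than the whole subscription.
        var scope = new ResourceIdentifier($"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}");

        // Resolve the role definition server-side by name instead of paging through every role.
        ResourceIdentifier? roleDefinitionId = null;
        await foreach (AuthorizationRoleDefinitionResource def in
                       client.GetAuthorizationRoleDefinitions(scope).GetAllAsync("roleName eq 'Contributor'"))
        {
            roleDefinitionId = def.Id;
            break;
        }
        if (roleDefinitionId is null)
            throw new InvalidOperationException("Contributor role definition not found.");

        RoleAssignmentCollection assignments = client.GetRoleAssignments(scope);

        // Idempotent create: reuse an existing principal/role/scope assignment instead of
        // provoking 409 RoleAssignmentExists, and still cope with the 409 if another writer wins a race.
        RoleAssignmentResource? assignment = await FindAssignmentAsync(assignments, principalId, roleDefinitionId, scope);
        if (assignment is null)
        {
            var content = new RoleAssignmentCreateOrUpdateContent(roleDefinitionId, principalId)
            {
                // Declaring the type avoids PrincipalNotFound for principals created moments ago.
                PrincipalType = RoleManagementPrincipalType.Group,
                Description = "Temporary Contributor on the demo resource group (RoleAssignmentDemo)",
            };
            try
            {
                ArmOperation<RoleAssignmentResource> op = await assignments.CreateOrUpdateAsync(
                    WaitUntil.Completed, Guid.NewGuid().ToString(), content);
                assignment = op.Value;
            }
            catch (RequestFailedException ex) when (ex.Status == 403)
            {
                // The classic prerequisite failure: the caller is Contributor but not Owner / User Access Administrator.
                throw new InvalidOperationException(
                    "Caller lacks Microsoft.Authorization/roleAssignments/write at " + scope, ex);
            }
            catch (RequestFailedException ex) when (ex.Status == 409)
            {
                assignment = await FindAssignmentAsync(assignments, principalId, roleDefinitionId, scope)
                             ?? throw new InvalidOperationException("409 received but no matching assignment found.", ex);
            }
        }
        Console.WriteLine($"Assignment {assignment.Data.Name} grants Contributor at {assignment.Data.Scope}");

        // Clean up through the resource we already hold; no second scan of the collection is needed.
        await assignment.DeleteAsync(WaitUntil.Completed);
    }

    // The principalId filter returns assignments at, above and below the scope, so the exact
    // scope and role definition must still be checked client-side.
    private static async Task<RoleAssignmentResource?> FindAssignmentAsync(
        RoleAssignmentCollection assignments, Guid principalId, ResourceIdentifier roleDefinitionId, ResourceIdentifier scope)
    {
        await foreach (RoleAssignmentResource ra in assignments.GetAllAsync($"principalId eq '{principalId}'"))
        {
            if (string.Equals(ra.Data.Scope, scope.ToString(), StringComparison.OrdinalIgnoreCase)
                && string.Equals(ra.Data.RoleDefinitionId?.ToString(), roleDefinitionId.ToString(), StringComparison.OrdinalIgnoreCase))
                return ra;
        }
        return null;
    }

    private static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Environment variable {name} is not set.");
}
```

Run it with `dotnet run` after exporting the variables above and the AZURE_* variables DefaultAzureCredential expects. Because it looks up the existing assignment before writing, running it twice does not create a second, identical assignment, which is what you want from any automation that reconciles access rather than merely adding it.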
Conclusion
In this tutorial, we've demonstrated how to create and delete Azure role assignments using C# and the ARM client. This approach is essential for automating and managing access controls in Azure.
Full Source Code
The complete source code for this project can be found at the following GitHub repository: RoleAssignProject