az keyvault role definition

Manage role definitions.

Commands

Name	Description	Type	Status
az keyvault role definition create	Create a custom role definition.	Core	GA
az keyvault role definition delete	Delete a role definition.	Core	GA
az keyvault role definition list	List role definitions.	Core	GA
az keyvault role definition show	Show the details of a role definition.	Core	GA
az keyvault role definition update	Update a role definition.	Core	GA

az keyvault role definition create

Edit

Create a custom role definition.

az keyvault role definition create --hsm-name
                                   --role-definition
                                   [--acquire-policy-token]
                                   [--change-reference]

Examples

Create a role by a JSON string.

az keyvault role definition create --hsm-name MyHSM --role-definition '{
    "roleName": "My Custom Role",
    "description": "The description of the custom rule.",
    "actions": [],
    "notActions": [],
    "dataActions": [
        "Microsoft.KeyVault/managedHsm/keys/read/action"
    ],
    "notDataActions": []
}'

Create a role from a file containing a JSON description.

az keyvault role definition create --hsm-name MyHSM --role-definition @keyvault-role.json

Required Parameters

--hsm-name

Name of the HSM.

Property	Value
Parameter group:	Id Arguments

--role-definition

Description of a role as JSON, or a path to a file containing a JSON description.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--acquire-policy-token

Acquiring an Azure Policy token automatically for this resource operation.

Property	Value
Parameter group:	Global Policy Arguments

--change-reference

The related change reference ID for this resource operation.

Property	Value
Parameter group:	Global Policy Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault role definition delete

Edit

Delete a role definition.

az keyvault role definition delete --hsm-name
                                   [--acquire-policy-token]
                                   [--change-reference]
                                   [--name]
                                   [--role-id]

Required Parameters

--hsm-name

Name of the HSM.

Property	Value
Parameter group:	Id Arguments

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--acquire-policy-token

Acquiring an Azure Policy token automatically for this resource operation.

Property	Value
Parameter group:	Global Policy Arguments

--change-reference

The related change reference ID for this resource operation.

Property	Value
Parameter group:	Global Policy Arguments

--name -n

The role definition name. This is a GUID in the "name" property of a role definition.

--role-id

The role definition ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault role definition list

Edit

List role definitions.

az keyvault role definition list [--custom-role-only {false, true}]
                                 [--hsm-name]
                                 [--scope]

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--custom-role-only

Only show custom role definitions.

Property	Value
Default value:	False
Accepted values:	false, true

--hsm-name

Name of the HSM.

Property	Value
Parameter group:	Id Arguments

--scope

Scope at which the role assignment or definition applies to, e.g., "/" or "/keys" or "/keys/{keyname}".

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault role definition show

Edit

Show the details of a role definition.

az keyvault role definition show --hsm-name
                                 [--name]
                                 [--role-id]

Required Parameters

--hsm-name

Name of the HSM.

Property	Value
Parameter group:	Id Arguments

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--name -n

The role definition name. This is a GUID in the "name" property of a role definition.

--role-id

The role definition ID.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

az keyvault role definition update

Edit

Update a role definition.

az keyvault role definition update --hsm-name
                                   --role-definition
                                   [--acquire-policy-token]
                                   [--change-reference]

Examples

Update a role by a JSON string.

az keyvault role definition update --hsm-name MyHSM --role-definition '{
    "roleName": "My Custom Role",
    "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "id": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "description": "The description of the custom rule.",
    "actions": [],
    "notActions": [],
    "dataActions": [
        "Microsoft.KeyVault/managedHsm/keys/read/action",
        "Microsoft.KeyVault/managedHsm/keys/write/action",
        "Microsoft.KeyVault/managedHsm/keys/backup/action",
        "Microsoft.KeyVault/managedHsm/keys/create"
    ],
    "notDataActions": []
}'

Update a role from a file containing a JSON description.

az keyvault role definition update --hsm-name MyHSM --role-definition @keyvault-role.json

Required Parameters

--hsm-name

Name of the HSM.

Property	Value
Parameter group:	Id Arguments

--role-definition

Description of a role as JSON, or a path to a file containing a JSON description.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--acquire-policy-token

Acquiring an Azure Policy token automatically for this resource operation.

Property	Value
Parameter group:	Global Policy Arguments

--change-reference

The related change reference ID for this resource operation.

Property	Value
Parameter group:	Global Policy Arguments

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

Property	Value
Default value:	False

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property	Value
Default value:	False

--output -o

Output format.

Property	Value
Default value:	json
Accepted values:	json, jsonc, none, table, tsv, yaml, yamlc

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property	Value
Default value:	False

Feedback

Was this page helpful?