https://github.com/demoray/azure-pim-cli

Unofficial CLI to list and enable Azure Privileged Identity Management (PIM) roles

Last synced: about 2 months ago

# Azure PIM CLI

Unofficial CLI to list and enable Azure Privileged Identity Management (PIM) roles

```
Usage: az-pim [OPTIONS]

Commands:
list List active or eligible assignments
activate Activate eligible role assignments
deactivate Deactivate eligible role assignments
delete Delete eligible role assignments
role Manage Azure role-based access control (Azure RBAC)
init Set up shell tab completions

Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help

-V, --version
Print version

```
## az-pim list

```
List active or eligible assignments

Usage: list [OPTIONS]

Options:
--active
List active assignments

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--filter
Filter to apply on the operation

Specifying `as-target` will return results for the current user.

Specifying `at-scope` will return results at or above the specified scope.

[default: as-target]
[possible values: at-scope, as-target]

--quiet
Only show errors

--subscription
Specify scope at the subscription level

--resource-group
Specify scope at the Resource Group level

This argument requires `subscription` to be set.

--provider
Specify scope at the Resource Provider level

This argument requires `subscription` and `resource_group` to be set.

--scope
Specify the full scope directly

-h, --help
Print help (see a summary with '-h')

```
### Example Usage

```
$ az-pim list
[
{
"role": "Owner",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
"scope_name": "My Subscription"
},
{
"role": "Storage Blob Data Contributor",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
"scope_name": "My Subscription"
}
]
$ az-pim list --active
[
{
"role": "Storage Blob Data Contributor",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
"scope_name": "My Subscription"
}
]
$
```

## az-pim activate

```
Activate eligible role assignments

Usage: activate [OPTIONS]

Commands:
role Activate a specific role
set Activate a set of roles
interactive Activate roles interactively

Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help

```
### az-pim activate role

```
Activate a specific role

Usage: role [OPTIONS]

Arguments:

Name of the role to activate


Justification for the request

Options:
--duration
Duration for the role to be active

Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes'

[default: "8 hours"]

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

--wait
Duration to wait for the roles to be activated

Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes'

--subscription
Specify scope at the subscription level

--resource-group
Specify scope at the Resource Group level

This argument requires `subscription` to be set.

--provider
Specify scope at the Resource Provider level

This argument requires `subscription` and `resource_group` to be set.

--scope
Specify the full scope directly

-h, --help
Print help (see a summary with '-h')

```
#### Example Usage

```
$ az-pim activate role Owner "developing pim" --subscription 00000000-0000-0000-0000-000000000000
2024-06-27T16:55:27.676291Z INFO az_pim: activating Owner in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$
```
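The `--duration` and `--wait` options above accept the same human-readable durations ('8h', '8 hours', '1h30m', '1 hour 30 minutes'). The Python parser below is an added example, not azure-pim-cli's own code: it shows one way to accept that syntax when wrapping `az-pim` in automation and to bound the requested activation to a ceiling before the request is made. The wider set of unit spellings and the 8-hour ceiling (`MAX_ACTIVATION`) are assumptions of this example; the tool's help only states the 8-hour default, and the real maximum comes from the PIM role policy.

```python
"""Parse the duration strings accepted by az-pim's --duration and --wait.

Added example; this is not azure-pim-cli's own parser. The README documents
'8h', '8 hours', '1h30m' and '1 hour 30 minutes'; the wider set of unit
spellings below and the activation ceiling are assumptions made here.
"""
import re
from datetime import timedelta

# Unit spellings mapped onto timedelta keyword arguments (assumed set).
_UNITS = {
    "h": "hours", "hr": "hours", "hrs": "hours", "hour": "hours", "hours": "hours",
    "m": "minutes", "min": "minutes", "mins": "minutes", "minute": "minutes",
    "minutes": "minutes",
    "s": "seconds", "sec": "seconds", "secs": "seconds", "second": "seconds",
    "seconds": "seconds",
}
# One "<number><unit>" group with optional whitespace around both parts,
# so '1h30m' and '1 hour 30 minutes' tokenise the same way.
_TOKEN = re.compile(r"\s*(\d+)\s*([A-Za-z]+)\s*")

# Assumed local ceiling for scripted activations. The real maximum is set by
# the PIM role policy; the tool's help only states the 8-hour default.
MAX_ACTIVATION = timedelta(hours=8)


def parse_duration(text):
    """Turn '1h30m' / '1 hour 30 minutes' into a timedelta, or raise ValueError."""
    text = text.strip()
    if not text:
        raise ValueError("empty duration")
    parts = {}
    pos = 0
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"unrecognised duration syntax near {text[pos:]!r}")
        value, unit = int(match.group(1)), match.group(2).lower()
        field = _UNITS.get(unit)
        if field is None:
            raise ValueError(f"unknown unit {unit!r}")
        if field in parts:
            raise ValueError(f"{field} specified twice")
        parts[field] = value
        pos = match.end()
    return timedelta(**parts)


def check_activation_duration(text, ceiling=MAX_ACTIVATION):
    """Parse and bound a requested activation; raises ValueError if out of policy."""
    duration = parse_duration(text)
    if duration <= timedelta(0):
        raise ValueError("activation duration must be positive")
    if duration > ceiling:
        raise ValueError(f"{text!r} exceeds the ceiling of {ceiling}")
    return duration


def is_valid_activation(text, ceiling=MAX_ACTIVATION):
    """True when the string parses and fits within the ceiling."""
    try:
        check_activation_duration(text, ceiling)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("8h", "8 hours", "1h30m", "1 hour 30 minutes", "9 hours", "30"):
        print(f"{sample!r:22} -> {'ok' if is_valid_activation(sample) else 'rejected'}")
```

Rejecting a value before it reaches `az-pim` keeps a wrapper script from requesting a longer activation than the team intends; the PIM policy still enforces its own maximum on the service side.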

### az-pim activate set

```
Activate a set of roles

This command can be used to activate multiple roles at once. It can be used with a config file or by specifying roles on the command line.

Usage: set [OPTIONS]

Arguments:

Justification for the request

Options:
--duration
Duration for the role to be active

Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes'

[default: "8 hours"]

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--config
Path to a JSON config file containing a set of roles to activate

Example config file:

[
  {
    "role": "Owner",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
  },
  {
    "role": "Owner",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"
  }
]

--quiet
Only show errors

--role
Specify a role to activate

Specify multiple times to include multiple key/value pairs

--concurrency
Concurrency rate

Specify how many roles to activate concurrently. This can be used to speed up activation of roles.

[default: 4]

--wait
Duration to wait for the roles to be activated

Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes'

-h, --help
Print help (see a summary with '-h')

```
#### Example Usage

```
$ az-pim activate set 'continued development' --role 'Owner=My Subscription'
2024-06-27T17:23:03.981067Z INFO azure_pim_cli: activating Owner in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$ cat config.json
[
{
"role": "Owner",
"scope_name": "My Subscription"
},
{
"role": "Storage Blob Data Contributor",
"scope_name": "My Subscription"
}
]
$ az-pim activate set 'continued development' --config ./config.json
2024-06-27T17:23:03.981067Z INFO azure_pim_cli: activating Owner in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
2024-06-27T17:23:03.981067Z INFO azure_pim_cli: activating Storage Blob Data Contributor in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$ az-pim list | jq 'map(select(.role | contains("Contributor")))' | az-pim activate set "deploying new code" --config /dev/stdin
2024-06-27T17:23:03.981067Z INFO azure_pim_cli: activating Storage Blob Data Contributor in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$
```
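The `az-pim list` output shown earlier is plain JSON with `role`, `scope` and `scope_name` keys, and `activate set --config` takes a JSON array of the same keys, which is why the `jq` pipeline above works. The script below is an added example, not code from azure-pim-cli: it does the same selection but validates the input and applies a local policy before anything is activated, so a broad pattern such as `Contributor` cannot quietly pull in an `Owner` assignment or a scope in another subscription. The deny-by-default `PRIVILEGED_ROLES` set and the `scope_prefix` guard are assumptions of this example, not features of the tool; the sample input is constructed to match the README's output.

```python
"""Build an az-pim `activate set --config` file from `az-pim list` output.

Added example; not part of azure-pim-cli. The sample input mirrors the JSON
shape shown in the README (role, scope, scope_name). The deny-by-default set
of highly privileged roles is a local policy choice assumed here, not a
setting of the tool.
"""
import json
import re
import sys

# Constructed sample: what `az-pim list` prints for eligible assignments.
SAMPLE_LIST_OUTPUT = json.dumps([
    {"role": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "scope_name": "My Subscription"},
    {"role": "Storage Blob Data Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "scope_name": "My Subscription"},
])

# Assumed local policy: these roles are never activated as part of a scripted
# batch; they get an explicit `az-pim activate role` with its own justification.
PRIVILEGED_ROLES = frozenset({"Owner", "User Access Administrator"})


def parse_list_output(text):
    """Parse and validate the JSON array printed by `az-pim list`."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of assignments")
    for entry in data:
        if not isinstance(entry, dict):
            raise ValueError(f"assignment is not an object: {entry!r}")
        for key in ("role", "scope"):
            if not isinstance(entry.get(key), str) or not entry[key]:
                raise ValueError(f"assignment missing {key!r}: {entry!r}")
    return data


def select_roles(assignments, role_pattern, scope_prefix=None):
    """Return (selected, skipped): the role/scope pairs the batch may activate.

    role_pattern: regex matched against the role name (case-insensitive).
    scope_prefix: if given, only scopes under this prefix are kept, so a
    pattern like 'Contributor' cannot pull in assignments in other subscriptions.
    Privileged roles are reported in `skipped` instead of being activated.
    """
    pattern = re.compile(role_pattern, re.IGNORECASE)
    selected, skipped = [], []
    for entry in assignments:
        if not pattern.search(entry["role"]):
            continue
        if scope_prefix and not entry["scope"].startswith(scope_prefix):
            continue
        if entry["role"] in PRIVILEGED_ROLES:
            skipped.append(entry["role"])
            continue
        # Keep only the two keys `activate set --config` needs.
        selected.append({"role": entry["role"], "scope": entry["scope"]})
    return selected, skipped


def build_config(text, role_pattern, scope_prefix=None):
    """Produce the JSON text for `az-pim activate set <justification> --config FILE`."""
    selected, skipped = select_roles(parse_list_output(text), role_pattern, scope_prefix)
    for role in skipped:
        print(f"skipping privileged role {role!r}; activate it explicitly", file=sys.stderr)
    return json.dumps(selected, indent=2)


if __name__ == "__main__":
    # Usage: az-pim list | python build_config.py 'Contributor' > config.json
    # Reads stdin when piped; falls back to the constructed sample otherwise.
    source = sys.stdin.read() if not sys.stdin.isatty() else ""
    pattern_arg = sys.argv[1] if len(sys.argv) > 1 else "Contributor"
    print(build_config(source if source.strip() else SAMPLE_LIST_OUTPUT, pattern_arg))
```

The resulting file is passed exactly as in the README: `az-pim activate set "deploying new code" --config config.json`, with the justification still supplied by the operator rather than baked into the script.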

### az-pim activate interactive

```
Activate roles interactively

Usage: interactive [OPTIONS]

Options:
--justification
Justification for the request

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--concurrency
Concurrency rate

Specify how many roles to activate concurrently. This can be used to speed up activation of roles.

[default: 4]

--quiet
Only show errors

--duration
Duration for the role to be active

Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes'

[default: "8 hours"]

--wait
Duration to wait for the roles to be activated

Examples include '8h', '8 hours', '1h30m', '1 hour 30 minutes'

-h, --help
Print help (see a summary with '-h')

```
## az-pim deactivate

```
Deactivate eligible role assignments

Usage: deactivate [OPTIONS]

Commands:
role Deactivate a specific role
set Deactivate a set of roles
interactive Deactivate roles interactively

Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help

```
### az-pim deactivate role

```
Deactivate a specific role

Usage: role [OPTIONS]

Arguments:

Name of the role to deactivate

Options:
--subscription
Specify scope at the subscription level

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

--resource-group
Specify scope at the Resource Group level

This argument requires `subscription` to be set.

--provider
Specify scope at the Resource Provider level

This argument requires `subscription` and `resource_group` to be set.

--scope
Specify the full scope directly

-h, --help
Print help (see a summary with '-h')

```
#### Example Usage

```
$ az-pim deactivate role "Storage Queue Data Contributor" --subscription 00000000-0000-0000-0000-000000000000
2024-06-27T17:57:53.462674Z INFO az_pim: deactivating Storage Queue Data Contributor in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$
```

### az-pim deactivate set

```
Deactivate a set of roles

Usage: set [OPTIONS]

Options:
--config
Path to a JSON config file containing a set of roles to deactivate

Example config file:

[
  {
    "role": "Owner",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
  },
  {
    "role": "Owner",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"
  }
]

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

--role
Specify a role to deactivate

Specify multiple times to include multiple key/value pairs

--concurrency
Concurrency rate

Specify how many roles to deactivate concurrently. This can be used to speed up deactivation of roles.

[default: 4]

-h, --help
Print help (see a summary with '-h')

```
#### Example Usage

```
$ az-pim deactivate set --role "Owner=My Subscription"
2024-06-27T17:57:53.462674Z INFO az_pim: deactivating Owner in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$ # deactivate all roles by listing active roles, then deactivating all of them
$ az-pim list | az-pim deactivate set --config /dev/stdin
2024-06-27T17:57:53.462674Z INFO az_pim: deactivating Storage Blob Data Contributor in My Subscription (/subscriptions/00000000-0000-0000-0000-000000000000)
$
```

### az-pim deactivate interactive

```
Deactivate roles interactively

Usage: interactive [OPTIONS]

Options:
--concurrency
Concurrency rate

Specify how many roles to deactivate concurrently. This can be used to speed up deactivation of roles.

[default: 4]

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help (see a summary with '-h')

```
## az-pim delete

```
Delete eligible role assignments

Usage: delete [OPTIONS]

Commands:
orphaned-entries Delete assignments whose principal cannot be found in Microsoft Graph

Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help

```
### az-pim delete orphaned-entries

```
Delete assignments whose principal cannot be found in Microsoft Graph

Usage: orphaned-entries [OPTIONS]

Options:
--subscription
Specify scope at the subscription level

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

--resource-group
Specify scope at the Resource Group level

This argument requires `subscription` to be set.

--provider
Specify scope at the Resource Provider level

This argument requires `subscription` and `resource_group` to be set.

--scope
Specify the full scope directly

--nested
Delete nested assignments

--yes
Always respond yes to confirmations

-h, --help
Print help (see a summary with '-h')

```
## az-pim role

```
Manage Azure role-based access control (Azure RBAC)

Usage: role [OPTIONS]

Commands:
assignment Manage role assignments
definition Manage role definitions
resources Commands related to resources in Azure

Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help

```
### az-pim role assignment

```
Manage role assignments

Usage: assignment [OPTIONS]

Commands:
list List assignments
delete Delete an assignment
delete-set Delete a set of assignments
delete-orphaned-entries Delete assignments whose principal cannot be found in Microsoft Graph

Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help

```
#### az-pim role assignment list

```
List assignments

Usage: list [OPTIONS]

Options:
--subscription
Specify scope at the subscription level

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

--resource-group
Specify scope at the Resource Group level

This argument requires `subscription` to be set.

--provider
Specify scope at the Resource Provider level

This argument requires `subscription` and `resource_group` to be set.

--scope
Specify the full scope directly

-h, --help
Print help (see a summary with '-h')

```
##### Example Usage

```
$ az-pim role assignment list --subscription 00000000-0000-0000-0000-000000000000
[
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000001",
"name": "00000000-0000-0000-0000-000000000001",
"properties": {
"createdOn": "2024-07-03T17:06:36.5812308Z",
"createdBy": "00000000-0000-0000-0000-000000000002",
"updatedOn": "2024-07-03T17:06:36.5812308Z",
"updatedBy": "00000000-0000-0000-0000-000000000003",
"roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000004",
"principalId": "00000000-0000-0000-0000-000000000005",
"principalType": "ServicePrincipal",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount"
},
"type": "Microsoft.Authorization/roleAssignments"
}
]
$
```

#### az-pim role assignment delete

```
Delete an assignment

Usage: delete [OPTIONS]

Arguments:

Assignment name

Options:
--subscription
Specify scope at the subscription level

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

--resource-group
Specify scope at the Resource Group level

This argument requires `subscription` to be set.

--provider
Specify scope at the Resource Provider level

This argument requires `subscription` and `resource_group` to be set.

--scope
Specify the full scope directly

-h, --help
Print help (see a summary with '-h')

```
##### Example Usage

```
$ az-pim role assignment delete 00000000-0000-0000-0000-000000000000 --subscription 00000000-0000-0000-0000-000000000001
$
```

#### az-pim role assignment delete-set

```
Delete a set of assignments

Usage: delete-set [OPTIONS]

Arguments:

Path to a JSON config file containing a set of assignments to delete

Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help

```
##### Example Usage

```
$ az-pim role assignment list --subscription 00000000-0000-0000-0000-000000000000 | jq 'map(select(.object | .==null)) [].id' | az-pim role assignment delete-set /dev/stdin
2024-07-09T18:54:48.903483Z INFO azure_pim_cli: listing assignments
2024-07-09T18:19:32.222267Z INFO azure_pim_cli: deleting assignment 00000000-0000-0000-0000-000000000001 from /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount
2024-07-09T18:19:32.222267Z INFO azure_pim_cli: deleting assignment 00000000-0000-0000-0000-000000000002 from /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount
$
```
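The pipeline above treats an assignment as orphaned when its `object` field is null, i.e. when the principal the assignment points at no longer exists in Microsoft Graph. The Python below is an added example, not part of azure-pim-cli: it performs the same selection with two checks a reviewer would want before deleting anything. It separates an assignment that was never looked up (no `object` key) from one whose principal is confirmed gone (`object` is null), which the `jq` filter does not distinguish, and it prints one review line per candidate before emitting the ids in the same one-per-line shape the `jq` filter feeds to `delete-set /dev/stdin`. It assumes the tool populates `object` from Graph; the sample input is constructed to match the README's output, with placeholder ids.

```python
"""Find orphaned role assignments in `az-pim role assignment list` output.

Added example, not part of azure-pim-cli. The README's jq filter treats an
assignment whose `object` is null as orphaned; the assumption here is that
the tool attaches the Microsoft Graph record of the principal under `object`
and leaves it null when no such principal exists any more. The sample input
is constructed to match the README's output shape (ids are placeholders).
"""
import json
import sys

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SA = SUB + "/resourcegroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount"

# Constructed sample output with the assumed `object` field.
SAMPLE_ASSIGNMENTS = json.dumps([
    {
        "id": SA + "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000001",
        "name": "00000000-0000-0000-0000-000000000001",
        "properties": {
            "principalId": "00000000-0000-0000-0000-000000000005",
            "principalType": "ServicePrincipal",
            "scope": SA,
        },
        "object": None,  # assumed: Graph lookup returned nothing (principal deleted)
    },
    {
        "id": SUB + "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000002",
        "name": "00000000-0000-0000-0000-000000000002",
        "properties": {
            "principalId": "00000000-0000-0000-0000-000000000006",
            "principalType": "User",
            "scope": SUB,
        },
        "object": {"displayName": "example user"},  # assumed: principal still exists
    },
    {
        "id": SUB + "/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000003",
        "name": "00000000-0000-0000-0000-000000000003",
        "properties": {
            "principalId": "00000000-0000-0000-0000-000000000007",
            "principalType": "Group",
            "scope": SUB,
        },
        # no "object" key at all: the lookup was never performed
    },
])


def load_assignments(text):
    """Parse the JSON array printed by `az-pim role assignment list`."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of role assignments")
    return data


def orphaned_assignments(assignments):
    """Return (orphans, unchecked).

    An assignment is orphaned only when `object` is present and null. Entries
    with no `object` key are returned separately as unchecked rather than
    queued for deletion: a missing lookup is not evidence the principal is gone.
    """
    orphans, unchecked = [], []
    for entry in assignments:
        if "object" not in entry:
            unchecked.append(entry)
        elif entry["object"] is None:
            orphans.append(entry)
    return orphans, unchecked


def describe(entry):
    """One review line per assignment, in the style of the tool's confirmation prompt."""
    props = entry.get("properties", {})
    return (f"{entry['name']} principal:{props.get('principalId')} "
            f"(type: {props.get('principalType')}) scope:{props.get('scope')}")


def format_ids(entries):
    """One JSON-encoded id per line, the same shape the README's jq filter emits."""
    return "\n".join(json.dumps(entry["id"]) for entry in entries)


if __name__ == "__main__":
    # Usage: az-pim role assignment list --subscription <SUB> | python orphans.py
    # Review lines go to stderr and ids to stdout, so stdout can be piped to
    # `az-pim role assignment delete-set /dev/stdin` once the list is reviewed.
    source = sys.stdin.read() if not sys.stdin.isatty() else ""
    orphans, unchecked = orphaned_assignments(load_assignments(source or SAMPLE_ASSIGNMENTS))
    for entry in orphans:
        print("orphaned:  " + describe(entry), file=sys.stderr)
    for entry in unchecked:
        print("unchecked: " + describe(entry), file=sys.stderr)
    print(format_ids(orphans))
```

Keeping the review output on stderr means the stdout stream contains only ids, so the command stays composable with the `delete-set /dev/stdin` form in the README while the operator still sees what is about to be removed.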

#### az-pim role assignment delete-orphaned-entries

```
Delete assignments whose principal cannot be found in Microsoft Graph

Usage: delete-orphaned-entries [OPTIONS]

Options:
--subscription
Specify scope at the subscription level

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

--resource-group
Specify scope at the Resource Group level

This argument requires `subscription` to be set.

--provider
Specify scope at the Resource Provider level

This argument requires `subscription` and `resource_group` to be set.

--scope
Specify the full scope directly

--nested
Delete nested assignments

--yes
Always respond yes to confirmations

-h, --help
Print help (see a summary with '-h')

```
##### Example Usage

```
$ az-pim role assignment delete-orphaned-entries --subscription 00000000-0000-0000-0000-000000000001
2024-07-09T19:54:45.843289Z INFO azure_pim_cli: listing assignments
2024-07-09T19:54:48.142932Z INFO azure_pim_cli: listing role definitions
2024-07-09T19:54:48.421671Z INFO az_pim: Are you sure you want to delete role: "Storage Queue Data Contributor" principal:00000000-0000-0000-0000-000000000000 (type: ServicePrincipal) scope:/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount? (y/n):
y
$
```

### az-pim role definition

```
Manage role definitions

Usage: definition [OPTIONS]

Commands:
list List the definitions for the specific scope

Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help

```
#### az-pim role definition list

```
List the definitions for the specific scope

Usage: list [OPTIONS]

Options:
--subscription
Specify scope at the subscription level

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

--resource-group
Specify scope at the Resource Group level

This argument requires `subscription` to be set.

--provider
Specify scope at the Resource Provider level

This argument requires `subscription` and `resource_group` to be set.

--scope
Specify the full scope directly

-h, --help
Print help (see a summary with '-h')

```
##### Example Usage

```
$ az-pim role definition list --subscription 00000000-0000-0000-0000-000000000000
[
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000001",
"name": "00000000-0000-0000-0000-000000000001",
"properties": {
"assignableScopes": [
"/"
],
"createdOn": "2018-11-29T18:46:55.0492387Z",
"updatedOn": "2018-11-29T18:46:55.0492387Z",
"description": "my custom role",
"permissions": [
{
"actions": [
"Microsoft.Compute/*/read",
"Microsoft.Network/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "my custom name",
"type": "CustomRole"
},
"type": "Microsoft.Authorization/roleDefinitions"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000007",
"name": "00000000-0000-0000-0000-000000000007",
"properties": {
"assignableScopes": [
"/"
],
"createdOn": "2017-12-21T00:01:24.7972312Z",
"updatedOn": "2021-11-11T20:13:54.9397456Z",
"description": "Allows for read, write and delete access to Azure Storage blob containers and data",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Contributor",
"type": "BuiltInRole"
},
"type": "Microsoft.Authorization/roleDefinitions"
}
]
$
```

### az-pim role resources

```
Commands related to resources in Azure

Usage: resources [OPTIONS]

Commands:
list List the child resources of a resource to which you have eligible access

Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help

```
#### az-pim role resources list

```
List the child resources of a resource to which you have eligible access

Usage: list [OPTIONS]

Options:
--subscription
Specify scope at the subscription level

--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

--resource-group
Specify scope at the Resource Group level

This argument requires `subscription` to be set.

--provider
Specify scope at the Resource Provider level

This argument requires `subscription` and `resource_group` to be set.

--scope
Specify the full scope directly

-h, --help
Print help (see a summary with '-h')

```
##### Example Usage

```
$ az-pim role resources list --subscription 00000000-0000-0000-0000-000000000000
[
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/DefaultResourceGroup-EUS",
"name": "DefaultResourceGroup-EUS",
"type": "resourcegroup"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/DefaultResourceGroup-SUK",
"name": "DefaultResourceGroup-SUK",
"type": "resourcegroup"
}
]
```

## az-pim init

```
Set up shell tab completions

This command will generate shell completions for the specified shell.

Usage: init [OPTIONS]

Arguments:

[possible values: bash, elvish, fish, powershell, zsh]

Options:
--verbose...
Increase logging verbosity. Provide repeatedly to increase the verbosity

--quiet
Only show errors

-h, --help
Print help (see a summary with '-h')

```
### Example Usage

```
$ # In bash shell
$ eval $(az-pim init bash)
$ # In zsh shell
$ source <(az-pim init zsh)
```