1

Context

I want to get a resource's details with the Azure REST API. More particularly, I want to get the IAM associated with a resource.

Problem

So, I searched in the doc reference and found that endpoint: https://learn.microsoft.com/en-us/rest/api/resources/resources/get which provides an identity response attribute that meets my needs.

However, I can't find any information about the required path parameter parentResourcePath. What does that parameter mean and how can I get its value for a specific resource?

Also, when I tried going through the resource group path, I can get a path to the resource details but without the parentResourcePath parameter, and the response doesn't include the identity attribute.

Finally, am I going the right way (using GET resource API)? And if so, where can I find that parentResourcePath value?

Mehdi Benmoha

2 Answers

1

Actually, you have a better choice - Resources - Get By Id.

The path /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName} in the Resources - Get API is the resourceId that is used in Resources - Get By Id.

But if you combine the properties manually, it is not easy; Azure has many different resource providers and resource types.

Generally, you could find the resourceId in your resource in the portal -> Properties. Also, the response of this API will include the identity which you need.

Sample:

Get a web app resource.

The resourceId is like /subscriptions/xxxxxxx/resourceGroups/joywebapp/providers/Microsoft.Web/sites/joywebapp2.

You can click Try it in the doc to try the API.

Response:

[Screenshot of the response]

Joy Wang
  • Thanks for your answer, but the `UserAssignedIdentities` property doesn't exist in the get Resources endpoint. Even though it's in the documentation – Mehdi Benmoha May 27 '19 at 08:42
  • @MehdiBenmoha Are you sure? Per my test, it also works. See: https://i.stack.imgur.com/hGZlp.png – Joy Wang May 27 '19 at 08:49
  • Yes, here's my output from the Get Resource endpoint: https://i.imgur.com/R8J3EHj.png – Mehdi Benmoha May 27 '19 at 08:55
  • @MehdiBenmoha Did you add your User Assigned Identity to your web app? In your web app in the portal -> Identity -> User assigned (preview) -> Add. If you don't bind them together, it will not appear in that. – Joy Wang May 27 '19 at 08:57
  • @MehdiBenmoha I think you may not understand the usage of the managed identity. If you create a managed identity in the portal, it will create a service principal in your Azure AD tenant automatically. If you want to use it with a web app, you need to add it like the steps above. If you just use it as a normal service principal, it only represents itself, not the web app. – Joy Wang May 27 '19 at 09:08
  • Oh ok, I get it. I can't see any managed identity from the portal. But my question was more about fetching the IAM Access control associated to a resource. I am accepting this answer for now. – Mehdi Benmoha May 27 '19 at 09:12
0

Well, I made it through the Role assignment list for scope endpoint, giving the subscription/resourcegroup/resource in the scope. And the output contains a principalId attribute that seems to point to a user or group or service principal.

Ref: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/listforscope

Mehdi Benmoha
  • This reply is not the same thing as your question at all. I think my reply is correct enough, could you accept it? – Joy Wang May 27 '19 at 08:52
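
As an added illustration (not code from either answer): the sketch below splits a resource ID into the path parameters of Resources - Get, showing that parentResourcePath is the chain of parent type/name pairs and is empty for a top-level resource, then builds the Get By Id and role-assignment list-for-scope URLs and separates assignments made on the resource itself from inherited ones. The sample ID, the sample response and all function names are constructed for the example, and the caller supplies the api-version values.

```python
from urllib.parse import quote

ARM = "https://management.azure.com"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed sample data
SAMPLE_ID = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Sql/servers/sql1/databases/db1"
SAMPLE_RESPONSE = {"value": [   # constructed, trimmed to the fields used here
    {"properties": {"principalId": "11111111-1111-1111-1111-111111111111", "scope": SAMPLE_ID}},
    {"properties": {"principalId": "22222222-2222-2222-2222-222222222222", "scope": SUB}},
]}

def parse_resource_id(resource_id):
    """Split an ARM resource ID into the path parameters of Resources - Get."""
    parts = resource_id.strip("/").split("/")
    low = [p.lower() for p in parts]
    if (len(parts) < 8 or "" in parts or low[0] != "subscriptions"
            or low[2] != "resourcegroups" or low[4] != "providers"):
        raise ValueError("not a resource-group-scoped resource ID")
    tail = parts[6:]                       # alternating type/name pairs
    if len(tail) % 2:
        raise ValueError("type/name segments must come in pairs")
    return {
        "subscriptionId": parts[1],
        "resourceGroupName": parts[3],
        "resourceProviderNamespace": parts[5],
        # Empty for a top-level resource; "servers/sql1" for a child of sql1.
        "parentResourcePath": "/".join(tail[:-2]),
        "resourceType": tail[-2],
        "resourceName": tail[-1],
    }

def get_by_id_url(resource_id, api_version):
    parse_resource_id(resource_id)         # validate before building a URL
    return f"{ARM}/{quote(resource_id.strip('/'))}?api-version={api_version}"

def role_assignments_url(scope, api_version):
    return (f"{ARM}/{quote(scope.strip('/'))}/providers/Microsoft.Authorization"
            f"/roleAssignments?api-version={api_version}")

def split_assignments(response, resource_id):
    """Return (direct, inherited) principalIds for the given resource."""
    target = resource_id.strip("/").lower()
    direct, inherited = [], []
    for item in response.get("value", []):
        props = item["properties"]
        scope = props["scope"].strip("/").lower()
        if scope == target:
            direct.append(props["principalId"])
        elif scope == "" or target.startswith(scope + "/"):
            inherited.append(props["principalId"])   # parent scope or root "/"
    return direct, inherited
```

Role assignments whose scope lies below the resource are left out of both lists, so the result describes only who has access to the resource itself.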