Role Assignment
Introduction
Section titled “Introduction”Azure Role Assignments grant an identity (user, group, or service principal) the permissions defined by a role definition at a specific scope. Together with Role Definitions, Role Assignments form the foundation of Azure RBAC. They are commonly used to grant managed identities access to storage accounts, key vaults, and other Azure resources in infrastructure automation scenarios. For more information, see Assign Azure roles using the Azure CLI.
LocalStack for Azure provides a local environment for building and testing applications that make use of Azure Role Assignments. The supported APIs are available on our API Coverage section, which provides information on the extent of Role Assignments’ integration with LocalStack.
Getting started
Section titled “Getting started”This guide walks you through assigning a built-in role to a managed identity, listing assignments, and removing the assignment.
Launch LocalStack using your preferred method. For more information, see Introduction to LocalStack for Azure. Once the container is running, enable Azure CLI interception by running:
azlocal start-interceptionThis command points the az CLI away from the public Azure management REST API and toward the LocalStack for Azure emulator API.
To revert this configuration, run:
azlocal stop-interceptionThis reconfigures the az CLI to send commands to the official Azure management REST API.
Create a resource group
Section titled “Create a resource group”Create a resource group to hold all resources created in this guide:
az group create --name rg-rbac-demo --location westeurope{ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo", "location": "westeurope", "managedBy": null, "name": "rg-rbac-demo", "properties": { "provisioningState": "Succeeded" }, "tags": null, "type": "Microsoft.Resources/resourceGroups"}Create a user-assigned managed identity
Section titled “Create a user-assigned managed identity”Create a user-assigned managed identity to use as the role assignee:
az identity create \ --name my-identity \ --resource-group rg-rbac-demo{ "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity", "isolationScope": "None", "location": "westeurope", "name": "my-identity", "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "resourceGroup": "rg-rbac-demo", "systemData": null, "tags": {}, "tenantId": "00000000-0000-0000-0000-000000000000", "type": "Microsoft.ManagedIdentity/userAssignedIdentities"}Capture the identity’s principal ID:
PRINCIPAL_ID=$(az identity show \ --name my-identity \ --resource-group rg-rbac-demo \ --query principalId \ --output tsv)Assign a built-in role
Section titled “Assign a built-in role”Assign the Contributor role to the identity at the resource group scope:
SUBSCRIPTION_ID=$(az account show --query id --output tsv)az role assignment create \ --assignee "$PRINCIPAL_ID" \ --role Contributor \ --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/rg-rbac-demo"{ "condition": null, "conditionVersion": null, "createdBy": null, "createdOn": null, "delegatedManagedIdentityResourceId": null, "description": null, "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalType": "ServicePrincipal", "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo", "type": "Microsoft.Authorization/roleAssignments", "updatedBy": null, "updatedOn": null}List role assignments
Section titled “List role assignments”List all role assignments scoped to the resource group:
az role assignment list \ --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/rg-rbac-demo"[ { "condition": null, "conditionVersion": null, "createdBy": null, "createdOn": null, "delegatedManagedIdentityResourceId": null, "description": null, "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalType": "ServicePrincipal", "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo", "type": "Microsoft.Authorization/roleAssignments", "updatedBy": null, "updatedOn": null }]Filter by assignee
Section titled “Filter by assignee”Filter the role assignments to show only assignments for the managed identity’s principal ID:
az role assignment list \ --assignee "$PRINCIPAL_ID" \ --all[ { "condition": null, "conditionVersion": null, "createdBy": null, "createdOn": null, "delegatedManagedIdentityResourceId": null, "description": null, "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalType": "ServicePrincipal", "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo", "type": "Microsoft.Authorization/roleAssignments", "updatedBy": null, "updatedOn": null }]List all role assignments for the subscription
Section titled “List all role assignments for the subscription”List every role assignment across the entire subscription:
az role assignment list --all[ { "condition": null, "conditionVersion": null, "createdBy": null, "createdOn": null, "delegatedManagedIdentityResourceId": null, "description": null, "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalType": "ServicePrincipal", "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo", "type": "Microsoft.Authorization/roleAssignments", "updatedBy": null, "updatedOn": null }]Assign a Storage Blob Data Owner role on a storage account
Section titled “Assign a Storage Blob Data Owner role on a storage account”Create a storage account and assign the Storage Blob Data Owner role to the managed identity at the storage account scope.
This is a common pattern in infrastructure automation where a function app or container needs full access to a specific storage account.
az storage account create \ --name strblobdataowner \ --resource-group rg-rbac-demo \ --location westeurope \ --sku Standard_LRSCapture the storage account resource ID:
STORAGE_ID=$(az storage account show \ --name strblobdataowner \ --resource-group rg-rbac-demo \ --query id \ --output tsv)Assign Storage Blob Data Owner at the storage account scope:
az role assignment create \ --assignee "$PRINCIPAL_ID" \ --role "Storage Blob Data Owner" \ --scope "$STORAGE_ID"{ "condition": null, "conditionVersion": null, "createdBy": null, "createdOn": null, "delegatedManagedIdentityResourceId": null, "description": null, "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo/providers/Microsoft.Storage/storageAccounts/strblobdataowner/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalType": "ServicePrincipal", "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo/providers/Microsoft.Storage/storageAccounts/strblobdataowner", "type": "Microsoft.Authorization/roleAssignments", "updatedBy": null, "updatedOn": null}List assignments scoped to the storage account to verify:
az role assignment list --scope "$STORAGE_ID"[ { "condition": null, "conditionVersion": null, "createdBy": null, "createdOn": null, "delegatedManagedIdentityResourceId": null, "description": null, "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo/providers/Microsoft.Storage/storageAccounts/strblobdataowner/providers/Microsoft.Authorization/roleAssignments/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalName": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "principalType": "ServicePrincipal", "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", "roleDefinitionName": "Storage Blob Data Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-rbac-demo/providers/Microsoft.Storage/storageAccounts/strblobdataowner", "type": "Microsoft.Authorization/roleAssignments", "updatedBy": null, "updatedOn": null }]Delete a role assignment
Section titled “Delete a role assignment”Delete the role assignment and confirm it no longer appears in the list:
az role assignment delete \ --assignee "$PRINCIPAL_ID" \ --role Contributor \ --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/rg-rbac-demo"Enabling RBAC enforcement
Section titled “Enabling RBAC enforcement”By default, Azure RBAC on LocalStack is not enforced: role assignments and role definitions are stored, but every operation succeeds regardless of the assigned roles. Set LS_AZURE_ENFORCE_RBAC to true, yes, or 1 when starting the emulator to turn on enforcement.
With enforcement enabled:
- Control plane: every ARM request, across all Azure services and resource types, is checked against the caller’s role assignments at the target scope and denied with a
403if unauthorized. - Data plane: checked for Blob, Queue, and Table Storage, RBAC-mode Key Vault vaults (secrets and certificates only), and Event Grid publish/receive. Denials match the shape Azure returns for each service, for example a Storage
AuthorizationPermissionMismatchXML error or a Key VaultForbiddenByRbacerror. - Not covered yet, even with enforcement enabled: Storage File, the Service Bus data plane, Cosmos DB’s data plane, and Microsoft Entra database authentication for Azure SQL, PostgreSQL, and MySQL flexible servers. Requests to these continue to succeed regardless of role assignments.
The default SDK/Terraform service principal and the az CLI’s any-app principal are always treated as a Global Administrator and subscription Owner, and bypass data-plane checks by default too. To observe a deny, use a managed identity or service principal that assumes neither role — for example, the identity created in Create a user-assigned managed identity without a role assigned at the target scope.
Features
Section titled “Features”- Role assignment creation: Create role assignments by specifying an assignee principal ID, role name or ID, and scope.
- Assignment listing: List role assignments at subscription scope, resource group scope, or filtered by assignee.
- Assignee filtering: Filter assignments by principal ID or display name.
- Subscription-wide listing: Retrieve all role assignments across a subscription via
--all. - Role assignment deletion: Delete assignments by role name, assignee, and scope.
- Custom role support: Assign custom role definitions alongside built-in roles.
Limitations
Section titled “Limitations”- RBAC enforcement is opt-in: By default, role assignments are stored but not evaluated, and all operations succeed regardless of assigned roles. Set
LS_AZURE_ENFORCE_RBACto enable enforcement. - Condition-based assignments: Attribute-based access control (ABAC) conditions in assignments are accepted at the model level but are not evaluated.
- Deny assignments:
Microsoft.Authorization/denyAssignmentsare not supported. - Management group scopes: Assignments at management group scope are not supported.
Samples
Section titled “Samples”The following sample demonstrates how to use Azure Role Assignments with LocalStack for Azure:
API Coverage
Section titled “API Coverage”| Operation ▲ | Implemented ▼ |
|---|