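    def test_role_assignment(self):
        """Round-trip one role assignment: create, get, list, delete, verify it is gone.

        The assignment binds the service principal that authenticates these
        requests to whichever role definition the HSM lists first at GLOBAL
        scope. Because that is a real permission grant on the managed HSM, the
        assignment is deleted in a ``finally`` block so a failing assertion in
        the middle of the test cannot leave the grant behind.
        """
        client = KeyVaultAccessControlClient(self.managed_hsm["url"],
                                             self.credential)

        scope = KeyVaultRoleScope.GLOBAL
        definitions = list(client.list_role_definitions(scope))
        # indexing an empty list below would raise a bare IndexError; make the
        # precondition explicit instead
        assert definitions, "HSM returned no role definitions at GLOBAL scope"

        # assign an arbitrary role to the service principal authenticating these requests
        definition = definitions[0]
        principal_id = self.get_service_principal_id()
        name = self.get_replayable_uuid("some-uuid")

        created = client.create_role_assignment(scope,
                                                definition.id,
                                                principal_id,
                                                role_assignment_name=name)
        try:
            assert created.name == name
            assert created.principal_id == principal_id
            assert created.role_definition_id == definition.id
            assert created.scope == scope

            # should be able to get the new assignment
            got = client.get_role_assignment(scope, name)
            assert got.name == name
            assert got.principal_id == principal_id
            assert got.role_definition_id == definition.id
            assert got.scope == scope

            # new assignment should be in the list of all assignments
            matching_assignments = [
                a for a in client.list_role_assignments(scope)
                if a.role_assignment_id == created.role_assignment_id
            ]
            assert len(matching_assignments) == 1
        finally:
            # delete the assignment even if an assertion above failed, so the
            # grant never outlives the test
            deleted = client.delete_role_assignment(scope, created.name)

        assert deleted.name == created.name
        assert deleted.role_assignment_id == created.role_assignment_id
        assert deleted.scope == scope
        assert deleted.role_definition_id == created.role_definition_id

        # the assignment must no longer be listed once deleted
        assert not any(a.role_assignment_id == created.role_assignment_id
                       for a in client.list_role_assignments(scope))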
                       not_data_actions=[KeyVaultDataAction.CREATE_HSM_KEY])
]
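unique_definition_name = role_definition.name
updated_definition = client.set_role_definition(scope=scope,
                                                name=unique_definition_name,
                                                role_name=role_name,
                                                permissions=new_permissions)
print("Role definition '{}' updated successfully.".format(
    updated_definition.role_name))

# Now let's create a role assignment to apply our role definition to our service principal.
# Since we don't provide the name keyword argument to create_role_assignment, a unique role assignment name (a GUID)
# is generated for us.
print("\n.. Create a role assignment")
# NOTE(review): the HSM keys role assignments on the principal's object ID;
# confirm this environment variable holds the value the HSM expects.
principal_id = os.environ["AZURE_CLIENT_ID"]
definition_id = updated_definition.id
role_assignment = client.create_role_assignment(scope=scope,
                                                definition_id=definition_id,
                                                principal_id=principal_id)
print("Role assignment created successfully.")

# Let's delete the role assignment.
print("\n.. Delete a role assignment")
client.delete_role_assignment(scope=scope, name=role_assignment.name)
print("Role assignment deleted successfully.")

# Finally, let's delete the role definition as well.
# The definition is addressed by the same name that set_role_definition used
# above (role_definition.name); its full ``id`` is a different value and is
# what create_role_assignment wants as definition_id.
print("\n.. Delete a role definition")
client.delete_role_definition(scope=scope, name=unique_definition_name)
print("Role definition deleted successfully.")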