Verify reader role for a service principal

To verify whether a service principal has the Reader role on an Azure subscription, use the following Python script:

import sys

from azure.identity import DefaultAzureCredential
from azure.mgmt.authorization import AuthorizationManagementClient
from azure.core.exceptions import AzureError

def check_subscription_roles(subscription_id):
    """
    Check whether any role assignment in the subscription grants the
    Reader, Contributor, or Owner built-in role.
    Returns True if any of these roles is found, False otherwise.
    """
    # GUIDs of the built-in Azure role definitions
    ROLE_IDS = {
        "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
        "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
        "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
    }
    try:
        # Uses the identity from `az login` (or environment variables, if set)
        credential = DefaultAzureCredential()
        auth_client = AuthorizationManagementClient(credential, subscription_id)
        # Listing role assignments itself requires read access to the subscription,
        # so a principal without it fails here with an AzureError
        for assignment in auth_client.role_assignments.list_for_subscription():
            # role_definition_id is a full ARM path that ends in the role GUID
            role_def_id = assignment.role_definition_id or ""
            for role_name, role_id in ROLE_IDS.items():
                if role_id in role_def_id:
                    print(f"✓ Found {role_name} role for subscription: {subscription_id}")
                    return True  # Return immediately when any role is found
        return False  # No matching roles found
    except AzureError as e:
        print(f"Azure Error: {e}")
        return False
    except Exception as e:
        print(f"Error: {e}")
        return False

# Main execution
if __name__ == "__main__":
    subscription_id = "<your-subscription-id-here>"
    result = check_subscription_roles(subscription_id)
    if result:
        print("\n✓ True - Required reader role exists\n")
        sys.exit(0)
    else:
        print("\n✗ False - No required role found\n")
        sys.exit(1)
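The script above returns True as soon as any assignment in the subscription carries one of the three role GUIDs, whichever identity it belongs to and whatever its scope. The following added example (not part of the original page) shows the check a reviewer usually wants instead: match only the service principal's own object id, and count only assignments whose scope covers the whole subscription (the subscription itself or a management group above it), so a Contributor assignment on a single resource group does not pass as subscription-wide access. It runs offline against constructed assignment records; the Assignment dataclass, the sample GUIDs and the helper names are assumptions that stand in for the SDK's RoleAssignment objects.

```python
from dataclasses import dataclass

# Built-in role definition GUIDs, the same values the page's script uses.
ROLE_IDS = {
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
}
ROLE_NAMES = {guid: name for name, guid in ROLE_IDS.items()}

# Scopes at this prefix sit above subscriptions and therefore cover them.
MG_PREFIX = "/providers/microsoft.management/managementgroups/"


@dataclass
class Assignment:
    """The three RoleAssignment fields this check needs (constructed stand-in for the SDK object)."""
    principal_id: str
    role_definition_id: str
    scope: str


def role_guid(role_definition_id):
    """A role_definition_id is a full ARM path; the role GUID is its last segment."""
    return role_definition_id.rsplit("/", 1)[-1].lower()


def roles_for_principal(assignments, principal_id, subscription_id):
    """Return {role_name: scope} for Reader/Contributor/Owner assignments that give
    principal_id access to the whole subscription: assignments at the subscription
    scope itself or at a management group above it. Resource-group and resource
    scoped assignments are skipped because they do not cover the subscription."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    found = {}
    for a in assignments:
        if a.principal_id.lower() != principal_id.lower():
            continue  # assignment belongs to some other identity
        name = ROLE_NAMES.get(role_guid(a.role_definition_id))
        if name is None:
            continue  # a custom role or an unrelated built-in role
        scope = a.scope.lower()
        if scope == sub_scope or scope.startswith(MG_PREFIX):
            found[name] = a.scope
    return found


def has_reader_or_higher(assignments, principal_id, subscription_id):
    """True if the principal holds Reader, Contributor or Owner across the subscription."""
    return bool(roles_for_principal(assignments, principal_id, subscription_id))


# Constructed sample data (placeholder GUIDs, not real tenants or identities).
SUB = "00000000-0000-0000-0000-000000000001"
SP = "11111111-1111-1111-1111-111111111111"       # the service principal under test
ADMIN = "22222222-2222-2222-2222-222222222222"    # some other identity
ROLE_PATH = f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/"

SAMPLE_ASSIGNMENTS = [
    # Reader for the SP at subscription scope: the one the check should find.
    Assignment(SP, ROLE_PATH + ROLE_IDS["Reader"], f"/subscriptions/{SUB}"),
    # Contributor for the SP on one resource group: too narrow, must not count.
    Assignment(SP, ROLE_PATH + ROLE_IDS["Contributor"], f"/subscriptions/{SUB}/resourceGroups/rg-app"),
    # Owner for a different principal: the page's script would match this one too.
    Assignment(ADMIN, ROLE_PATH + ROLE_IDS["Owner"], f"/subscriptions/{SUB}"),
]

if __name__ == "__main__":
    roles = roles_for_principal(SAMPLE_ASSIGNMENTS, SP, SUB)
    print(f"Roles for {SP} covering subscription {SUB}: {roles}")
    print("Reader or higher:", has_reader_or_higher(SAMPLE_ASSIGNMENTS, SP, SUB))
```

Against the live API, the same logic applies to the objects returned by auth_client.role_assignments.list_for_subscription(); passing filter=f"principalId eq '{principal_id}'" narrows the listing to the service principal on the server side, where principal_id is the service principal's object id (not its client id), which az ad sp show --id <client-id> --query id -o tsv prints.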

Prerequisites

Install Python, pip, and the Azure CLI in your environment according to your operating system. The remaining commands are cross-platform.

Install dependencies

Run the following command:
pip3 install azure-identity azure-mgmt-authorization

Login by using the service principal

Run the following command and replace placeholders with your credentials:
az login --service-principal \
--username <client-id> \
--password <client-secret> \
--tenant <tenant-id>

Save the preceding Python script with the file name check_azure_reader.py. Replace <your-subscription-id-here> in the script with your actual subscription ID. The script returns True or False and prints whether the Reader role exists.

Run the script

Run the script by using the following Python command:
python3 check_azure_reader.py
Note: The Python and pip commands can vary (python or python3, pip or pip3) depending on the Python version installed in your environment. python3 and pip3 explicitly refer to Python 3.

Troubleshooting

If pip install fails with an externally-managed-environment error, use a virtual environment by running the following commands.

  1. To create a virtual environment, run the following command:
    python3 -m venv azure-env
  2. To activate a virtual environment, run the following commands:
    • On macOS or Linux:
      source azure-env/bin/activate
    • On Windows:
      azure-env\Scripts\activate
  3. To install the packages, run the following command:
    pip3 install azure-identity azure-mgmt-authorization
  4. To run your script, run the following command:
    python3 check_azure_reader.py
  5. To deactivate virtual environment, run the following command:
    deactivate