Creating a Service Principal

If you just want to get started as quickly as possible with a service principal for Azure, using a client secret and permissive RBAC settings, run the following commands (redacting values as required):

Why use a Service Principal anyway

For running a few ad hoc commands from the command line, a human user account (a user principal) is fine; typically this means calling the az login command from a terminal, which launches a web-based login in the background. For any serious use case, though, that is not a sustainable DevOps practice. For automation, a service principal is required to run tasks such as:

  • Continuous Integration tasks (e.g. blob storage access)
  • Continuous Deployment tasks (e.g. deployment of a VM)
  • Infrastructure as Code deployments (e.g. using Terraform)
  • Running scheduled tasks
  • Accessing Azure Key Vault or Azure Blob Storage from a running application, in application code, using the Azure SDKs

Anatomy of a Service Principal

A service principal does not exist in isolation. It is a 'security principal', an identity that represents an Azure Active Directory application in a given tenant. By default, a service principal is created in the default tenant along with the application object. As Azure Active Directory is multi-tenant, further service principals can be created for additional tenants should the requirement arise.

Service Principal and authentication

A service principal can authenticate using one of:

  • A client secret
  • A client certificate (X.509 self-signed certificate)

Generally, I prefer to create an Azure service principal with a self-signed client certificate.

From a security perspective, it is vital to keep both secrets and certificates secure. This can be done by encrypting the data with Mozilla sops.

Azure Terraform Provider

Terraform is a declarative language for defining infrastructure, and I normally prefer it for creating all kinds of infrastructure.

Terraform itself still requires a service principal to get started, which is a chicken-and-egg situation.

The service principal used by the azuread_service_principal Terraform module requires the User Account Administrator role. From a security perspective, using such a highly privileged service principal requires careful scrutiny.

Creating an Azure Application

Prerequisites

  • Azure CLI. The installation instructions for the az CLI on Ubuntu can be found here.

Login with a user principal

This will return the following information, revealing the user, the default tenant and the default subscription.

Ensure the Correct Azure Subscription is selected

If you need to use a subscription other than the default one selected at login, set it as follows:

Note: You can check which subscriptions are available by running az account list.

Create the Azure application

Docs for az ad app create

The extract below shows some of the important fields from the HTTP response, including the appId and the objectId.

Note: You can check which apps already exist by running:

Creating the Service Principal

The service principal is created next and associated with the previously created app. Either the appId or the objectId can be used to identify the app the service principal belongs to.

Docs for az ad sp create

Extract from the json response:

Credentials creation with a client secret

So far no credentials have been created for the service principal. Let's take a look:

Docs for az ad sp credential list

The response is an empty list, confirming that no credentials have been created yet.

Create new credentials with a client secret

The response is as follows:

Once these credentials are returned, you will need to store them somewhere secure for later retrieval, ideally in an encrypted format.

Running the following command again will reveal the credentials:

Note: If you use the Terraform Azure provider, the credentials above correspond to the following names in Terraform:

Credentials creation with a client certificate

Creating a certificate using the Azure CLI

The easy way is to have the Azure CLI create a certificate for you. Let's append new credentials by creating a public certificate and private key with the Azure CLI.

Note: With the --append argument, the previous secret-based credentials are not overwritten. Omit --append if you want to use a client certificate only and replace the previous credentials.

The output is as follows:

The value of fileWithCertAndPrivateKey is the path to a file containing the public certificate and the private key. This file should be stored safely, ideally in an encrypted format: it is the key to the kingdom, although we will be reducing the dominion of that kingdom later by employing RBAC and setting roles on the service principal.

Creating a certificate with your own certificate authority

You can also create your own certificate and private key with your own certificate authority and use them as the service principal credentials.

In this guide, I will create a certificate authority to issue the Azure service principal certificate. If you already have your own certificate authority, you can skip this step. Basically, this means using your own PKI (public key infrastructure).

You can keep the files ca.pem and ca-key.pem for further use as your certificate authority. The file ca-key.pem is the private key and should be kept very safe, ideally in an encrypted format.

The next step is to create the new service principal private key and certificate.

Running the last command generates a private key file cert-key.pem and a public certificate cert.pem. Be sure to store these files in a safe location, ideally encrypted. Azure requires these two files to be concatenated together to log in as a service principal; the login process is demonstrated later.

Now we are ready to create the service principal credentials with the self-signed certificate as follows:

Given the complexity of creating your own public key infrastructure and generating the certificates, it is probably easier to create a certificate using the Azure CLI as outlined earlier.

Roles assignment and RBAC

Role Based Access Control (RBAC) allows DevOps and software engineers to create service principals that follow the principle of least privilege. There are two ways to approach assigning roles to an Azure service principal:

  • Assign built-in roles
  • Assign a custom role definition

After the service principal has been associated with the app in the default tenant, no roles have yet been assigned to it. Roles are how access control works in Azure. Let's take a look at the roles assigned so far:

Docs for az role assignment list

Assigning a built-in role to a service principal

The Contributor built-in role is highly permissive; avoid it when possible and assign the minimal roles necessary instead. For example, if an application only requires read access to an Azure Blob Storage container, then Storage Blob Data Reader is all that is required. Assigning multiple restrictive built-in roles is also possible and is better than applying the highly permissive Contributor role.

The --scope argument reduces the access of the service principal even further: it can be restricted to specific subscription(s) and, more fine-grained still, to specific resource group(s).

By using a sensible combination of roles and scopes, the overall security of operations in the cloud is enhanced. In the unlikely event that a service principal is compromised, the potential for malicious activity is confined to the smallest possible range of resources.

Assigning a custom role definition to a service principal

An entirely custom role can be built from scratch and assigned to a service principal. This is a very powerful approach to RBAC for a service principal because it gives the cloud operator fine-grained control over which permissions are granted.

Once the credential creation and RBAC assignment steps are complete, the service principal is ready to use and can be tested to verify that it works correctly.

While still logged in as a user principal, you can set some variables in the terminal before logging out of Azure.

At this stage, log out of your user principal account.

Logging in with a client secret

Logging in with an Azure-generated client certificate

When you ran the az CLI command to create client certificate credentials as outlined above, the JSON response included the key/value pair "fileWithCertAndPrivateKey": "<path_to_pem>". That file contains the private key and the public certificate in a single file.

To log in, pass the file path in the password field of the az login command as follows:

Logging in with a self-signed client certificate

Assuming that cert-key.pem is the private key and cert.pem is the public certificate, Azure requires that they are concatenated into a single file and the path of that concatenated file passed in the password field for login.

Now that your service principal is set up, it's time to use it for some Terraform automation.
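The whole procedure above as one added example script (not the guide's own commands): it creates the app and service principal, adds a CLI-generated certificate credential, grants one narrowly scoped built-in role instead of Contributor, and logs in with a self-signed certificate. It assumes an Azure CLI recent enough that az ad sp create reports the object id as id (older releases called it objectId), an existing az login with permission to create applications and role assignments, and placeholder names throughout.

```shell
#!/usr/bin/env sh
# Added example (not the guide's own commands): app + service principal + certificate
# credential + least-privilege role, then login as the service principal.
# Assumptions: az CLI where `az ad sp create` returns the object id as `id`; an existing
# `az login` with rights to create applications and role assignments; placeholder names.
# Usage: sh sp.sh create <appName> <subscriptionId> <resourceGroup>
#        sh sp.sh login  <appId> <tenantId> <cert-key.pem> <cert.pem>
set -eu

# Build an RBAC scope: subscription, optionally narrowed to a resource group and a
# provider path such as Microsoft.Storage/storageAccounts/<account>.
sp_scope() {
  scope="/subscriptions/$1"
  [ -n "${2:-}" ] && scope="$scope/resourceGroups/$2"
  [ -n "${3:-}" ] && scope="$scope/providers/$3"
  printf '%s\n' "$scope"
}

# Concatenate private key and certificate into the single PEM file `az login` expects for
# a self-signed client certificate, refusing inputs that lack the expected PEM blocks.
sp_login_pem() {
  key=$1 cert=$2 out=$3
  grep -q 'BEGIN .*PRIVATE KEY' "$key" || { echo "$key: no private key block" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "$cert: no certificate block" >&2; return 1; }
  ( umask 077; cat "$key" "$cert" > "$out" )   # key material: owner-readable only
}

# Create the app and its service principal, let the CLI generate a certificate credential,
# and grant one narrowly scoped built-in role instead of Contributor.
sp_create() {
  app_name=$1 sub=$2 rg=$3
  az account set --subscription "$sub"
  app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  # --create-cert writes key + cert to the path reported as fileWithCertAndPrivateKey
  pem=$(az ad sp credential reset --id "$app_id" --create-cert --years 1 \
          --query fileWithCertAndPrivateKey -o tsv)
  az role assignment create --assignee-object-id "$sp_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Reader" --scope "$(sp_scope "$sub" "$rg")" >/dev/null
  printf 'appId=%s\nobjectId=%s\ncertificate=%s (store encrypted, e.g. with sops)\n' \
    "$app_id" "$sp_id" "$pem"
}

# Log in as the service principal with a self-signed certificate (cert-key.pem + cert.pem),
# then show that the current account is the service principal, not a user.
sp_login() {
  app_id=$1 tenant=$2
  sp_login_pem "$3" "$4" ./sp-login.pem
  az login --service-principal -u "$app_id" -p ./sp-login.pem --tenant "$tenant" >/dev/null
  az account show --query "{tenant:tenantId, principal:user.name, type:user.type}" -o table
}

case "${1:-}" in
  create) shift; sp_create "$@" ;;
  login)  shift; sp_login "$@" ;;
  "")     ;;   # no arguments: just define the functions (allows sourcing)
  *)      echo "usage: $0 create <appName> <subscriptionId> <resourceGroup> | login <appId> <tenantId> <key.pem> <cert.pem>" >&2; exit 2 ;;
esac
```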


How to find all the Azure Built-In Roles for Azure RBAC with Azure CLI, PowerShell, Docs, or AzAdvertizer

Here are a bunch of ways you can find which roles are built into Azure. This comes in super handy when you need to assign a role to a service principal or user with Azure CLI commands like this:

  • Query the big honking JSON
  • Query all, but only return Name and Id in a nice table
  • Filter by name contains:

This one filters for roles with "Map" in the name:

Azure PowerShell

https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azroledefinition?view=azps-3.8.0

This page has all the built in roles: https://docs.microsoft.com/azure/role-based-access-control/built-in-roles

AzAdvertizer

Just found this site today, by Julian Hayward. It's a great way to find roles:

https://www.azadvertizer.net/azrolesadvertizer_all.html


Manage Azure Role Assignments Like a Pro with PowerShell


Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple cmdlets to get or set role assignments in your Azure subscriptions.

PowerShell examples for managing Azure Role assignments

The examples cover:

  • List all role assignments in a subscription
  • Get all role assignments for a specific resource group
  • Get all role assignments for a specific user
  • Add a role assignment to a user
  • Remove a role assignment for a user
  • Remove all role assignments for a specific user
  • List all built-in roles
  • List all custom roles
  • Create a custom role
  • Update a custom role
  • Delete a custom role
  • List all users or groups assigned to a specific role
  • List all permissions granted by a specific role
  • List all resource groups that a user has access to
  • Create a role assignment for a service principal
  • A PowerShell script to manage Azure role assignments

And now there is a script that combines some of these examples into one usable function:

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic


Assigning Service Principals to Groups and Roles with the Azure CLI

The more I use Azure the more often I find myself needing to assign various managed identities / service principals to various groups and roles, and while that can be done in the Portal, it's cumbersome and I'd prefer to automate it.

So in this post I'll share a few Azure CLI commands that should prove useful whenever you're configuring service principals.

Getting a service principal's object id

Suppose you know the name of the service principal but not its "object id", which is required for assigning it to groups and roles. You can use a filter with the az ad sp list command to find that service principal, and then a query to pick out just the object id.

Note that you should avoid using the query parameter to find the matching name: that will likely fail, as the query only applies to the first page of results.

Note that the object id is different from the app id. If you need the app id for any reason, just change the query parameter:

Adding to a group

Suppose we want to add the service principal to a group. We need the group id for that, and if we need to look it up we can do so with the az ad group list command and a filter.

Then the az ad group member add command adds the object id of our service principal to the group.

Creating a role assignment

If we want to create a role assignment, then as well as knowing the user we're assigning the role to and the name of the role, we also need to provide a "scope" for it to apply to. This is typically a long /-delimited path to an Azure resource. For a Key Vault it might look like this:

You can construct this string yourself, but it is quite often just the "id" of the resource as returned by the Azure CLI. So we could get the above value with the following command:

Now that we have the scope, we can use az role assignment create to assign the role to our service principal, passing the role name directly (in this example "Key Vault Administrator"):

Hope this proves useful to you.
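The lookups and assignment above, together with the role search from the earlier "How to find all the Azure Built-In Roles" section, as one added example (not the post's own commands): server-side --filter lookups with properly quoted OData literals, the group add, and a role assignment scoped to a Key Vault's resource id. It assumes an az login with directory read rights and permission to manage the group and create role assignments; all names are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not the post's own commands): find a service principal and a group by
# display name, add the principal to the group, and assign a role scoped to one Key Vault.
# Assumptions: an existing `az login` with directory read rights and permission to manage
# the group and create role assignments; all names are placeholders.
# Usage: sh sp_access.sh <spDisplayName> <groupDisplayName> <keyVaultName> [roleName]
set -eu

# Quote a value as an OData string literal for --filter (single quotes are doubled), so a
# display name such as O'Brien's app cannot break or alter the filter expression.
odata_eq() {
  escaped=$(printf '%s' "$2" | sed "s/'/''/g")
  printf "%s eq '%s'\n" "$1" "$escaped"
}

# --filter is evaluated server-side; --query only sees the page of results az returns,
# so a name match done with --query alone can silently miss the principal.
sp_object_id() {   # object id: what group and role-assignment APIs want
  az ad sp list --filter "$(odata_eq displayName "$1")" --query "[0].id" -o tsv
}
sp_app_id() {      # appId (client id): what `az login -u` wants
  az ad sp list --filter "$(odata_eq displayName "$1")" --query "[0].appId" -o tsv
}
group_object_id() {
  az ad group list --filter "$(odata_eq displayName "$1")" --query "[0].id" -o tsv
}

# Stop on an empty lookup rather than passing "" on to az, which fails later with a
# less helpful error.
require_id() {
  [ -n "$2" ] || { echo "$1: not found" >&2; return 1; }
  printf '%s\n' "$2"
}

# Built-in roles whose name contains a substring, e.g. find_roles "Key Vault".
find_roles() {
  az role definition list --query "[?contains(roleName, '$1')].{Name:roleName, Id:name}" -o table
}

main() {
  sp_name=$1 group_name=$2 vault=$3 role=${4:-"Key Vault Administrator"}
  sp_id=$(require_id "service principal $sp_name" "$(sp_object_id "$sp_name")")
  group_id=$(require_id "group $group_name" "$(group_object_id "$group_name")")
  # A resource id is already a valid RBAC scope string.
  scope=$(require_id "key vault $vault" "$(az keyvault show --name "$vault" --query id -o tsv)")

  az ad group member add --group "$group_id" --member-id "$sp_id"
  # Prefer a data-plane role such as "Key Vault Secrets User" when the principal only
  # needs to read secrets; Key Vault Administrator is the post's example, not a recommendation.
  az role assignment create --assignee-object-id "$sp_id" \
    --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope" \
    --query "{principal:principalName, role:roleDefinitionName, scope:scope}" -o table
}

if [ $# -gt 0 ]; then main "$@"; fi
```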


PowerShell Basics: Query Azure Role Based Access Control Assignments

Topics: the scenario; what role-based access control somebody has; Azure deny assignments.

A great way to learn PowerShell is to set up a scenario in the Azure portal, then try different PowerShell commands to see if you can get the same results. In this article, we'll use Azure Role Based Access control, as it's both visible in the Azure Portal and we have some PowerShell commands for it.

If you're taking over an existing Azure environment, or if your organization has been running Azure for a while without enforcing consistency in your Role Based Access Control, you might want to explore your existing RBAC assignments at scale or query the permissions of a specific user. RBAC assignments are displayed in the Access control (IAM) blade of Azure resources, resource groups and subscriptions. Because you can assign a role to a user (or group) on an individual resource, their roles and permissions across your Azure environment may vary, and it's time consuming to check the IAM blade of everything.

Fortunately, we can use PowerShell commands and different display formats, to get the data we want. For the purposes of learning PowerShell, you can use the Azure portal to set up RBAC for different test users (and as part of group memberships) on your resources, resource groups and subscription, so you know what results the PowerShell commands should return.

To keep things simple, I'm running these commands in Cloud Shell inside the Azure Portal.

PowerShell: Get-AzRoleAssignment

Azure RBAC is supported by a number of PowerShell commands, but for this scenario our friend is Get-AzRoleAssignment.

Looking at the structure of PowerShell, because this is a "Get" command, it's going to query Azure for some information and return the results to us. "AzRoleAssignment" is the base for this command. The command also has a "New-" variation, for adding a new assignment, and a "Remove-" variation for removing a role assignment.

Note: If you see older blogs or scripts using “Get-AzureRmRoleAssignment”, that was an earlier name for this command before the Az updates. You can often replace the AzureRm bit with just Az, but not in every case as some commands have been deprecated.

If you have multiple subscriptions, Cloud Shell will default to one of them, and your commands will query that subscription and its associated resources. You can run Get-AzContext to see which subscription is selected, and run Set-AzContext -SubscriptionName "My other subscription" to change to a different one. (Note I've placed the actual name of my other subscription in its own set of brackets because it has spaces in it.)

Let's start by just running this command and getting a list of all of the RBAC assignments:

Next, let's narrow that down so we are only looking at role assignments for one particular user. The Get-AzRoleAssignment command has a range of parameters we can add that act as a filter. We'll use SignInName, which you can find in the user's details in Azure Active Directory if you don't know the exact format (replace my steve.l example name):

This gives us a long list of Steve's role assignments:

The default display for Get-AzRoleAssignment for a single user

Now I want to play with the formatting to make it a little more readable on screen.

I can format the output of this PowerShell command a few different ways, including as a list or as a table. The output above shows me all of the information that is returned by the query, though, so I can use that to further refine the display:

I'm using the 'pipe' character | (Shift + on my keyboard), then the short version of the format-list command, then listing just the properties I want displayed (DisplayName, RoleDefinitionName and Scope). The pipe tells the first command to send its output to the second command.

Get-AzRoleAssignment with the output formatted as a list

For more formatting command examples, visit Using Format Commands to Change Output View .

Hmm, that could still be a pretty long list if Steve had more role assignments. Let's try a table view instead with “ format-table ” or FT for short:

Get-AzRoleAssignment formatted as a table

That's better! So, Steve has a pretty high level of access at the top level of my subscription (Owner) plus a Log Analytics Reader role assignment which isn't needed – I can go and tidy that up. But if I run that same command for a different user, I'm seeing a different scope:

Azure RBAC at the management group level

Sonia's account is showing the scope as the SCuffSubsMG, not the subscription ID. That's because her Owner access to the current subscription is determined by a role assignment that has been added at the management group level, and as this subscription belongs to that management group, the role assignment is inherited too.

There's one more important thing we need to include: what if our user is a member of a group that has been assigned a role? Our commands so far won't include that. We need to add -ExpandPrincipalGroups.

Get-AzRoleAssignment with ExpandPrincipalGroups for group membership role assignments

Now I can see that as well as being listed as an individual with the Virtual Machine Contributor role to VM CA01, Sarah is also a member of the IT_KeyVaultAdmins group, who have Key Vault Administrator access to the KV-BNE-01 key vault.

There's one type of Azure role assignment that won't display with Get-AzRoleAssignment, and that's an Azure deny assignment. You can't manually assign someone a deny assignment; they are created and used by Azure to protect system-managed resources. Azure Blueprints and Azure managed apps are the only way they can be created.

You can query where they are being used in your subscription with the Get-AzDenyAssignment command.

Now you've learnt about the capabilities and structure of this command, go and explore with different command parameters. If you get stuck, visit List Azure role assignments using PowerShell  or  Remove Azure role assignments for more inspiration.

Get-AzRoleAssignment has the full command syntax, parameters, inputs and outputs.

And many of the basic PowerShell concepts we've explored here, like Get/Set/Remove and output formatting, are applicable to a ton of other PowerShell commands too. You're now on your way to understanding and exploring more of PowerShell, especially for scenarios where you can't easily retrieve the same information in the Azure portal.

This article was originally published by Microsoft's SQL Server Blog. You can find the original article here.


Get-AzRoleAssignment

Lists Azure RBAC role assignments at the specified scope. By default it lists all role assignments in the selected Azure subscription. Use respective parameters to list assignments to a specific user, or to list assignments on a specific resource group or resource.

Depending on the input parameters, the cmdlet may call the following Microsoft Graph APIs:

  • GET /users/{id}
  • GET /servicePrincipals/{id}
  • GET /groups/{id}
  • GET /directoryObjects/{id}
  • POST /directoryObjects/getByIds

Note that this cmdlet marks ObjectType as Unknown in the output if the object of the role assignment is not found or the current account has insufficient privileges to read the object type.

Description

Use the Get-AzRoleAssignment command to list all role assignments that are effective on a scope. Without any parameters, this command returns all the role assignments made under the subscription. The list can be filtered using the parameters for principal, role and scope.

The subject of the assignment must be specified. To specify a user, use the SignInName or Microsoft Entra ObjectId parameters. To specify a security group, use the Microsoft Entra ObjectId parameter. To specify a Microsoft Entra application, use the ServicePrincipalName or ObjectId parameters. The role that is being assigned must be specified using the RoleDefinitionName parameter.

The scope at which access is being granted may be specified; it defaults to the selected subscription. The scope of the assignment can be specified using one of the following parameter combinations:

  a. Scope - the fully qualified scope starting with /subscriptions/<subscriptionId>. This filters assignments that are effective at that particular scope, i.e. all assignments at that scope and above.
  b. ResourceGroupName - the name of any resource group under the subscription. This filters assignments effective at the specified resource group.
  c. ResourceName, ResourceType, ResourceGroupName and (optionally) ParentResource - identifies a particular resource under the subscription and filters assignments effective at that resource scope.

To determine what access a particular user has in the subscription, use the ExpandPrincipalGroups switch. This lists all roles assigned to the user and to the groups that the user is a member of. Use the IncludeClassicAdministrators switch to also display the subscription admins and co-admins.

List all role assignments in the subscription

Gets all role assignments made to user [email protected], and the groups of which he is member, at the testRG scope or above.

Gets all role assignments of the specified service principal

Gets role assignments at the 'site1' website scope.

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

-ExpandPrincipalGroups

If specified, returns roles directly assigned to the user and to the groups of which the user is a member (transitively). Supported only for a user principal.

-IncludeClassicAdministrators

If specified, also lists subscription classic administrators (co-admins, service admins, etc.) role assignments.

-ObjectId

The Microsoft Entra ObjectId of the User, Group or Service Principal. Filters all assignments that are made to the specified principal.

-ParentResource

The parent resource in the hierarchy of the resource specified using ResourceName parameter. Must be used in conjunction with ResourceGroupName, ResourceType, and ResourceName parameters.

-ResourceGroupName

The resource group name. Lists role assignments that are effective at the specified resource group. When used in conjunction with ResourceName, ResourceType, and ParentResource parameters, the command lists assignments effective at resources within the resource group.

-ResourceName

The resource name, e.g. storageaccountprod. Must be used in conjunction with the ResourceGroupName, ResourceType, and (optionally) ParentResource parameters.

-ResourceType

The resource type, e.g. Microsoft.Network/virtualNetworks. Must be used in conjunction with the ResourceGroupName, ResourceName, and (optionally) ParentResource parameters.

-RoleDefinitionId

Id of the Role that is assigned to the principal.

-RoleDefinitionName

Role that is assigned to the principal i.e. Reader, Contributor, Virtual Network Administrator, etc.

-Scope

The scope of the role assignment, in the form of a relative URI, e.g. /subscriptions/9004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/TestRG. It must start with "/subscriptions/{id}". The command filters all assignments that are effective at that scope.

-ServicePrincipalName

The ServicePrincipalName of the service principal. Filters all assignments that are made to the specified Microsoft Entra application.

-SignInName

The email address or the user principal name of the user. Filters all assignments that are made to the specified user.

-SkipClientSideScopeValidation

If specified, skip client side scope validation.

Outputs

PSRoleAssignment


Related Links

  • New-AzRoleAssignment
  • Remove-AzRoleAssignment
  • Get-AzRoleDefinition


Gain insights into your Azure role assignments on subscription level

List Azure role assignments and custom role definitions recursively with PowerShell and Azure CLI.


Azure Role-Based Access Control (RBAC)

Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. Using RBAC in Azure for granular permissions makes it easy to assign permissions to users, groups, service principals, or managed identities. You can assign only the amount of access that users need to perform their jobs, thereby adhering to the principle of least privilege.

You have a ton of built-in roles to choose from, and you can also create your own custom roles if none of the built-in roles fit your use case.

I will not write a thesis on Azure RBAC, as you can find the necessary information on the Azure RBAC documentation page . I will, however, highlight a few shortcomings and how I worked around some of them.

List Azure role definitions

You can list role definitions in the portal , with Azure CLI , or PowerShell .

All these links read List all roles. That is a bit misleading, as they only list the roles in your current scope plus any inherited from above (management groups). Custom roles created in subscriptions other than the current one (or the one provided in the scope parameter) will not be listed. A best practice is to create custom roles higher up, in management groups, so that they are inherited by all subscriptions below; this is not always done, and you might end up with custom roles in different subscriptions.

List Azure role assignments

You can list role assignments in the portal, with PowerShell, or with Azure CLI. There are different ways of listing role assignments, but no way to list all role assignments in your hierarchy recursively. You can list role assignments at a certain scope, with inherited assignments included, and you can find all role assignments for a specific user or group in Azure AD.

Shortcomings

As far as I can see, there are a few shortcomings. These are not critical, and there are other issues with the RBAC model, but I will not go into them here.

  • There is no central listing of role assignments for all scopes
  • There is no central listing of custom role definitions for all scopes
  • Role assignments and role definitions are not linked in any way other than in the backend. If you try to delete a custom role definition that is still in use, you get an error message; you have to find all role assignments using the custom role definition and delete them first.
  • Role assignments and role definitions are not listed in Azure AD

Recently I was tasked with cleaning up some clickOps’ed custom role definitions and converting them to Terraform. I needed to find all custom role definitions and all role assignments in all subscriptions in all management groups, and also all role assignments using the custom role definitions I was going to delete. For various reasons I needed to create new role definitions and could not import the existing ones into Terraform. Because of the shortcomings mentioned above, I had to write a script to list all role definitions and role assignments for all scopes.

I did not want to click through all of the subscriptions and management groups, so I wrote a script to do it for me.

Azure Governance Visualizer

At this point I would be remiss not to mention the Azure Governance Visualizer . It is a great tool created by Julian Hayward for visualizing your total Azure Governance. It lists all custom role definitions and every other detail you would need from your environment regarding RBAC and lot of other useful information. In this case it is too complex, and I wanted to focus on the RBAC part. Anyway, check it out if you need a great tool for visualizing your Azure Governance.

Log in with both Azure CLI and PowerShell

The script does the following:

  • Recursively find all management groups and subscriptions
  • List all custom roles in all subscriptions
  • List all role assignments with relevant custom roles in all subscriptions
  • Write everything to JSON files for documentation or investigation

Prerequisites:

  • A user with Reader role on the management group level to list all management groups.
  • A user with Reader role on the subscription level to list all subscriptions and their assignments/definitions.
  • Azure PowerShell installed
  • Azure CLI installed

The script can be found in all its glory in GitHub . I will explain the different sections below.

Log in with both Azure CLI and PowerShell

I did not want the script to force a login of both PowerShell and Azure CLI every time I ran it. Therefore I needed some logic to check for login status and log in if necessary.

Recursively find all management groups and subscriptions

Since there could be several management groups at different levels, I need to recursively find the management groups to list all subscriptions.

List all custom roles in all subscriptions

This part is a simple loop through all subscriptions that lists all custom role definitions. I could have used the PowerShell cmdlet Get-AzRoleDefinition, but I wanted to use the Azure CLI command az role definition list to get some more relevant information. The other actions done for each subscription are also done in the same foreach loop.

List all role assignments with relevant custom roles in all subscriptions

This part is a simple loop through all custom roles in the current subscription that lists all assignments for each role. They are exported to file if the exportAssignments parameter is set.

Write everything to json files for documentation or investigation

This part is a simple conversion from PowerShell objects to json with ConvertTo-Json, dumped to a json file.


Some parameters are necessary in this script to make it dynamic.

  • topLvlMgmtGroup - [String] Id of your top level management group to start recursive listing.
  • customRolesOnly - [String] Set to true if exporting only custom roles. Defaults to true.
  • excludeRegexPattern - [String] Any exclusion RegEx pattern to use. Remember escape chars!
  • rolesFolder - [String] Folder where role definitions will be exported. Defaults to output.
  • exportAssignments - [Switch] Whether to export assignments to file or not.
  • subscription - [String] Subscription Id or name for when exporting in a single subscription.
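The script sections and parameters described above, combined into one runnable script as an added example; this is not the author's script from GitHub. It assumes Az PowerShell and Azure CLI are installed, uses the JSON field names az returns (children.type, roleName, roleDefinitionId), and takes the topLvlMgmtGroup, excludeRegexPattern and rolesFolder parameter names from the list above.

```powershell
# Added example (not the post's own script): find custom role definitions and the
# assignments that still reference them across a management-group tree, then write JSON.
param(
    [Parameter(Mandatory)][string]$topLvlMgmtGroup,   # id of the top-level management group
    [string]$excludeRegexPattern = '^$',               # role names matching this are skipped
    [string]$rolesFolder = 'output'
)

# 1. Login check: only prompt when there is no Az PowerShell context / no az CLI account.
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
az account show --output none 2>$null
if ($LASTEXITCODE -ne 0) { az login --output none }

# 2. Recursive walk: --expand returns one level of children, so recurse into child groups.
#    Subscription children carry type '/subscriptions' and their name is the subscription id.
function Get-SubscriptionsUnder([string]$GroupId) {
    $group = az account management-group show --name $GroupId --expand --output json | ConvertFrom-Json
    foreach ($child in $group.children) {
        if ($child.type -like '*managementGroups') { Get-SubscriptionsUnder $child.name }
        elseif ($child.type -like '*subscriptions') { $child.name }
    }
}

New-Item -ItemType Directory -Path $rolesFolder -Force | Out-Null
$roles = @{}        # keyed by role definition GUID: a role assignable in many subs is written once
$assignments = @()

# 3. Per subscription: custom role definitions, then assignments that reference any of them.
foreach ($sub in (Get-SubscriptionsUnder $topLvlMgmtGroup | Sort-Object -Unique)) {
    $defs = az role definition list --custom-role-only true --subscription $sub --output json | ConvertFrom-Json
    foreach ($def in ($defs | Where-Object { $_.roleName -notmatch $excludeRegexPattern })) {
        if ($roles.ContainsKey($def.name)) { continue }
        $roles[$def.name] = $def
        $file = ($def.roleName -replace '[\\/:*?"<>|]', '_') + '.json'
        $def | ConvertTo-Json -Depth 10 | Set-Content (Join-Path $rolesFolder $file)
    }
    # 4. --all covers the subscription and every scope below it; match on the GUID at the end of
    #    roleDefinitionId, since that is the only link between an assignment and its definition.
    $subAssignments = az role assignment list --all --subscription $sub --output json | ConvertFrom-Json
    $assignments += $subAssignments | Where-Object { $roles.ContainsKey(($_.roleDefinitionId -split '/')[-1]) }
}

# 5. Dump everything; a custom role cannot be deleted until the assignments listed here are gone.
$assignments | ConvertTo-Json -Depth 5 | Set-Content (Join-Path $rolesFolder 'assignments.json')
$assignments | Group-Object roleDefinitionName | Select-Object Name, Count | Format-Table -AutoSize
```

The closing table shows, per custom role, how many assignments still block its deletion; an empty assignments.json means every exported definition can be removed safely.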

Resulting json

Running the script results in some output to json files.

Role Definitions

It makes sense to only export custom role definitions, because the built-in ones are already pretty well documented.

For each custom role definition found, one file will be written. This is an example role and all guids are randomly generated.

Role Assignments

All role assignments will be exported if the relevant parameter is set.

Output to a single assignments.json:

I had some fun with this task, and maybe created an over-engineered solution. Also I had the chance to practice my PowerShell skills, which is a welcome exercise!

Please let me know if you have a one-liner for this that I can use in the future 🙂

