pimctl

pimctl manages Azure PIM resource roles. It lists eligible assignments, activates roles, deactivates active assignments, and shows what is active now.
Scope
pimctl supports Azure resource role PIM. It does not manage Entra roles or PIM for Groups.
Quickstart
List roles you can activate:
pimctl list
Activate a role:
pimctl activate \
  --subscription "Production" \
  --resource-group rg-app \
  --role Contributor \
  --reason "Investigating incident"
Check active assignments:
pimctl status
Find the assignment_id for an active assignment:
pimctl status --verbose
pimctl status --json
Default status output stays short. Use --verbose or --json when you need the ID for a script or deactivation.
Deactivate an active assignment:
pimctl deactivate <assignment-id>
Add a reason if you want one recorded with the request:
pimctl deactivate <assignment-id> --reason "Incident resolved"
In a terminal, pimctl deactivate opens a picker.
Success means Azure accepted the deactivation request. The assignment may still appear in pimctl status for a short time.
For scripts:
pimctl list --json
pimctl status --json
pimctl deactivate <assignment-id> --json
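The script below is an added example, not part of pimctl or its documentation: it reads `pimctl status --json`, collects each assignment_id, and deactivates every active assignment so elevated roles are not left active after the work is done. It assumes the JSON is an array of objects carrying an `assignment_id` field, that `--reason` and `--json` can be combined, and that pimctl exits non-zero when a request is not accepted; the `role` field and the sample IDs are constructed.

```python
import json
import subprocess

# Constructed sample of `pimctl status --json` output. The array-of-objects
# shape and the "role" field are assumptions; only assignment_id is named
# in the README.
SAMPLE_STATUS = """[
  {"assignment_id": "example-assignment-1", "role": "Contributor"},
  {"assignment_id": "example-assignment-2", "role": "Reader"},
  {"role": "Owner"}
]"""


def active_assignment_ids(status_json):
    """Return the assignment IDs found in `pimctl status --json` output."""
    ids = []
    for entry in json.loads(status_json):
        aid = entry.get("assignment_id")
        if not isinstance(aid, str) or not aid:
            continue  # entry without a usable ID: nothing to deactivate
        if aid.startswith("-"):
            # Refuse values the CLI could parse as an option.
            raise ValueError(f"suspicious assignment_id: {aid!r}")
        ids.append(aid)
    return ids


def deactivate_commands(ids, reason):
    """Build one argv list per assignment, using only flags shown above."""
    return [["pimctl", "deactivate", aid, "--reason", reason, "--json"]
            for aid in ids]


def deactivate_all(reason, run=subprocess.run):
    """Deactivate every active assignment; return the IDs that failed.

    Assumption: pimctl exits non-zero when the request is not accepted.
    """
    status = run(["pimctl", "status", "--json"],
                 capture_output=True, text=True, check=True)
    failed = []
    for cmd in deactivate_commands(active_assignment_ids(status.stdout), reason):
        if run(cmd, capture_output=True, text=True).returncode != 0:
            failed.append(cmd[2])
    return failed


if __name__ == "__main__":
    for cmd in deactivate_commands(active_assignment_ids(SAMPLE_STATUS),
                                   "Incident resolved"):
        print(" ".join(cmd))
```

Because an accepted deactivation may still appear in `pimctl status` for a short time, rely on the returned list of failed IDs rather than an immediate second status check.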
Configuration
Config is optional. By default, pimctl reads:
~/.config/pimctl/config.yaml
Example:
default_duration: 2h
subscription_id: 00000000-0000-0000-0000-000000000000
Environment variables use the PIMCTL_ prefix:
export PIMCTL_DEFAULT_DURATION=2h
export PIMCTL_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000
License
MIT