[Feature Request] az role assignment list/delete: Support --assignee-object-id #30436

jiasli opened this issue Nov 28, 2024 · 2 comments · May be fixed by #30469
jiasli commented Nov 28, 2024

Related command
az role assignment list
az role assignment delete

Is your feature request related to a problem? Please describe.
#5273 added --assignee-object-id to az role assignment create to bypass the Microsoft Graph query, but --assignee-object-id is not added to az role assignment list and az role assignment delete. These commands still require resolving --assignee via Microsoft Graph.

If the logged-in account does not have permission to query Microsoft Graph, CLI can still recover and treat the provided ID as object ID:

    except GraphError:
        logger.warning('Failed to query %s by invoking Graph API. '
                       'If you don\'t have permission to query Graph API, please '
                       'specify --assignee-object-id and --assignee-principal-type.', assignee)
        if fallback_to_object_id and is_guid(assignee):
            logger.warning('Assuming %s as an object ID.', assignee)
            return assignee, None
        raise

But, if CLI has no network connection to Microsoft Graph endpoint or fails to get an access token for Microsoft Graph (#30428), it has no way to recover.

Describe the solution you'd like
az role assignment list and az role assignment delete should support --assignee-object-id like az role assignment create, in order to fully bypass Microsoft Graph query.

Describe alternatives you've considered

Additional context
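
A sketch of the resolution order this request implies, added here as an illustration and not Azure CLI's own code. `resolve_principal_id`, `GraphUnreachable`, `graph_denied`, `graph_offline`, `outcome` and the sample GUID are hypothetical names and constructed values; only the `except GraphError` fallback mirrors the snippet quoted in the issue.

```python
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SAMPLE_ID = "11111111-2222-3333-4444-555555555555"  # constructed value


class GraphError(Exception):
    """Stand-in: Graph was reached but refused the query."""


class GraphUnreachable(Exception):
    """Stand-in: no network path to Graph, or no Graph access token."""


def is_guid(value):
    return bool(GUID_RE.match(value))


def resolve_principal_id(assignee, assignee_object_id, graph_lookup,
                         fallback_to_object_id=True):
    """Return the object ID used to filter role assignments."""
    if assignee_object_id:
        # Requested behaviour: the caller supplies the ID, Graph is never called.
        if not is_guid(assignee_object_id):
            raise ValueError("--assignee-object-id must be a GUID")
        return assignee_object_id
    try:
        return graph_lookup(assignee)
    except GraphError:
        # Behaviour quoted in the issue: recover only from a Graph-level refusal.
        if fallback_to_object_id and is_guid(assignee):
            return assignee
        raise
    # GraphUnreachable is not caught: --assignee alone cannot recover from it.


def graph_denied(_assignee):
    raise GraphError("insufficient privileges")  # constructed failure


def graph_offline(_assignee):
    raise GraphUnreachable("no token for Microsoft Graph")  # constructed failure


def outcome(**kwargs):
    """Return the resolved ID, or the name of the exception that escaped."""
    try:
        return resolve_principal_id(**kwargs)
    except Exception as exc:
        return type(exc).__name__
```

In this sketch a supplied object ID is checked only for GUID shape, not against the directory, so a mistyped GUID resolves without error.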

yonzhan commented Nov 28, 2024

Feature Request of role assignment


Here are some similar issues that might help you. Please check if they can solve your problem.
