Azure / azure-cli

Azure Command-Line Interface
MIT License

the given role assignment condition is invalid #15683

Open 1stewart opened 3 years ago

1stewart commented 3 years ago

Describe the bug

az role assignment create --role "Contributor" --assignee-object-id 3d5dab4e-3726-4783-bfa6-6937955da4b0 --condition "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'" --condition-version "2.0"

works (from the documentation: https://docs.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest)

az role assignment create --role "Contributor" --assignee-object-id 3d5dab4e-3726-4783-bfa6-6937955da4b0 --condition "@Resource[Microsoft.ServiceBus/namespaces/queues:Name] stringEquals 'foo'" --condition-version "2.0" --debug

doesn't work with the error: BadRequestError: The given role assignment condition is invalid.

I got the resource name based on finding Microsoft.Storage/storageAccounts/blobServices/containers at https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/2018-07-01/storageaccounts/blobservices/containers and working through the ServiceBus documentation to its format. Since conditions aren't well documented, I'm not sure how else to get the format it should be in, so it may be user error due to misunderstanding the syntax.

To Reproduce

Try and give a role assignment with a condition matching the resource Microsoft.ServiceBus/namespaces/queues

17:16:55 *REDACTED*@MAC4592[1]$:az role assignment create --role "Contributor" --assignee-object-id 3d5dab4e-3726-4783-bfa6-6937955da4b0 --condition "@Resource[Microsoft.ServiceBus/namespaces/queues:Name] stringEquals 'foo'" --condition-version "2.0" --debug
Command arguments: ['role', 'assignment', 'create', '--role', 'Contributor', '--assignee-object-id', '3d5dab4e-3726-4783-bfa6-6937955da4b0', '--condition', "@Resource[Microsoft.ServiceBus/namespaces/queues:Name] stringEquals 'foo'", '--condition-version', '2.0', '--debug']
Event: Cli.PreExecute []
Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x10f46c040>, <function OutputProducer.on_global_arguments at 0x10f4cb0d0>, <function CLIQuery.on_global_arguments at 0x10f4f58b0>]
Failed to load '@Resource[Microsoft.ServiceBus/namespaces/queues:Name] stringEquals 'foo'', assume not a file
Event: CommandInvoker.OnPreCommandTableCreate []
Modules found from index for 'role': ['azure.cli.command_modules.role']
Loading command modules:
Name                  Load Time    Groups  Commands
role                      0.005        17        61
Total (1)                 0.005        17        61
These extensions are not installed and will be skipped: ['azext_ai_examples']
Loading extensions:
Name                  Load Time    Groups  Commands  Directory
Total (0)                 0.000         0         0
Loaded 17 groups, 61 commands.
Found a match in the command table.
Raw command  : role assignment create
Command table: role assignment create
Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x10fa480d0>]
az_command_data_logger : command args: role assignment create --role {} --assignee-object-id {} --condition {} --condition-version {} --debug
metadata file logging enabled - writing logs to '/Users/stewart.lord/.azure/commands'.
Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x10fa77790>, <function register_global_query_examples_argument.<locals>.register_query_examples at 0x10fadb3a0>]
Event: CommandInvoker.OnPostArgumentLoad []
Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x10fadb430>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x10fadb550>]
Event: CommandInvoker.OnCommandTableLoaded []
Event: CommandInvoker.OnPreParseArgs []
Attempting to read file Resource[Microsoft.ServiceBus/namespaces/queues:Name] stringEquals 'foo'
File Error: Failed to open Resource[Microsoft.ServiceBus/namespaces/queues:Name] stringEquals 'foo', assume not a file
Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x10f4cb160>, <function CLIQuery.handle_query_parameter at 0x10f4f5940>, <function register_global_query_examples_argument.<locals>.handle_example_parameter at 0x10fac9a60>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x10fadb4c0>]
Getting management service client client_type=AuthorizationManagementClient
msrest.universal_http.requests : Configuring retry: max_retries=4, backoff_factor=0.8, max_backoff=90
msrest.async_paging : Paging async iterator protocol is not available for RoleDefinitionPaged
attempting to read file /Users/stewart.lord/.azure/accessTokens.json as utf-8-sig
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - Authority:Performing instance discovery: ...
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - Authority:Performing static instance discovery
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - Authority:Authority validated via static instance discovery
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - TokenRequest:Getting token with client credentials.
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - TokenRequest:No user_id passed for cache query
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - CacheDriver:finding with query keys: {'_clientId': '...'}
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - CacheDriver:Looking for potential cache entries: {'_clientId': '...'}
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - CacheDriver:Found 0 potential entries.
urllib3.connectionpool : Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool : https://login.microsoftonline.com:443 "POST /*REDACTED*/oauth2/token HTTP/1.1" 200 1585
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - OAuth2Client:Get Token Server returned this correlation_id: fb1dceb4-b5f5-4c2a-8833-513349c6c3cf
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - CacheDriver:Adding entry AccessTokenId: b'*REDACTED*'
adal-python : fb1dceb4-b5f5-4c2a-8833-513349c6c3cf - CacheDriver:Added entry is MRRT
msrest.http_logger : Request URL: 'https://management.azure.com/subscriptions/*REDACTED*/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20%27Contributor%27&api-version=2018-01-01-preview'
msrest.http_logger : Request method: 'GET'
msrest.http_logger : Request headers:
msrest.http_logger :     'Accept': 'application/json'
msrest.http_logger :     'accept-language': 'en-US'
msrest.http_logger :     'User-Agent': 'python/3.8.6 (macOS-10.15.5-x86_64-i386-64bit) msrest/0.6.18 msrest_azure/0.6.3 azure-mgmt-authorization/0.61.0 Azure-SDK-For-Python AZURECLI/2.14.0 (HOMEBREW)'
msrest.http_logger : Request body:
msrest.http_logger : None
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool : https://management.azure.com:443 "GET /subscriptions/*REDACTED*/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20%27Contributor%27&api-version=2018-01-01-preview HTTP/1.1" 200 None
msrest.http_logger : Response status: 200
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Transfer-Encoding': 'chunked'
msrest.http_logger :     'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger :     'Content-Encoding': 'gzip'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'Vary': 'Accept-Encoding'
msrest.http_logger :     'x-ms-request-id': 'a65f97a3-761e-475a-b995-afc78606aa2e'
msrest.http_logger :     'X-Content-Type-Options': 'nosniff'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'Set-Cookie': 'x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly'
msrest.http_logger :     'x-ms-ratelimit-remaining-subscription-reads': '11999'
msrest.http_logger :     'x-ms-correlation-request-id': 'a1f54a0c-a0d6-40a5-91b6-39c7d2c00c3c'
msrest.http_logger :     'x-ms-routing-request-id': 'UKSOUTH:20201027T172304Z:a1f54a0c-a0d6-40a5-91b6-39c7d2c00c3c'
msrest.http_logger :     'Date': 'Tue, 27 Oct 2020 17:23:04 GMT'
msrest.http_logger : Response content:
msrest.http_logger : {"value":[{"properties":{"roleName":"Contributor","type":"BuiltInRole","description":"Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC.","assignableScopes":["/"],"permissions":[{"actions":["*"],"notActions":["Microsoft.Authorization/*/Delete","Microsoft.Authorization/*/Write","Microsoft.Authorization/elevateAccess/Action","Microsoft.Blueprint/blueprintAssignments/write","Microsoft.Blueprint/blueprintAssignments/delete"],"dataActions":[],"notDataActions":[]}],"createdOn":"2015-02-02T21:55:09.8806423Z","updatedOn":"2020-08-14T20:15:12.5169529Z","createdBy":null,"updatedBy":null},"id":"/subscriptions/*REDACTED*/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c","type":"Microsoft.Authorization/roleDefinitions","name":"b24988ac-6180-42a0-ab88-20f7382dd24c"}]}
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - Authority:Performing instance discovery: ...
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - Authority:Performing static instance discovery
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - Authority:Authority validated via static instance discovery
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - TokenRequest:Getting token with client credentials.
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - TokenRequest:No user_id passed for cache query
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - CacheDriver:finding with query keys: {'_clientId': '...'}
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - CacheDriver:Looking for potential cache entries: {'_clientId': '...'}
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - CacheDriver:Found 0 potential entries.
urllib3.connectionpool : Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool : https://login.microsoftonline.com:443 "POST /*REDACTED*/oauth2/token HTTP/1.1" 200 1585
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - OAuth2Client:Get Token Server returned this correlation_id: 7041f240-aa5a-4d6e-9678-b21c916c6197
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - CacheDriver:Adding entry AccessTokenId: b'*REDACTED*'
adal-python : 7041f240-aa5a-4d6e-9678-b21c916c6197 - CacheDriver:Added entry is MRRT
msrest.http_logger : Request URL: 'https://management.azure.com/subscriptions/*REDACTED*/providers/Microsoft.Authorization/roleAssignments/d794d97b-dfd2-4a39-8f30-757725a9e273?api-version=2020-04-01-preview'
msrest.http_logger : Request method: 'PUT'
msrest.http_logger : Request headers:
msrest.http_logger :     'Accept': 'application/json'
msrest.http_logger :     'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger :     'accept-language': 'en-US'
msrest.http_logger :     'Content-Length': '350'
msrest.http_logger :     'User-Agent': 'python/3.8.6 (macOS-10.15.5-x86_64-i386-64bit) msrest/0.6.18 msrest_azure/0.6.3 azure-mgmt-authorization/0.61.0 Azure-SDK-For-Python AZURECLI/2.14.0 (HOMEBREW)'
msrest.http_logger : Request body:
msrest.http_logger : {"properties": {"roleDefinitionId": "/subscriptions/*REDACTED*/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", "principalId": "3d5dab4e-3726-4783-bfa6-6937955da4b0", "condition": "@Resource[Microsoft.ServiceBus/namespaces/queues:Name] stringEquals 'foo'", "conditionVersion": "2.0"}}
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : https://management.azure.com:443 "PUT /subscriptions/*REDACTED*/providers/Microsoft.Authorization/roleAssignments/d794d97b-dfd2-4a39-8f30-757725a9e273?api-version=2020-04-01-preview HTTP/1.1" 400 123
msrest.http_logger : Response status: 400
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Content-Length': '123'
msrest.http_logger :     'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'x-ms-request-id': 'c6fef979-7bb0-41b0-aadd-2518108d86c5'
msrest.http_logger :     'X-Content-Type-Options': 'nosniff'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'Set-Cookie': 'x-ms-gateway-slice=Production; path=/; secure; samesite=none; httponly'
msrest.http_logger :     'x-ms-ratelimit-remaining-subscription-writes': '1199'
msrest.http_logger :     'x-ms-correlation-request-id': '7423aa4d-2504-4080-8380-90fb71594ce0'
msrest.http_logger :     'x-ms-routing-request-id': 'UKSOUTH:20201027T172305Z:7423aa4d-2504-4080-8380-90fb71594ce0'
msrest.http_logger :     'Date': 'Tue, 27 Oct 2020 17:23:05 GMT'
msrest.http_logger : Response content:
msrest.http_logger : {"error":{"code":"InvalidCreateOrUpdateRoleAssignmentRequest","message":"The given role assignment condition is invalid."}}
msrest.exceptions : The given role assignment condition is invalid.
azure.cli.core.util.handle_exception is called with an exception:
Traceback (most recent call last):
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/knack/cli.py", line 215, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/cli/core/commands/__init__.py", line 654, in execute
    raise ex
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/cli/core/commands/__init__.py", line 718, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/cli/core/commands/__init__.py", line 711, in _run_job
    six.reraise(*sys.exc_info())
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/six.py", line 703, in reraise
    raise value
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/cli/core/commands/__init__.py", line 688, in _run_job
    result = cmd_copy(params)
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/cli/core/commands/__init__.py", line 325, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/cli/core/__init__.py", line 784, in default_command_handler
    return op(**command_args)
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/cli/command_modules/role/custom.py", line 151, in create_role_assignment
    return _create_role_assignment(cmd.cli_ctx, role, assignee or assignee_object_id, resource_group_name, scope,
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/cli/command_modules/role/custom.py", line 174, in _create_role_assignment
    return worker.create_role_assignment(assignments_client, _gen_guid(), role_id, object_id, scope,
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/cli/command_modules/role/_multi_api_adaptor.py", line 58, in create_role_assignment
    return client.create(scope, assignment_name, parameters)
  File "/usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/mgmt/authorization/v2020_04_01_preview/operations/_role_assignments_operations.py", line 332, in create
    raise exp
msrestazure.azure_exceptions.CloudError: Azure Error: InvalidCreateOrUpdateRoleAssignmentRequest
Message: The given role assignment condition is invalid.

cli.azure.cli.core.azclierror : BadRequestError: The given role assignment condition is invalid.
BadRequestError: The given role assignment condition is invalid.
Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x10fa48310>]
az_command_data_logger : exit code: 1
Command ran in 1.639 seconds (init: 0.123, invoke: 1.515)
telemetry.save : Save telemetry record of length 3149 in cache
telemetry.check : Returns Positive.
telemetry.main : Begin creating telemetry upload process.
telemetry.process : Creating upload process: "/usr/local/Cellar/azure-cli/2.14.0/libexec/bin/python /usr/local/Cellar/azure-cli/2.14.0/libexec/lib/python3.8/site-packages/azure/cli/telemetry/__init__.py /Users/stewart.lord/.azure"
telemetry.process : Return from creating process
telemetry.main : Finish creating telemetry upload process.

Expected behavior

A user role assignment with contributor for queues matching 'foo'

Environment summary

Install method: brew

CLI version:

azure-cli                         2.14.0

core                              2.14.0
telemetry                          1.0.6

Extensions:
managementpartner                  0.1.3
azure-devops                      0.18.0
log-analytics                      0.2.1
application-insights               0.1.7

Python location '/usr/local/Cellar/azure-cli/2.14.0/libexec/bin/python'
Extensions directory '/Users/stewart.lord/.azure/cliextensions'

Python (Darwin) 3.8.6 (default, Oct  8 2020, 14:06:32)
[Clang 12.0.0 (clang-1200.0.32.2)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

OS version: macOS Catalina 10.15.5

Additional context
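A pre-flight check for the single-clause condition syntax used in this report, added here as an example (not azure-cli code): it parses the `@Resource[<type>:<attribute>] <operator> '<value>'` shape into its parts and flags attributes outside an allowlist, so a rejected condition is caught locally before a PUT reaches the authorization API. The allowlist is an assumption, seeded only with the attribute the issue shows the service accepting; the two sample conditions are the ones from the report.

```python
import re
from dataclasses import dataclass

# Sample conditions taken from the issue text: the first is the documented
# example that works, the second is the one the service rejected with 400.
WORKING = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'"
REJECTED = "@Resource[Microsoft.ServiceBus/namespaces/queues:Name] stringEquals 'foo'"

# Assumption (not from the page): the attributes this pre-flight check accepts.
# Seeded with the single attribute the issue shows the service accepting; extend
# it from the RBAC condition documentation once that is published.
KNOWN_ATTRIBUTES = {
    ("Resource", "Microsoft.Storage/storageAccounts/blobServices/containers", "Name"),
}

# One clause: @<source>[<provider>/<type>[/<subtype>...]:<attribute>] <op> '<value>'
_COND_RE = re.compile(
    r"^@(?P<source>Resource|Request)"
    r"\[(?P<rtype>[A-Za-z0-9.]+(?:/[A-Za-z0-9]+)+):(?P<attr>[A-Za-z0-9]+)\]"
    r"\s+(?P<op>[A-Za-z]+)\s+'(?P<value>[^']*)'$"
)


@dataclass(frozen=True)
class Condition:
    source: str         # "Resource" or "Request"
    resource_type: str  # e.g. Microsoft.ServiceBus/namespaces/queues
    attribute: str      # e.g. Name
    operator: str       # e.g. stringEquals
    value: str          # the quoted literal


def parse_condition(text: str) -> Condition:
    """Split a single-clause condition into its parts; raise on malformed input."""
    m = _COND_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a single-clause condition: {text!r}")
    return Condition(m["source"], m["rtype"], m["attr"], m["op"], m["value"])


def check_condition(text: str) -> list:
    """Return a list of problems; an empty list means the pre-flight check passed."""
    try:
        cond = parse_condition(text)
    except ValueError as exc:
        return [str(exc)]
    key = (cond.source, cond.resource_type, cond.attribute)
    if key not in KNOWN_ATTRIBUTES:
        return [f"@{cond.source}[{cond.resource_type}:{cond.attribute}] "
                "is not in the known-supported attribute set"]
    return []


if __name__ == "__main__":
    for sample in (WORKING, REJECTED):
        print(sample, "->", check_condition(sample) or "ok")
```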

yonzhan commented 3 years ago

add to S178

jiasli commented 3 years ago

Since conditions aren't well documented, I'm not sure how else to get the format it should be in, so may be user error due to misunderstanding the syntax.

The lack of documentation has been reported in https://github.com/Azure/azure-cli/issues/15628. The corresponding documentation will be updated by the RBAC service team later.