Azure / azure-cli

Azure Command-Line Interface
MIT License
4.01k stars 2.98k forks source link

az containerapp --yaml fails parsing to json when user assigned identity is included #23307

Open Garwakizashi opened 2 years ago

Garwakizashi commented 2 years ago

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Related command az containerapp create -n container-name -g resource-group --yaml file.yaml

Describe the bug Using the yaml specification for creating a containerapp, when user assigned identities are specified, it will always say: The 'UserAssignedIdentities' property keys should only be empty json objects, null or the resource exisiting property. (actually the response also has a typo exisiting šŸ˜„ )

Upon checking running again with --verbose on, it seems the empty json object {}, still get parsed to json as:

"identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "managed-identity-id": {
                "principalId": null,
                "clientId": null
            }
        },
        "principalId": null,
        "tenantId": null
    }

I understand that the use of identity in the yaml specification isn't actually listed in the documentation, but it seems that it is possible to use it, just that the parsing of empty {} values in yaml creates those null principalId and clientId properties.

To Reproduce

  1. Create a managed identity (managed-identity)
  2. Have a yaml specification file (file.yaml) ready, but also include:
    identity:
    type: UserAssigned
    userAssignedIdentities:
      managed-identity-id: {}
  3. Have a resource group ready (example-rg)
  4. Run: az containerapp create -n container-name -g example-rg --yaml file.yaml

Expected behavior I'd expect the container app to be created with the managed identity assigned to the ACA

Environment summary My az version: 2.38.0

Additional context

After finding checking out the request body via --verbose, I've tried it myself via rest , and changing the identity value to empty json works. i.e

"identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "managed-identity-id": {}
        },
        "principalId": null,
        "tenantId": null
    }
yonzhan commented 2 years ago

route to CXP team

RakeshMohanMSFT commented 2 years ago

@Garwakizashi Thank you for reaching out, we are looking into it.

RakeshMohanMSFT commented 2 years ago

@Garwakizashi Please go through this documentation https://docs.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Cdotnet.

In the meanwhile I will verify the working of identity settings using yaml

RakeshMohanMSFT commented 2 years ago

@Garwakizashi The error is propagated from the service and not from CLI. Let me engage the service team.

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @macolso.

Issue Details
> ### `az feedback` auto-generates most of the information requested below, as of CLI version 2.0.62 **Related command** `az containerapp create -n container-name -g resource-group --yaml file.yaml` **Describe the bug** Using the yaml specification for creating a containerapp, when user assigned identities are specified, it will always say: `The 'UserAssignedIdentities' property keys should only be empty json objects, null or the resource exisiting property.` (actually the response also has a typo `exisiting` šŸ˜„ ) Upon checking running again with `--verbose` on, it seems the empty json object `{}`, still get parsed to json as: ``` "identity": { "type": "UserAssigned", "userAssignedIdentities": { "managed-identity-id": { "principalId": null, "clientId": null } }, "principalId": null, "tenantId": null } ``` I understand that the use of `identity` in the yaml specification isn't actually listed in the [documentation](https://docs.microsoft.com/en-gb/azure/container-apps/azure-resource-manager-api-spec?tabs=yaml#container-app-examples), but it seems that it is possible to use it, just that the parsing of empty `{}` values in yaml creates those null `principalId` and `clientId` properties. **To Reproduce** 1. Create a managed identity (managed-identity) 2. Have a yaml specification file (file.yaml) ready, but also include: ``` identity: type: UserAssigned userAssignedIdentities: managed-identity-id: {} ``` 3. Have a resource group ready (example-rg) 4. Run: `az containerapp create -n container-name -g example-rg --yaml file.yaml` **Expected behavior** I'd expect the container app to be created with the managed identity assigned to the ACA **Environment summary** My az version: `2.38.0` **Additional context** After finding checking out the request body via `--verbose`, I've tried it myself via [rest ](https://docs.microsoft.com/en-gb/rest/api/containerapps/container-apps/create-or-update?), and changing the identity value to empty json works. i.e ``` "identity": { "type": "UserAssigned", "userAssignedIdentities": { "managed-identity-id": {} }, "principalId": null, "tenantId": null } ```
Author: Garwakizashi
Assignees: -
Labels: `Service Attention`, `Container Instances`, `question`, `customer-reported`, `Auto-Assign`, `ContainerApp`
Milestone: -
Garwakizashi commented 2 years ago

@Garwakizashi Please go through this documentation https://docs.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Cdotnet.

In the meanwhile I will verify the working of identity settings using yaml

Thanks @RakeshMohanMSFT , I've been working around this issue by using az containerapp identity assign after intial YAML creation. But it would be great to do it via the YAML specification instead. Basically I want to create a container app with identity set in place, so that I can also connect to the registry via identity, rather than using username + password.