Azure / azure-cli

Azure Command-Line Interface
MIT License

az role assign OperationsManagement/solutions brackets escaping #24588

Open wiperpaul opened 2 years ago

wiperpaul commented 2 years ago

Related command

az role assignment create --assignee-object-id xxx-xxx-xxx-xxx-xxx --role 'Microsoft Sentinel Responder' --scope '/subscriptions/foobar/resourceGroups/foo-rg/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(foo-workspace)'

Describe the bug

To give access to only a Sentinel Workspace it is required to assign Microsoft Sentinel Responder to not only the Log Analytics Workspace but also to the Solutions resource ID for the related Sentinel instance. The az role assignment create command used on PowerShell has some validation / escaping issues.

The Error

ERROR: The Resource 'Microsoft.OperationsManagement/solutions/SecurityInsights(foo-workspace' under resource group 'foo-rg' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix

Notice how the last closing bracket is omitted from the error. Wrapping the scope in double or single quotes could not fix this. However, using bash did fix the issue. Please correct me if it is user error and there is some escaping required I did not know about.

To Reproduce

Have a pre-existing workspace / Sentinel.

I used a Group as assignee object ID.

I have IAM restricted to pipeline with service principal only, so I used the Azure CLI DevOps Task

Task         : Azure CLI
Description  : Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.
Version      : 2.208.0

Using PS only this occurs, does not occur with Bash. Taken from within Azure CLI Task:

"C:\Program Files\PowerShell\7\pwsh.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a\_temp\azureclitaskscript123.ps1'"

az role assignment create --assignee-object-id xxx-xxx-xxx-xxx-xxx --role 'Microsoft Sentinel Responder' --scope '/subscriptions/foobar/resourceGroups/foo-rg/providers/Microsoft.OperationsManagement/solutions/SecurityInsights(foo-workspace)'

Expected behavior

Role assignment created

Environment summary

azure-cli                         2.41.0 *
core                              2.41.0 *
telemetry                          1.0.8
Extensions:
azure-devops                      0.25.0
msal                            1.20.0b1
azure-mgmt-resource             21.1.0b1

Additional context

yonzhan commented 2 years ago

@jiasli for awareness