Azure / azure-cli

Azure Command-Line Interface
MIT License

System assigned identity is enabled by default while assigning identity to the registry #24687

Open jikuma opened 1 year ago

jikuma commented 1 year ago

For an ACR registry, if I assign an identity using the "acr identity assign" command, system-assigned identity is enabled by default.

Steps to reproduce

**az acr identity show -n cmkreg1117 -g cmkregistrytest1117**

```json
{
  "principalId": null,
  "tenantId": null,
  "type": "userAssigned",
  "userAssignedIdentities": {
    "/subscriptions/<redacted>/resourcegroups/cmkregistrytest1117/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkregistrytest1117": {
      "clientId": "646f5e74-1df4-481b-a01f-8a7834d5ab25",
      "principalId": "e926fd96-1b57-4ac5-b39d-ebcfef34cfe5"
    }
  }
}
```

**az acr identity assign -n cmkreg1117 -g cmkregistrytest1117 --identities /subscriptions//resourcegroups/cmkregistrytest1117/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkregistrytest1117 --verbose**

```json
"identity": {
  "principalId": "6d5663e1-e20f-4544-9d3a-ceba2dcf8296",
  "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
  "type": "systemAssigned, userAssigned",
  "userAssignedIdentities": {
    "/subscriptions/<redacted>/resourcegroups/cmkregistrytest1117/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkregistrytest1117": {
      "clientId": "646f5e74-1df4-481b-a01f-8a7834d5ab25",
      "principalId": "e926fd96-1b57-4ac5-b39d-ebcfef34cfe5"
    }
  }
}
```

You see that system-assigned identity was enabled by default without passing [system] in the command.

When I see the debug log, I see that the patch call has an identity type as **"type": "SystemAssigned, UserAssigned"**.

My az version is 2.42.0
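An added example, not part of the original issue or the azure-cli code base: a check that compares a registry's identity block before and after an assign (the JSON printed by `az acr identity show`) and flags any identity that was not requested. The function names and the sample values are assumptions constructed for illustration.

```python
# Constructed sample data in the shape shown in the issue; all IDs are placeholders.
# In practice both dicts would come from json.loads() of `az acr identity show` output.
UAI = ("/subscriptions/<sub>/resourcegroups/example-rg/providers/"
       "Microsoft.ManagedIdentity/userAssignedIdentities/example-uai")
BEFORE = {"principalId": None, "tenantId": None, "type": "userAssigned",
          "userAssignedIdentities": {UAI: {}}}
AFTER = {"principalId": "11111111-1111-1111-1111-111111111111",
         "tenantId": "22222222-2222-2222-2222-222222222222",
         "type": "systemAssigned, userAssigned",
         "userAssignedIdentities": {UAI: {}}}


def identity_types(identity):
    """Turn the 'type' string ("SystemAssigned, UserAssigned") into a lowercase set."""
    raw = (identity or {}).get("type") or "none"
    return {t.strip().lower() for t in raw.split(",") if t.strip()} - {"none"}


def user_identity_ids(identity):
    """Resource IDs of attached user-assigned identities (ARM IDs are case-insensitive)."""
    return {k.lower() for k in ((identity or {}).get("userAssignedIdentities") or {})}


def unexpected_identity_changes(before, after, requested_user_ids, requested_system=False):
    """Return (finding, value) pairs for identities present after the call
    that were neither there before nor asked for in the assign command."""
    findings = []
    added_types = identity_types(after) - identity_types(before)
    if "systemassigned" in added_types and not requested_system:
        # A new principalId means a new service principal now exists for the registry.
        findings.append(("system-assigned identity enabled", (after or {}).get("principalId")))
    requested = {r.lower() for r in requested_user_ids}
    for rid in sorted(user_identity_ids(after) - user_identity_ids(before) - requested):
        findings.append(("user-assigned identity added", rid))
    return findings


if __name__ == "__main__":
    # Mirrors the report: only a user-assigned identity was passed to --identities.
    for finding, value in unexpected_identity_changes(BEFORE, AFTER, [UAI]):
        print(f"UNEXPECTED: {finding}: {value}")
```
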

yonzhan commented 1 year ago

route to CXP team

ghost commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @toddysm, @luisdlp, @northtyphoon.

Issue Details
Author: jikuma
Assignees: -
Labels: `Service Attention`, `Container Registry`, `Auto-Assign`
Milestone: -