Open rishi2772 opened 1 year ago
@jiasli for awareness
These lines are responsible for this behavior:
I did some Git Blame and see these lines were introduced as early as 2016-08-04 (https://github.com/Azure/azure-cli/pull/602).
Converted to natural language:
If --all is specified, scope is None. In that case, all role assignments are returned, including role assignments at, above and below the subscription.
If --include-inherited is specified, the evaluation of "inherited" is done by a literal regex match. The problem is that a management group's ID is special and doesn't follow the "normal" Azure resource ID convention, so it is not a substring of a subscription's ID:
Management group level: /providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000
Tenant level: /
Subscription level: /subscriptions/00000000-0000-0000-0000-000000000000
Resource group level: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg
That's why the result doesn't include management-group-level role assignments. In other words, --include-inherited only works for "normal" Azure resource IDs, up to tenant level.
Actually, if --include-inherited is specified, no regex match should be done.
When a scope is provided, atScope() will be used as a query to call the List role assignments REST API. The result contains no role assignments at subscopes, but it does contain role assignments at upper levels, so the regex match is not needed at all. By removing the regex match, management-group-level role assignments are automatically included in the final result.
But I may be wrong. @rishi2772, please do correct me if I miss anything.
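To make the filtering behaviour described above concrete, here is a small added Python model (not azure-cli's own code; the sample assignments, principal names and function names are constructed for illustration). It models what atScope() returns for a subscription, the legacy regex filter that drops the management-group assignment, and the proposed no-regex behaviour.

```python
import re

# Constructed scopes, following the ID conventions listed in the thread.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg"
MG = "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"

# Constructed model of the atScope() result for SUB: assignments at the
# subscription itself and at every parent scope, none at subscopes.
ASSIGNMENTS = [
    {"scope": "/", "principal": "tenant-admin"},
    {"scope": MG, "principal": "mg-reader"},
    {"scope": SUB, "principal": "sub-contributor"},
]


def filter_legacy(assignments, scope):
    """Model of the long-standing --include-inherited behaviour: keep an
    assignment only if its scope literally matches the start of the
    requested scope. Works for '/' and normal resource IDs, but a
    management group ID never matches a subscription ID, so it is dropped."""
    return [a for a in assignments
            if re.match(a["scope"], scope, flags=re.IGNORECASE)]


def filter_no_regex(assignments, scope):
    """Proposed behaviour: trust the atScope() result and apply no match at
    all, since the API already excluded subscopes. The management-group
    assignment is kept."""
    return list(assignments)


def dropped_by_legacy(assignments, scope):
    """Audit helper: which inherited assignments would the legacy filter hide?
    Useful when reviewing a subscription's effective access with the CLI."""
    kept = {a["principal"] for a in filter_legacy(assignments, scope)}
    return [a for a in assignments if a["principal"] not in kept]


if __name__ == "__main__":
    for a in dropped_by_legacy(ASSIGNMENTS, SUB):
        print("hidden by legacy filter:", a["principal"], "at", a["scope"])
```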
Actually, I found an interesting fact that management group was GA on 2018-07-31.
https://azure.microsoft.com/en-us/blog/azure-management-groups-now-in-general-availability/
So when https://github.com/Azure/azure-cli/pull/602 was implemented on 2016-08-04, management groups hadn't been released at all! This behavior has been there for so long (almost 7 years) and persisted after management groups went GA, so it has basically become a feature already.
Including management-group-level role assignments can potentially be a breaking change, about which we should be super careful. So let me mark this issue as a feature request instead.
@jiasli, is there any update on this? Thank you.
This is a bug report, not a feature request. https://learn.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-delete()-optional-parameters
--include-inherited: Include assignments applied on parent scopes.
It's not mentioned in the docs that management group parent scopes are excluded.
Related command az role assignment list --include-inherited --scope /subscriptions/{ID}
Describe the bug
Trying to get a list of role assignments that are assigned at subscription level and inherited from parent scopes (management group, root). If I use az role assignment list, only role assignments that are done at subscription level are listed. If I include --include-inherited, root role assignments are also listed, but role assignments that are inherited from management groups are not listed. Ideal behavior should be to list all inherited role assignments (both coming from root and management group).
To Reproduce
Use any version of CLI -> first run 'az role assignment list' -> capture the output -> now run az role assignment list --include-inherited --scope /subscriptions/{ID} -> compare the output. When --include-inherited is used, the output doesn't include role assignments that are inherited from management groups only.
Expected behavior
As per docs, role assignments applied on parent scopes should also be included. Ref: https://learn.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-list
Environment summary
{
  "azure-cli": "2.43.0",
  "azure-cli-core": "2.43.0",
  "azure-cli-telemetry": "1.0.8",
  "extensions": {
    "ai-examples": "0.2.5",
    "ml": "2.11.0",
    "ssh": "1.1.3"
  }
}
Additional context
Same behavior reported in https://github.com/Azure/azure-cli/issues/14302#issuecomment-863275086