Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

Subscriptions List - Tags not provided for ServicePrincipal #11656

Open JulianHayward opened 4 years ago

JulianHayward commented 4 years ago

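Using a ServicePrincipal: 'GET https://management.azure.com/subscriptions?api-version=2020-01-01' ([docs](https://docs.microsoft.com/en-us/rest/api/resources/subscriptions/list)) does NOT return Subscription tags, whilst 'GET https://management.azure.com/subscriptions/{subscriptionId}?api-version=2020-01-01' ([docs](https://docs.microsoft.com/en-us/rest/api/resources/subscriptions/get)) does return Subscription tags.

Using user context both APIs return the Subscription tags.

Why?

PowerShell:

```powershell
# Raw REST call with an explicit bearer token
Invoke-WebRequest -Uri $uri -Method Get -Headers @{"Content-Type" = "application/json"; "Authorization" = "Bearer $bearerAccessToken" }
# Same request through the Az module's authenticated context
Invoke-AzRestMethod -Path $path -Method GET
```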

ghost commented 4 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @anuragdalmia, @shilpigautam, @ramaganesan-rg.


Issue meta data

Issue author: JulianHayward
Assignees: njuCZ
Labels: `Service Attention`, `Subscription`, `needs-triage`
Milestone: -

JulianHayward commented 4 years ago

Any insights for this?

ramaganesan-rg commented 4 years ago

Removing Subscriptions from this. PM is following up with the owning team on this tag issue.

JulianHayward commented 3 years ago

Is there any news?

ghost commented 3 years ago

Hi, JulianHayward. Your PR has no update for 14 days and it is marked as stale PR. If no further update for over 14 days, the bot will close the PR. If you want to refresh the PR, please remove no-recent-activity label.

anuragdalmia commented 3 years ago

@rthorn17 - FYI.

JulianHayward commented 3 years ago

OK, this seems more RBAC related. I can tell that with 'Reader' the API (GET https://management.azure.com/subscriptions?api-version=2020-01-01) does not return the subscription's tags, whilst with 'Owner' it does. GET https://management.azure.com/subscriptions/{subscriptionId}?api-version=2020-01-01, however, works with 'Reader' and returns the subscription's tags.

Can you please shed light?

swhite-strath commented 3 years ago

Any update on this?

stephanboersma commented 2 years ago

Hi,

Unfortunately, this is still an issue. According to the List Subscriptions endpoint documentation, the sample response includes tags while the original response does not.

Sample response from documentation

```json
{
  "value": [
    {
      "id": "/subscriptions/291bba3f-e0a5-47bc-a099-3bdcb2a50a05",
      "subscriptionId": "291bba3f-e0a5-47bc-a099-3bdcb2a50a05",
      "tenantId": "31c75423-32d6-4322-88b7-c478bdde4858",
      "displayName": "Example Subscription",
      "state": "Enabled",
      "subscriptionPolicies": {
        "locationPlacementId": "Internal_2014-09-01",
        "quotaId": "Internal_2014-09-01",
        "spendingLimit": "Off"
      },
      "authorizationSource": "RoleBased",
      "managedByTenants": [
        {
          "tenantId": "8f70baf1-1f6e-46a2-a1ff-238dac1ebfb7"
        }
      ],
      "tags": {
        "tagKey1": "tagValue1",
        "tagKey2": "tagValue2"
      }
    },
    {
      "id": "/subscriptions/72ac930a-f34e-42d8-b06d-dc2a9e12ed71",
      "subscriptionId": "72ac930a-f34e-42d8-b06d-dc2a9e12ed71",
      "tenantId": "2a0ff0de-96b2-4859-bb7c-a430d07a3e0c",
      "displayName": "Example Subscription2",
      "state": "Enabled",
      "subscriptionPolicies": {
        "locationPlacementId": "Internal_2014-09-01",
        "quotaId": "Internal_2014-09-01",
        "spendingLimit": "Off"
      },
      "authorizationSource": "RoleBased",
      "managedByTenants": [
        {
          "tenantId": "8f70baf1-1f6e-46a2-a1ff-238dac1ebfb7"
        },
        {
          "tenantId": "f7fb6af2-321d-47c8-9c0f-b0239eaad39a"
        }
      ],
      "tags": {
        "tagKey1": "tagValue1",
        "tagKey2": "tagValue2"
      }
    }
  ],
  "nextLink": "..."
}
```

Any update regarding this issue, @rthorn17 ? :-)

mlomat commented 2 years ago

Any update on this? Looks like an issue when I am using the command Get-AzSubscription. It works without any issue on my regular account, but I have a problem getting tags with a Managed Identity :(

rthorn17 commented 2 years ago

Yes, this issue is RBAC related, but it's because of where the RBAC assignment is which tells ARM where to source the call from. If the Role Assignment is made directly to the resource, ARM sources the list call from ARM's resource tables where tags info is stored. If the RBAC role is inherited to the resource, which most Service Principals have inherited rights to subscriptions, ARM sources the info from Management Groups RP based on the Hierarchy. Management Groups doesn't store tags values of the subscriptions, so when the data is sourced from MG RP, it doesn't include the tag data.

Our teams are working on moving this LIST Subs call from going to Management Groups RP to have it sourced from ARG instead, which will resolve this issue. Since ARG holds all the subscription data, it will be able to return tags data in the list call. We are looking for this to be done summer next year.
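The following is an added example, not written by any commenter or taken from Microsoft's code: it lists subscriptions and, where the list response carries no `tags` property, reads them from the per-subscription GET that this thread reports as returning tags under inherited 'Reader'. `Invoke-ArmGet`, `Get-SubscriptionWithTags` and the sample data are names constructed here; the live path assumes the Az.Accounts module and a signed-in context.

```powershell
# Added example; function names and the sample data are constructed for illustration.
# The live path assumes the Az.Accounts module and a signed-in context (Connect-AzAccount).
$ApiVersion = '2020-01-01'   # API version quoted in the issue

function Invoke-ArmGet {
    param([Parameter(Mandatory)][string]$Path)
    $resp = Invoke-AzRestMethod -Path $Path -Method GET
    if ($resp.StatusCode -ne 200) { throw "GET $Path returned HTTP $($resp.StatusCode)" }
    $resp.Content | ConvertFrom-Json
}

function Get-SubscriptionWithTags {
    # -Get is injectable so the fallback logic can be exercised without calling ARM.
    param([scriptblock]$Get = { param($p) Invoke-ArmGet -Path $p })
    $path = "/subscriptions?api-version=$ApiVersion"
    while ($path) {
        $page = & $Get $path
        foreach ($sub in $page.value) {
            $tagProp = $sub.PSObject.Properties['tags']
            $source  = 'list'
            if (-not $tagProp) {
                # List response carried no tags: read the single subscription instead.
                $one     = & $Get "/subscriptions/$($sub.subscriptionId)?api-version=$ApiVersion"
                $tagProp = $one.PSObject.Properties['tags']
                $source  = 'get'
            }
            [pscustomobject]@{
                SubscriptionId = $sub.subscriptionId
                DisplayName    = $sub.displayName
                Tags           = if ($tagProp) { $tagProp.Value } else { $null }
                TagSource      = $source
            }
        }
        # Follow paging only when nextLink is an absolute URL.
        $next = $page.PSObject.Properties['nextLink']
        $uri  = if ($next) { $next.Value -as [uri] } else { $null }
        $path = if ($uri -and $uri.IsAbsoluteUri) { $uri.PathAndQuery } else { $null }
    }
}

# Constructed sample: a list response without tags and a single GET with tags.
$fake = {
    param($p)
    if ($p.StartsWith('/subscriptions?')) {
        '{"value":[{"subscriptionId":"00000000-0000-0000-0000-000000000001","displayName":"demo"}]}' | ConvertFrom-Json
    } else {
        '{"subscriptionId":"00000000-0000-0000-0000-000000000001","tags":{"env":"prod"}}' | ConvertFrom-Json
    }
}
Get-SubscriptionWithTags -Get $fake
```

Call `Get-SubscriptionWithTags` with no arguments to query ARM; a subscription that has no tags at all also takes the fallback path, at the cost of one extra GET.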

sopelt commented 1 year ago

Hi @rthorn17, I think the referenced summer just passed ;)

Any update on this issue?