Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[BUG] RoleAssignment not working with Java but works through AZ CLI #41669

Open nebojsa-db opened 3 weeks ago

nebojsa-db commented 3 weeks ago

Describe the bug

I'm trying to assign a role to a Managed Identity with a precise scope at the storage account / container level, and it fails saying that I don't have enough permission to do so, even though my principal has a custom role assigned which allows granting roles to Service Principals.

Code snippet (Not working):

(screenshot of the Java code snippet; not captured in the page)

Az CLI (working):

az role assignment create --assignee-object-id --assignee-principal-type ServicePrincipal --role "Storage Blob Data Contributor" --scope /subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/nebojsaazurebucket123/blobServices/default/containers/testcontainer

My principal does not have Graph API permissions; that's why AZ CLI needs to use --assignee-object-id and --assignee-principal-type. Does the Java SDK require Graph API permissions?

Exception or Stack Trace

Status code 403, "{"error":{"code":"AuthorizationFailed","message":"The client '90516a84-d215-479d-b7f4-0ee01b47ab84' with object id '90516a84-d215-479d-b7f4-0ee01b47ab84' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/nebojsaazurebucket123/providers/Microsoft.Authorization/roleAssignments/roleAssignmentName' or the scope is invalid. If access was recently granted, please refresh your credentials."}}"

XiaofeiCao commented 1 week ago

Azure CLI and Java SDK should be using the same API.

Did you authenticate CLI and SDK using the same identity (the assigner, not the assignee)?

github-actions[bot] commented 1 week ago

Hi @nebojsa-db. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

nebojsa-db commented 1 week ago

Hi @XiaofeiCao, thanks for the response!

So the scenario was as follows:

1) We are using an SP which has a custom role configured that allows granting only the "Storage Blob Data Contributor" role, and only to "Service Principals" (so the role has a condition assigned to it).
2) We are granting permissions to a Managed Identity created as part of an "Azure Databricks Access Connector".

Granting permissions worked through AzCLI and failed through the Java SDK API. We fixed the issue by removing the condition from the role assignment. It might have something to do with the condition allowing roles to be assigned only to the ServicePrincipal type, since in the AzCLI command you explicitly provide principalType as a parameter.

Edit: Yes, we are using the same SP in both cases.
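The thread's hypothesis is that the CLI succeeds because it sends the assignee's principal type explicitly, which a role assignment condition restricting the principal type can be evaluated against. The following is an added example, not code from the issue or from the SDK's own samples, that makes the same request from Java with principalType set explicitly through the generated `RoleAssignmentCreateParameters` model; the `roleServiceClient().getRoleAssignments().create(...)` call path, the placeholder tenant, subscription, object id and scope values, and the role definition GUID are assumptions to verify against your SDK version.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.resourcemanager.authorization.AuthorizationManager;
import com.azure.resourcemanager.authorization.fluent.models.RoleAssignmentInner;
import com.azure.resourcemanager.authorization.models.PrincipalType;
import com.azure.resourcemanager.authorization.models.RoleAssignmentCreateParameters;

import java.util.UUID;

public class ConditionedRoleAssignment {
    // Placeholder values (assumptions): the assigner's tenant/subscription and the
    // managed identity's object id. The scope mirrors the container-level scope in the issue.
    static final String TENANT_ID = "<tenant-id>";
    static final String SUBSCRIPTION_ID = "<subscription-id>";
    static final String ASSIGNEE_OBJECT_ID = "<managed-identity-object-id>";
    // Built-in "Storage Blob Data Contributor" role definition GUID (assumed well-known value).
    static final String STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe";
    static final String SCOPE = "/subscriptions/" + SUBSCRIPTION_ID
        + "/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"
        + "/blobServices/default/containers/<container>";

    // Builds the request body. The explicit principal type is the Java equivalent of the CLI's
    // --assignee-principal-type ServicePrincipal; a condition on the assigner's role that only
    // permits assignments to service principals needs this field present to match.
    static RoleAssignmentCreateParameters buildParameters() {
        return new RoleAssignmentCreateParameters()
            .withRoleDefinitionId("/subscriptions/" + SUBSCRIPTION_ID
                + "/providers/Microsoft.Authorization/roleDefinitions/" + STORAGE_BLOB_DATA_CONTRIBUTOR)
            .withPrincipalId(ASSIGNEE_OBJECT_ID)
            .withPrincipalType(PrincipalType.SERVICE_PRINCIPAL);
    }

    public static void main(String[] args) {
        // Authenticate as the assigner (the SP holding the conditioned custom role), not the assignee.
        TokenCredential credential = new DefaultAzureCredentialBuilder().build();
        AzureProfile profile = new AzureProfile(TENANT_ID, SUBSCRIPTION_ID, AzureEnvironment.AZURE);
        AuthorizationManager manager = AuthorizationManager.authenticate(credential, profile);

        // Role assignment names must be unique GUIDs at the given scope.
        RoleAssignmentInner created = manager.roleServiceClient().getRoleAssignments()
            .create(SCOPE, UUID.randomUUID().toString(), buildParameters());
        System.out.println("Created " + created.id() + " for principal " + created.principalId());
    }
}
```

Comparing the request body this sends (with `"principalType": "ServicePrincipal"`) against what `az ... --debug` logs is the quickest way to confirm or rule out the hypothesis in the thread.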

XiaofeiCao commented 1 week ago

@nebojsa-db That's strange... CLI and SDK should be using the same API...

Would you help by appending --debug to your CLI command and seeing if you can tell from the output what API they called?