netr0m / az-pim-cli

A utility to list and activate Azure Entra ID Privileged Identity Management roles from the CLI
MIT License

Ticket System & Ticket Number submitted in command not reflecting in request #62

Open t4chik0ma opened 2 weeks ago

t4chik0ma commented 2 weeks ago


Description of the problem

[screenshot: pim-notification-from-azure]

Using the same ~~TicketNumber for both the reason and the ticket number, though it only reports back in the Azure PIM notification as being used in the justification. Ticket Number is returning 'Evaluate Only', same with Ticket System.

Version of az-pim-cli

```console
$ az-pim-cli version
az-pim-cli version v1.1.0 (built with go1.23.2 from (unknown, modified: ?, mod sum: "h1:fAiKo2N2tWHOQhZKN9535LDQ/UMJS1TwgHu0eHIBBzM=") on (unknown))
```

Configuration

```console
az-pim-cli activate resource -d 60 -r "~~RoleName" -n "~~SubName" --reason ~~TicketNumber -T ~~TicketNumber --ticket-system ~~TicketSystem
```

Go environment

```console
$ go version && go env
go version go1.23.2 linux/amd64
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/user/.cache/go-build'
GOENV='/home/user/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/user/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/user/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/snap/go/10730'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/snap/go/10730/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.2'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/user/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3210394080=/tmp/go-build -gno-record-gcc-switches'
```

Output of command

```console
2024/10/13 12:30:16 Activating role '~~RoleName' in subscription '~~SubName' with reason '~~TicketNumber' (ticket: ~~TicketNumber [~~TicketSystem])
2024/10/13 12:30:22 The role '~~RoleName' in '~~SubName' is now Provisioned
```


netr0m commented 6 days ago

Hi @t4chik0ma ,

As in the Azure Portal when activating a resource, this tool issues a request to the /validation endpoint to validate the request prior to requesting activation. As such, there should be a subsequent request to the activation endpoint, which includes the reason, ticket number, and ticket system you provided. The Azure Portal (at least at the time of implementing this) included these messages (reason: "validation only call", ticketSystem: "Evaluate Only", ticketNumber: "Evaluate Only") by default, which is why I hard-coded them to override the user-provided message(s) when validating.

Could you check if that is the case for you?

I can consider implementing the validation as an optional flag (e.g. az-pim-cli activate resource [...] --validate) instead, but no other users have reported issues with the current solution (and they are seeing the correct reason/ticketNumber/ticketSystem messages for their requests)

t4chik0ma commented 1 day ago

Hi @netr0m

The TicketSystem & TicketNumber entries used during PIM are run through a function down the line in my corp whenever someone PIMs, to make sure they're accessing resources with a current and valid ticket, so currently any time I try to use az-pim-cli to initiate a PIM I'm triggering an alert, as the ticket number 'Evaluate Only' obviously does not match what would be found in our ticket system.

Is it possible to allow those to be filled dynamically instead of static with what's entered for -T (TicketNumber) and --ticket-system (TicketSystem)?

Thanks
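The two-call flow netr0m describes (a validation request carrying the portal's placeholder strings, then the activation request carrying the user's reason and ticket) together with the downstream ticket check t4chik0ma describes, as an added Go example that is not az-pim-cli's own code. The request body follows the ARM roleAssignmentScheduleRequests shape (api-version 2020-10-01), which is an assumption about what the tool sends; the `keepUserTicket` switch and `CheckTicket` are hypothetical, added to show why the placeholder trips a ticket-validation control and how keeping the user's ticket on the validation call avoids it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// ActivationOpts mirrors the flags in the reporter's command:
// -d (minutes), --reason, -T (ticket number) and --ticket-system.
type ActivationOpts struct {
	PrincipalID      string
	RoleDefinitionID string
	DurationMinutes  int
	Reason           string
	TicketNumber     string
	TicketSystem     string
}

// Placeholder strings the Azure Portal sends on its validation call,
// as described in the maintainer's reply.
const (
	ValidationReason = "validation only call"
	ValidationTicket = "Evaluate Only"
)

// Body types follow the ARM roleAssignmentScheduleRequests shape
// (api-version 2020-10-01); the project's own types are an assumption here.
type TicketInfo struct {
	TicketNumber string `json:"ticketNumber"`
	TicketSystem string `json:"ticketSystem"`
}

type Expiration struct {
	Type     string `json:"type"`
	Duration string `json:"duration"`
}

type ScheduleInfo struct {
	StartDateTime string     `json:"startDateTime"`
	Expiration    Expiration `json:"expiration"`
}

type Properties struct {
	PrincipalID      string       `json:"principalId"`
	RoleDefinitionID string       `json:"roleDefinitionId"`
	RequestType      string       `json:"requestType"`
	Justification    string       `json:"justification"`
	ScheduleInfo     ScheduleInfo `json:"scheduleInfo"`
	TicketInfo       TicketInfo   `json:"ticketInfo"`
}

type ScheduleRequest struct {
	Properties Properties `json:"properties"`
}

// RequestPath is the ARM path for the activation PUT, or the same resource
// with the /validate suffix when validateOnly is set.
func RequestPath(scope, requestName string, validateOnly bool) string {
	p := scope + "/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/" + requestName
	if validateOnly {
		p += "/validate"
	}
	return p + "?api-version=2020-10-01"
}

// BuildRequest assembles one body. With validateOnly set and keepUserTicket
// unset, the portal placeholders replace the user's reason and ticket (the
// behaviour the reporter hit). With keepUserTicket set, the user's values go
// out on the validation call as well, which is what the reporter asks for.
func BuildRequest(o ActivationOpts, start time.Time, validateOnly, keepUserTicket bool) ScheduleRequest {
	r := ScheduleRequest{Properties: Properties{
		PrincipalID:      o.PrincipalID,
		RoleDefinitionID: o.RoleDefinitionID,
		RequestType:      "SelfActivate",
		Justification:    o.Reason,
		ScheduleInfo: ScheduleInfo{
			StartDateTime: start.UTC().Format(time.RFC3339),
			Expiration:    Expiration{Type: "AfterDuration", Duration: fmt.Sprintf("PT%dM", o.DurationMinutes)},
		},
		TicketInfo: TicketInfo{TicketNumber: o.TicketNumber, TicketSystem: o.TicketSystem},
	}}
	if validateOnly && !keepUserTicket {
		r.Properties.Justification = ValidationReason
		r.Properties.TicketInfo = TicketInfo{TicketNumber: ValidationTicket, TicketSystem: ValidationTicket}
	}
	return r
}

// CheckTicket models the reporter's downstream control (hypothetical): a PIM
// request must reference a ticket that exists in the ticket system, so the
// placeholder strings fail it and raise an alert.
func CheckTicket(r ScheduleRequest, knownTickets map[string]bool) error {
	t := r.Properties.TicketInfo
	if !knownTickets[t.TicketNumber] {
		return fmt.Errorf("ticket %q in system %q not found", t.TicketNumber, t.TicketSystem)
	}
	return nil
}

func main() {
	// Constructed sample values; the IDs are placeholders, not real resources.
	opts := ActivationOpts{PrincipalID: "11111111-2222-3333-4444-555555555555",
		RoleDefinitionID: "/providers/Microsoft.Authorization/roleDefinitions/99999999-8888-7777-6666-555555555555",
		DurationMinutes: 60, Reason: "INC0012345", TicketNumber: "INC0012345", TicketSystem: "ServiceNow"}
	known := map[string]bool{"INC0012345": true} // constructed ticket-system lookup
	start := time.Date(2024, 10, 13, 12, 30, 16, 0, time.UTC)
	scope := "/subscriptions/aaaa0000-0000-0000-0000-000000000000"
	for _, s := range []struct {
		name                 string
		validate, keepTicket bool
	}{{"validation, placeholders", true, false}, {"validation, user ticket kept", true, true}, {"activation", false, false}} {
		body := BuildRequest(opts, start, s.validate, s.keepTicket)
		js, _ := json.MarshalIndent(body.Properties.TicketInfo, "", "  ")
		fmt.Printf("%s\nPUT %s\n%s\nticket check: %v\n\n", s.name, RequestPath(scope, "constructed-name", s.validate), js, CheckTicket(body, known))
	}
}
```

Run with `go run .`; the first request body fails the ticket check with "Evaluate Only", the other two pass, which is the difference between the current hard-coded placeholders and the dynamic values the reporter asks for.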