[Role] RoleAssignmentProperties.principalType contains invalid values #11830

Open
@jiasli

Description

Reported by Azure/azure-cli#11594

Since the 2018-09-01-preview API, an enum called PrincipalType has been introduced.

```json
"principalType": {
  "type": "string",
  "description": "The principal type of the assigned principal ID.",
  "enum": [
    "User",
    "Group",
    "ServicePrincipal",
    "Unknown",
    "DirectoryRoleTemplate",
    "ForeignGroup",
    "Application",
    "MSI",
    "DirectoryObjectOrGroup",
    "Everyone"
  ]
}
```

It is used by the role assignment create API.

However, when I really use --assignee-principal-type MSI in a CLI command, it returns an error:

```shell
> az role assignment create --scope /subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1111 --role "Reader" --assignee-principal-type MSI --assignee-object-id 2fdcd421-c744-440d-b253-3daf68c697eb --debug
```

```
msrest.http_logger : Request URL: 'https://management.azure.com/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1111/providers/Microsoft.Authorization/roleAssignments/0a5f880e-f02f-4a3e-8799-0a09fd95cf29?api-version=2020-04-01-preview'
msrest.http_logger : Request method: 'PUT'
msrest.http_logger : Request body:
msrest.http_logger : {"properties": {"roleDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", "principalId": "2fdcd421-c744-440d-b253-3daf68c697eb", "principalType": "MSI"}}

msrest.http_logger : Response status: 400
msrest.http_logger : Response content:
msrest.http_logger : {"error":{"code":"InvalidPrincipalType","message":"The PrincipalType property 'MSI' is not valid. It must be 'User', 'Group' or 'ServicePrincipal'."}}
```

If I remove --assignee-principal-type MSI, the command starts to work.

```shell
> az role assignment create --scope /subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1111 --role "Reader" --assignee-object-id 2fdcd421-c744-440d-b253-3daf68c697eb --debug
```

```json
{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1111/providers/Microsoft.Authorization/roleAssignments/07f17302-3df0-4b50-9597-b006ad7ccbcd",
  "name": "07f17302-3df0-4b50-9597-b006ad7ccbcd",
  "principalId": "2b0e1505-73c2-4cc4-91c2-53f88521a14f",
  "principalName": "http://azure-cli-2020-11-11-05-36-53",
  "principalType": "ServicePrincipal",
  "resourceGroup": "rg1111",
  "roleDefinitionId": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/rg1111",
  "type": "Microsoft.Authorization/roleAssignments"
}
```

As discussed in the email thread:

  • BadRequestError: The PrincipalType property 'MSI' is not valid. It must be 'User', 'Group' or 'ServicePrincipal'

Only User, Group or ServicePrincipal are allowed values, and the other invalid values (which are used internally by the service) should not be exposed by principalType.
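The gap between the published enum and what the service enforces is easy to check client-side before the round trip. The following is an added example, not code from this issue, from azure-rest-api-specs or from azure-cli: it embeds the PrincipalType fragment and the 400 error text quoted above, computes which enum members the service rejects, and builds the roleAssignments PUT the CLI sends while refusing a principalType the service would reject. The helper names, the URL template and the sample scope are this example's own assumptions.

```python
"""Preflight check for Microsoft.Authorization/roleAssignments PUT bodies.

Added example; not code from the issue, azure-rest-api-specs or azure-cli.
The Swagger fragment and the error message are copied from the issue text;
helper names, the URL template and the sample scope are assumptions.
"""
import json
import uuid

# PrincipalType as published in the 2018-09-01-preview spec (copied from the issue).
SWAGGER_FRAGMENT = json.loads("""
{
  "principalType": {
    "type": "string",
    "description": "The principal type of the assigned principal ID.",
    "enum": ["User", "Group", "ServicePrincipal", "Unknown", "DirectoryRoleTemplate",
             "ForeignGroup", "Application", "MSI", "DirectoryObjectOrGroup", "Everyone"]
  }
}
""")
SPEC_ENUM = frozenset(SWAGGER_FRAGMENT["principalType"]["enum"])

# Values the service actually accepts, taken from the InvalidPrincipalType message.
SERVICE_ACCEPTED = frozenset({"User", "Group", "ServicePrincipal"})

ARM = "https://management.azure.com"
API_VERSION = "2020-04-01-preview"  # the api-version the CLI used in the debug log


def spec_only_values():
    """Enum members the spec advertises but the service rejects with 400."""
    return SPEC_ENUM - SERVICE_ACCEPTED


def validate_principal_type(value):
    """Mirror the service-side check: return the ARM error object, or None if OK.

    None (property omitted) is accepted; the service then resolves the type
    itself, which is why the second CLI command in the issue succeeds.
    """
    if value is None or value in SERVICE_ACCEPTED:
        return None
    return {"error": {"code": "InvalidPrincipalType",
                      "message": f"The PrincipalType property '{value}' is not valid. "
                                 "It must be 'User', 'Group' or 'ServicePrincipal'."}}


def build_role_assignment_put(scope, role_definition_id, principal_id,
                              principal_type=None, assignment_name=None):
    """Build (url, body) for the PUT the CLI sends, failing fast on bad input.

    Raises ValueError carrying the same error object ARM would return, so a
    caller sees the problem before making the request.
    """
    err = validate_principal_type(principal_type)
    if err is not None:
        raise ValueError(json.dumps(err))
    name = assignment_name or str(uuid.uuid4())  # role assignment name is a GUID
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{name}?api-version={API_VERSION}")
    props = {"roleDefinitionId": role_definition_id, "principalId": principal_id}
    if principal_type is not None:
        props["principalType"] = principal_type
    return url, {"properties": props}


if __name__ == "__main__":
    # Constructed sample input, matching the shape (not the values) of the issue.
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1111"
    role = "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
    print("spec-only values:", sorted(spec_only_values()))
    try:
        build_role_assignment_put(scope, role, "2fdcd421-c744-440d-b253-3daf68c697eb", "MSI")
    except ValueError as exc:
        print("rejected before sending:", exc)
    url, body = build_role_assignment_put(scope, role, "2fdcd421-c744-440d-b253-3daf68c697eb")
    print(url)
    print(json.dumps(body))
```

The accepted set is deliberately hard-coded from the service's own error text rather than read from the Swagger enum, because the enum is the thing this issue says is wrong. If a caller does need to state the type for a managed identity, the identity is represented as a service principal in Azure AD, so ServicePrincipal is the value to send; that is general Azure behaviour and not something the issue itself states.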
