{CORE} Fix attempting to issue subscription token for PIM requests
Related command
az rest `
--method put `
--headers "Content-Type=application/json" `
--url "https://management.azure.com/subscriptions/XXX/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/${guid}?api-version=2020-10-01" `
--body "@$tempFile"
Description
A PUT request to Microsoft.Authorization/roleAssignmentScheduleRequests activates a role assignment in Privileged Identity Management. Activating such a role might be required for the logged-in user to even list the subscriptions on the tenant.
However, azure-cli sees the subscription ID in the request, and prior to the ARM request it tries to get an access token for that subscription, which isn't available yet. This is a chicken-and-egg problem.
It looks like a tenant-wide Bearer token is enough for this request; the subscription ID in the URL is actually the scope of the role assignment.
Important caveat: I tested this change on PUT requests for role activation.
Testing Guide
- Have a tenant your_test_tenant with PIM enabled, and a user that needs to activate a role via PIM to access the subscription.
- az login -t your_test_tenant --allow-no-subscriptions
- Activate the role with azure-cli. Example for PowerShell:
$userId = (az ad signed-in-user show --query id -o tsv)
$subscriptionId = "your_sub_id"
$roleId = "your_role_definition_id" # placeholder: GUID of the role definition to activate
$roleScope = "/subscriptions/$subscriptionId" # request role on entire subscription
$body = @{
    Properties = @{
        PrincipalId = $userId
        RoleDefinitionId = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleDefinitions/$roleId"
        RequestType = "SelfActivate"
        Justification = "xxx"
        ScheduleInfo = @{
            StartDateTime = $null
            Expiration = @{
                Duration = "PT480M" # 8 hours
                Type = "AfterDuration"
            }
        }
    }
}
# Put request body into a temporary file to avoid issues with quoting in the az rest command
# https://learn.microsoft.com/cli/azure/use-azure-cli-successfully-quoting?tabs=bash1%2Cbash2%2Cbash3#json-strings
$tempFile = [System.IO.Path]::GetTempFileName()
$guid = [guid]::NewGuid().ToString()
try {
    $body | ConvertTo-Json -Depth 10 | Out-File -FilePath $tempFile
    az rest `
        --method put `
        --headers "Content-Type=application/json" `
        --url "https://management.azure.com${roleScope}/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/${guid}?api-version=2020-10-01" `
        --body "@$tempFile" `
        --query "properties.status"
}
finally {
    # Clean up the temporary body file
    if (Test-Path $tempFile) {
        Remove-Item -Path $tempFile -Force
    }
}
History Notes
[CORE] az rest: Use tenant-wide token when working with PIM roles
This checklist is used to make sure that common guidelines for a pull request are followed.
- [x] The PR title and description have followed the guideline in Submitting Pull Requests.
- [x] I adhere to the Command Guidelines.
- [x] I adhere to the Error Handling Guidelines.
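The token-selection decision the description argues for, as an added illustration. This is not azure-cli's own implementation and not the PR's diff: the function names, the regular expressions and the constructed subscription and request GUIDs are assumptions made for the example. It contrasts the pre-fix rule (any /subscriptions/{id} in the URL means "get a token for that subscription", which fails when the subscription is not yet visible) with the fixed rule (a roleAssignmentScheduleRequests call is sent with a tenant-wide token, treating the subscription segment as the RBAC scope only).

```python
# Illustration of the token-scope decision behind this PR. Not azure-cli code;
# names, regexes and sample IDs are assumptions made for the example.
import re
from urllib.parse import urlparse

# ARM routes carry the subscription as a path segment. For a PIM activation that
# segment is only the RBAC *scope* of the role being activated, not the
# subscription the caller already has access to.
SUBSCRIPTION_IN_PATH = re.compile(r"/subscriptions/([^/?#]+)", re.IGNORECASE)
PIM_SCHEDULE_REQUEST = re.compile(
    r"/providers/Microsoft\.Authorization/roleAssignmentScheduleRequests(/|$)",
    re.IGNORECASE,
)

TENANT = "tenant"
SUBSCRIPTION = "subscription"


def legacy_token_target(url, known_subscriptions):
    """Pre-fix rule: a /subscriptions/{id} segment always selects a
    subscription-scoped token, even when the account cannot see that
    subscription yet."""
    match = SUBSCRIPTION_IN_PATH.search(urlparse(url).path)
    if not match:
        return TENANT, None
    sub_id = match.group(1).lower()
    if sub_id not in known_subscriptions:
        # The chicken-and-egg case from the description: the subscription only
        # becomes visible after the PIM activation this request performs.
        raise LookupError(f"subscription {sub_id} not found in the logged-in account")
    return SUBSCRIPTION, sub_id


def token_target(url, known_subscriptions):
    """Fixed rule: a PIM roleAssignmentScheduleRequests call gets a tenant-wide
    token regardless of the /subscriptions/{id} scope in its URL; every other
    ARM URL keeps the old behaviour."""
    if PIM_SCHEDULE_REQUEST.search(urlparse(url).path):
        return TENANT, None
    return legacy_token_target(url, known_subscriptions)


# Constructed sample data: one subscription the account can already see, and a
# PIM activation request scoped to a subscription it cannot see yet.
KNOWN_SUBSCRIPTIONS = {"11111111-1111-1111-1111-111111111111"}
PIM_URL = (
    "https://management.azure.com/subscriptions/22222222-2222-2222-2222-222222222222"
    "/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/"
    "33333333-3333-3333-3333-333333333333?api-version=2020-10-01"
)


def demo():
    """Return (legacy outcome, fixed outcome) for the constructed PIM URL."""
    fixed = token_target(PIM_URL, KNOWN_SUBSCRIPTIONS)
    try:
        legacy = legacy_token_target(PIM_URL, KNOWN_SUBSCRIPTIONS)
    except LookupError as exc:
        legacy = ("error", str(exc))
    return legacy, fixed


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)
    print("after fix: ", after)
```

The check is deliberately narrow: only the roleAssignmentScheduleRequests resource type switches to a tenant token, matching the caveat in the description that the change was tested on PUT requests for role activation and nothing broader.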
Thank you for your contribution! We will review the pull request and get back to you soon.
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.
Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). After that please run the following commands to enable git hooks:
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>