az role definition list cannot show only built-in roles #30647

Open
jiasli opened this issue Jan 13, 2025 · 2 comments
Labels: Auto-Assign (Auto assign by bot), Azure CLI Team (The command of the issue is owned by Azure CLI team), question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that), RBAC, az role

jiasli commented Jan 13, 2025

Related command
az role definition list

Is your feature request related to a problem? Please describe.
According to https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list#list-role-definitions, the underlying Role Definitions - List REST API supports returning

  1. CustomRole + BuiltInRole
  2. only CustomRole
  3. only BuiltInRole

But in CLI, --custom-role-only only supports returning

  1. CustomRole + BuiltInRole
  2. only CustomRole

    if custom_role_only:
        roles = [r for r in roles if worker.get_role_property(r, 'role_type') == 'CustomRole']

thus losing the ability to only show BuiltInRole.

Describe the solution you'd like
az role definition list should support a --type argument that maps to the $filter=type+eq+'{type}' filter.

Describe alternatives you've considered

Additional context


yonzhan commented Jan 13, 2025

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot RBAC az role labels Jan 13, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 13, 2025

jiasli commented Jan 13, 2025

This part of the document https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list is wrong:

The following example lists all of the built-in roles.

az role definition list --custom-role-only false --output json --query '[].{roleName:roleName, description:description, roleType:roleType}'

Apparently, CustomRole are also returned:

> az role definition list --custom-role-only false --output json --query '[].{roleName:roleName, description:description, roleType:roleType}'
[
  {
    "description": "Can monitor compute, network and storage, and restart virtual machines",
    "roleName": "cli-test-roleegjwqoc",
    "roleType": "CustomRole"
  },
  {
    "description": "Can monitor compute, network and storage, and restart virtual machines",
    "roleName": "cli-test-rolelm2gk2l",
    "roleType": "CustomRole"
  },
  {
    "description": "Can monitor compute, network and storage, and restart virtual machines",
    "roleName": "cli-test-rolezp2d5bu",
    "roleType": "CustomRole"
  },
  {
    "description": "Can monitor compute, network and storage, and restart virtual machines",
    "roleName": "cli-test-rolenarrj5x",
    "roleType": "CustomRole"
  },
  {
    "description": "acr push",
    "roleName": "AcrPush",
    "roleType": "BuiltInRole"
  },
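
The three-way selection discussed in this issue, sketched as an added example (not Azure CLI's code and not part of the original thread): `list_url` builds the server-side `$filter` request, `filter_by_type` applies the same choice to output already fetched, and `unexpected` checks a listing that is meant to hold a single role type. The function names, the `2022-04-01` API version, the all-zero subscription ID and the sample records are assumptions made for illustration.

```python
from urllib.parse import quote

ROLE_TYPES = ("BuiltInRole", "CustomRole")   # the two types named in the issue
ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"                   # assumption for this example


def _check(role_type):
    if role_type is not None and role_type not in ROLE_TYPES:
        raise ValueError(f"role_type must be one of {ROLE_TYPES} or None")


def list_url(scope, role_type=None):
    """Role Definitions - List URL; role_type=None returns both types."""
    _check(role_type)
    url = (f"{ARM}/{scope.strip('/')}/providers/Microsoft.Authorization"
           f"/roleDefinitions?api-version={API_VERSION}")
    if role_type:
        # $filter=type eq '{type}', with spaces percent-encoded
        url += "&$filter=" + quote(f"type eq '{role_type}'", safe="'")
    return url


def filter_by_type(roles, role_type=None):
    """Client-side equivalent for records shaped like the CLI output above."""
    _check(role_type)
    if role_type is None:
        return list(roles)
    return [r for r in roles if r.get("roleType") == role_type]


def unexpected(roles, expected_type):
    """Names of roles that do not belong in a listing of expected_type."""
    _check(expected_type)
    return [r["roleName"] for r in roles if r.get("roleType") != expected_type]


# Constructed sample, abridged from the output quoted in the issue.
SAMPLE = [
    {"roleName": "cli-test-roleegjwqoc", "roleType": "CustomRole"},
    {"roleName": "cli-test-rolelm2gk2l", "roleType": "CustomRole"},
    {"roleName": "AcrPush", "roleType": "BuiltInRole"},
]
SCOPE = "subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

if __name__ == "__main__":
    print(list_url(SCOPE, "BuiltInRole"))
    print(filter_by_type(SAMPLE, "BuiltInRole"))
    print(unexpected(SAMPLE, "BuiltInRole"))
```

Running `unexpected` over a listing that was supposed to contain only built-in roles surfaces any custom roles that slipped in, which matters when the listing feeds an RBAC review.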
