System assigned identity is enabled by default while assigning identity to the registry

[jikuma]

For an acr registry, if I assign an identity using "acr identity assign" command system assigned identity is enabled by default

Steps to reproduce

az acr identity show -n cmkreg1117 -g cmkregistrytest1117

{
  "principalId": null,
  "tenantId": null,
  "type": "userAssigned",
  "userAssignedIdentities": {
    "/subscriptions/<redacted>/resourcegroups/cmkregistrytest1117/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkregistrytest1117": {
      "clientId": "646f5e74-1df4-481b-a01f-8a7834d5ab25",
      "principalId": "e926fd96-1b57-4ac5-b39d-ebcfef34cfe5"
    }
  }
}

az acr identity assign -n cmkreg1117 -g cmkregistrytest1117 --identities /subscriptions//resourcegroups/cmkregistrytest1117/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkregistrytest1117 --verbose

 "identity": {
    "principalId": "6d5663e1-e20f-4544-9d3a-ceba2dcf8296",
    "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
    "type": "systemAssigned, userAssigned",
    "userAssignedIdentities": {
      "/subscriptions/<redacted>/resourcegroups/cmkregistrytest1117/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkregistrytest1117": {
        "clientId": "646f5e74-1df4-481b-a01f-8a7834d5ab25",
        "principalId": "e926fd96-1b57-4ac5-b39d-ebcfef34cfe5"
      }
    }
  }

You see that system-assigned identity was enabled by default without passing [system] in the command.

When I see the debug log, I see that the patch call has an identity type as "type": "SystemAssigned, UserAssigned"

My az version is 2.42.0

[yonzhan]

route to CXP team

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @toddysm, @luisdlp, @northtyphoon.

Issue Details

---

For an acr registry, if I assign an identity using "acr identity assign" command system assigned identity is enabled by default

Steps to reproduce

az acr identity show -n cmkreg1117 -g cmkregistrytest1117

{
  "principalId": null,
  "tenantId": null,
  "type": "userAssigned",
  "userAssignedIdentities": {
    "/subscriptions/<redacted>/resourcegroups/cmkregistrytest1117/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkregistrytest1117": {
      "clientId": "646f5e74-1df4-481b-a01f-8a7834d5ab25",
      "principalId": "e926fd96-1b57-4ac5-b39d-ebcfef34cfe5"
    }
  }
}

az acr identity assign -n cmkreg1117 -g cmkregistrytest1117 --identities /subscriptions//resourcegroups/cmkregistrytest1117/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkregistrytest1117 --verbose

 "identity": {
    "principalId": "6d5663e1-e20f-4544-9d3a-ceba2dcf8296",
    "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
    "type": "systemAssigned, userAssigned",
    "userAssignedIdentities": {
      "/subscriptions/<redacted>/resourcegroups/cmkregistrytest1117/providers/Microsoft.ManagedIdentity/userAssignedIdentities/cmkregistrytest1117": {
        "clientId": "646f5e74-1df4-481b-a01f-8a7834d5ab25",
        "principalId": "e926fd96-1b57-4ac5-b39d-ebcfef34cfe5"
      }
    }
  }

You see that system-assigned identity was enabled by default without passing [system] in the command.

When I see the debug log, I see that the patch call has an identity type as "type": "SystemAssigned, UserAssigned"

My az version is 2.42.0

Author:	jikuma
Assignees:	-
Labels:	Service Attention, Container Registry, Auto-Assign
Milestone:	-

[toddysm]

@johnsonshi Can you please follow up on the experience here?

[johnsonshi]

@lizMSFT does this bug still happen after the Tasks CLI improvements that we did as part of ACR ABAC GA?

[lizMSFT]

@johnsonshi Yes, the issue persists. https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/acr/custom.py#L533 needs to be fixed

[johnsonshi]

Ok @lizMSFT thanks for confirming this is an issue that still exists. Putting this in our backlog to pick up if we have cycles.