'az keyvault role assignment' does not check for valid OIDs

[sfusinaz]

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

The below command should validate the --assignee parameter before creating the role assignment.

Related command

az keyvault role assignment create --hsm-name "YourMHSM" --role 'Managed HSM Crypto User' --assignee 'application_object_id' --scope /keys/keyname

Describe the bug

In the above, we can specify any Application ID as assignee and the command will execute. This triggers an error when accessing the key's RBAC assignments in the portal. The portal bug is currently being investigated.

To Reproduce

1. Create a MHSM and a key.
2. In az cli, assign a role on the key (with scope /keys/keyname), and pick an application id instead.
3. In the portal, opening the above key RBAC details will trigger an error preventing the user from managing the key's RBAC.

Expected behavior

The command should not create a role assignment if given an invalid OID.
Following the docs, Application IDs should not be allowed: Managed HSM role management

"To allow a security principal (such as a user, a service principal, group or a managed identity) to perform managed HSM data plane operations, they must be assigned a role that permits performing those operations."

Additional context

[yonzhan]

Thank you for opening this issue, we will look into it.

[neeerajaakula]

The portal screenshot we here is a separate bug on the Managed HSM portal that is being hotfixed. However, the CLI should still address the issue where an invalid OID should not be allowed.

[sfusinaz]

The portal screenshot we here is a separate bug on the Managed HSM portal that is being hotfixed. However, the CLI should still address the issue where an invalid OID should not be allowed.

The Portal is being hotfixed, should be live very soon. Thank you!

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.

Issue Details

---

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

The below command should validate the --assignee parameter before creating the role assignment.

Related command

az keyvault role assignment create --hsm-name "YourMHSM" --role 'Managed HSM Crypto User' --assignee 'application_object_id' --scope /keys/keyname

Describe the bug

In the above, we can specify any Application ID as assignee and the command will execute. This triggers an error when accessing the key's RBAC assignments in the portal. The portal bug is currently being investigated.

To Reproduce

1. Create a MHSM and a key.
2. In az cli, assign a role on the key (with scope /keys/keyname), and pick an application id instead.
3. In the portal, opening the above key RBAC details will trigger an error preventing the user from managing the key's RBAC.

Expected behavior

The command should not create a role assignment if given an invalid OID.
Following the docs, Application IDs should not be allowed: Managed HSM role management

"To allow a security principal (such as a user, a service principal, group or a managed identity) to perform managed HSM data plane operations, they must be assigned a role that permits performing those operations."

Additional context

Author:	sfusinaz
Assignees:	evelyn-ys
Labels:	KeyVault, Service Attention, question, customer-reported, Auto-Assign, Azure CLI Team
Milestone:	Backlog

[evelyn-ys]

It should be MHSM service that verifies if it's valid object id and if the role assignment should fail or not

[jlichwa]

It is correct it is nothing to do with CLI, there is no option for CLI to see if OID is correct. It is service issue. @kim-soohwan