Azure CLI commands fail for newly granted subscriptions

[jiasli]

Symptom

Azure CLI commands fail for newly granted subscriptions.

Steps to repro:

1. Run az login with a user account or service principal. Azure CLI caches the result of ARM REST API Subscriptions - List which doesn't contain the new subscription. The cache is saved to ~/.azure/azureProfile.json.
2. The user account or service principal is granted an RBAC role assignment on a new subscription to which the user account or service principal previously doesn't have access. The subscription can be newly created.
3. Because az account set/show and --subscription only use subscription information from the local cache, they won't be able to work with that new subscription and show errors.

Different error messages can be shown:

• az account set --subscription:

  azure-cli/src/azure-cli-core/azure/cli/core/_profile.py

  Lines 516 to 518 in 060b414

  	if len(result) != 1:
  	raise CLIError("The subscription of '{}' {} in cloud '{}'.".format(
  	subscription, "doesn't exist" if not result else 'has more than one match', active_cloud.name))

• az account show --subscription:

  azure-cli/src/azure-cli-core/azure/cli/core/_profile.py

  Lines 552 to 554 in 060b414

  	if not result and subscription:
  	raise CLIError("Subscription '{}' not found. "
  	"Check the spelling and casing and try again.".format(subscription))

• az group show --subscription:

  azure-cli/src/azure-cli-core/azure/cli/core/commands/arm.py

  Lines 365 to 366 in ce3a1f1

  	if not sub_id:
  	logger.warning("Subscription '%s' not recognized.", value)

az account subscription list is not affected because this command gets the result from ARM API Subscriptions - List, instead of the local cache.

Solution

The best practice is to have subscriptions' RBAC role assignments granted before running az login.

If you have already run az login, you may refresh the local cache:

• Option 1: Run az login again
• Option 2: Run az account list --refresh, but we don't recommend using --refresh argument as it is known to be buggy in some edge cases: Refine or deprecate --refresh in az account list #20429

Additional Context

Email: Regarding issue during Azure ClI

[yonzhan]

Thank you for opening this issue, we will look into it.

[jiasli]

We received another incident today reporting a deleted subscription still shows up in the result of az account list.

The root cause is similar: az login caches the result of ARM REST API Subscriptions - List before deleting the subscription. Because az account list only uses subscription information from the local cache, it doesn't know the subscription has been deleted.

Solution: re-login with

az account clear
az login

[matsilva]

Hit the above issue when I was added to another subscription. Running az account clear and az login worked.

My armchair expert opinion would be to always fetch subscriptions from remote when the az login command is used...