Describe the bug
The documentation for param --assignee-principal-type states that:
accepted values: Application, DirectoryObjectOrGroup, DirectoryRoleTemplate, Everyone, ForeignGroup, Group, MSI, ServicePrincipal, Unknown, User
However, running with --assignee-principal-type MSI yields:
ERROR: az role assignment create: 'MSI' is not a valid value for '--assignee-principal-type'. Allowed values: User, Group, ServicePrincipal, ForeignGroup. during pipeline run.
Running with:
az role assignment create --assignee-object-id $CLUSTER_MSI_PRINCIPAL_ID \
--role "Key Vault Crypto Service Encryption User" \
--assignee-principal-type ServicePrincipal \
--scope $CLUSTER_KV_ID
Where the $CLUSTER_MSI_PRINCIPAL_ID is fetched through:
CLUSTER_MSI_PRINCIPAL_ID=$(az identity show --name $CLUSTER_MSI \
--resource-group $CLUSTER_RG \
--query 'principalId' \
--output tsv)
as suggested in #11594 (comment) worked.
Related command
az role assignment create
Errors
ERROR: az role assignment create: 'MSI' is not a valid value for '--assignee-principal-type'. Allowed values: User, Group, ServicePrincipal, ForeignGroup.
Issue script & Debug output
CLUSTER_MSI_PRINCIPAL_ID=$(az identity show --name $CLUSTER_MSI
--resource-group $CLUSTER_RG
--query 'principalId'
--output tsv)
az role assignment create --assignee-object-id $CLUSTER_MSI_PRINCIPAL_ID
--role "Key Vault Crypto Service Encryption User"
--assignee-principal-type MSI
--scope $CLUSTER_KV_ID
Expected behavior
Consistency between CLI and documentation
Environment Summary
/usr/bin/az --version
azure-cli 2.53.0
core 2.53.0
telemetry 1.1.0
Extensions:
azure-devops 0.26.0
Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2
Additional context
No response
Describe the bug
The documentation for param
--assignee-principal-typestates that:However, running with
--assignee-principal-type MSIyields:ERROR: az role assignment create: 'MSI' is not a valid value for '--assignee-principal-type'. Allowed values: User, Group, ServicePrincipal, ForeignGroup.during pipeline run.Running with:
Where the
$CLUSTER_MSI_PRINCIPAL_IDis fetched through:as suggested in #11594 (comment) worked.
Related command
az role assignment create
Errors
ERROR: az role assignment create: 'MSI' is not a valid value for '--assignee-principal-type'. Allowed values: User, Group, ServicePrincipal, ForeignGroup.
Issue script & Debug output
CLUSTER_MSI_PRINCIPAL_ID=$(az identity show --name $CLUSTER_MSI
--resource-group $CLUSTER_RG
--query 'principalId'
--output tsv)
az role assignment create --assignee-object-id $CLUSTER_MSI_PRINCIPAL_ID
--role "Key Vault Crypto Service Encryption User"
--assignee-principal-type MSI
--scope $CLUSTER_KV_ID
Expected behavior
Consistency between CLI and documentation
Environment Summary
/usr/bin/az --version
azure-cli 2.53.0
core 2.53.0
telemetry 1.1.0
Extensions:
azure-devops 0.26.0
Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2
Additional context
No response