--query not usable on "az role assignment list --all"

[njefsky]

Describe the bug

az role assignment list --all --query [?principalName==``""``].id --output tsv
gives following wrong error:
group or scope are not required when --all is used

Related command

az role assignment list

Errors

group or scope are not required when --all is used

Issue script & Debug output

az role assignment list --all --query [?principalName==``""``].id --output tsv --debug
cli.knack.cli: Command arguments: ['role', 'assignment', 'list', '--all', '--query', '[?principalName==``].id', '--output', 'tsv', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000023A3D56B880>, <function OutputProducer.on_global_arguments at 0x0000023A3D6F6020>, <function CLIQuery.on_global_arguments at 0x0000023A3D723BA0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'role': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.009 17 61
cli.azure.cli.core: Total (1) 0.009 17 61
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : role assignment list
cli.azure.cli.core: Command table: role assignment list
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0000023A4054AA20>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\11030493.azure\commands\2024-02-21.11-32-21.role_assignment_list.36520.log'.
az_command_data_logger: command args: role assignment list --all --query {} --output {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x0000023A405ACFE0>]
cli.knack.commands: Configured default 'EVGatewaytest' for arg resource_group_name
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x0000023A405AD080>, <function register_cache_arguments..add_cache_arguments at 0x0000023A405AD1C0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0000023A3D6F60C0>, <function CLIQuery.handle_query_parameter at 0x0000023A3D723C40>, <function register_ids_argument..parse_ids_arguments at 0x0000023A405AD120>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=AuthorizationManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\11030493\.azure\service_principal_entries.bin', encrypt=True
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\11030493\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\11030493.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/3d2d2b6f-061a-48b6-b4b3-9312d687e3a1/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/3d2d2b6f-061a-48b6-b4b3-9312d687e3a1/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/3d2d2b6f-061a-48b6-b4b3-9312d687e3a1/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/3d2d2b6f-061a-48b6-b4b3-9312d687e3a1/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/3d2d2b6f-061a-48b6-b4b3-9312d687e3a1/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/3d2d2b6f-061a-48b6-b4b3-9312d687e3a1/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/3d2d2b6f-061a-48b6-b4b3-9312d687e3a1/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 664, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 729, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 698, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 334, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 223, in list_role_assignments
knack.util.CLIError: group or scope are not required when --all is used

cli.azure.cli.core.azclierror: group or scope are not required when --all is used
az_command_data_logger: group or scope are not required when --all is used
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0000023A4054ACA0>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 1.006 seconds (init: 0.548, invoke: 0.458)
cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 62, in
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 55, in
SystemExit: 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/decorators.py", line 79, in _wrapped_func
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/telemetry.py", line 532, in _get_secrets_warning_config
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/config.py", line 147, in getboolean
ValueError: Not a boolean: None

telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3465 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init_.pyc C:\Users\11030493.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

return the ids that are not assigned to a principal.

Environment Summary

az version
{
"azure-cli": "2.57.0",
"azure-cli-core": "2.57.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"application-insights": "1.2.0",
"authV2": "0.1.3",
"azure-devops": "0.26.0",
"cosmosdb-preview": "0.26.0",
"log-analytics": "0.2.2",
"storage-preview": "1.0.0b1",
"webpubsub": "1.4.0"
}
}

Additional context

This used to work in older versions, can not specify which however.
Script used for deleting role assignments that have deleted principalNames.

$ids = az role assignment list --all --query [?principalName==``""``].id --output tsv
az role assignment delete --ids @ids

[yonzhan]

Thank you for opening this issue, we will look into it.

[emanjogu]

I also had an issue listing role assignments for a Service Principal for a clients AKS cluster that I am updating the Service Principal for tonight. I also got the error
ERROR: cli.azure.cli.core.azclierror: group or scope are not required when --all is used

I discovered that I had some kind of default value set for resource group in Azure CLI by running
az group show
The group I had set was the one named in the log line
cli.knack.commands: Configured default 'EVGatewaytest' for arg resource_group_name
in the original problem description above.

The workaround I found was to issue the following command (set default resource group to empty string):
az configure --defaults group=''

I don't see this as a solution, but maybe it will work as a temporary workaround for others too.