Symptom
Azure CLI commands fail for newly granted subscriptions.
Steps to repro:
- Run az login with a user account or service principal. Azure CLI caches the result of ARM REST API Subscriptions - List which doesn't contain the new subscription. The cache is saved to ~/.azure/azureProfile.json.
- The user account or service principal is granted an RBAC role assignment on a new subscription to which the user account or service principal previously didn't have access. The subscription can be newly created.
- Because az account set/show and --subscription only use subscription information from the local cache, they won't be able to work with that new subscription and show errors.
Different error messages can be shown:
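az account set --subscription (azure-cli/src/azure-cli-core/azure/cli/core/_profile.py, lines 516 to 518 in 060b414):

```python
if len(result) != 1:
    raise CLIError("The subscription of '{}' {} in cloud '{}'.".format(
        subscription, "doesn't exist" if not result else 'has more than one match', active_cloud.name))
```

az account show --subscription (azure-cli/src/azure-cli-core/azure/cli/core/_profile.py, lines 552 to 554 in 060b414):

```python
if not result and subscription:
    raise CLIError("Subscription '{}' not found. "
                   "Check the spelling and casing and try again.".format(subscription))
```

az group show --subscription (azure-cli/src/azure-cli-core/azure/cli/core/commands/arm.py, lines 365 to 366 in ce3a1f1):

```python
if not sub_id:
    logger.warning("Subscription '%s' not recognized.", value)
```
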
az account subscription list is not affected because this command gets the result from ARM API Subscriptions - List, instead of the local cache.
Solution
The best practice is to have subscriptions' RBAC role assignments granted before running az login.
If you have already run az login, you may refresh the local cache:
- az login again
- az account list --refresh, but we don't recommend using --refresh argument as it is known to be buggy in some edge cases: Refine or deprecate --refresh in az account list #20429
Additional Context
Email: Regarding issue during Azure ClI
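The following is an added example, not part of the original issue and not Azure CLI's own code. It compares a cached azureProfile.json against a fresh subscription listing to show which subscriptions a cache-only lookup would miss and which cached entries are no longer returned by ARM. The JSON layouts (cache entries with "id" and "name", listing entries with "subscriptionId" and "displayName"), the function names and all sample values are assumptions constructed for illustration.

```python
import json

# Constructed sample cache (assumed layout: "subscriptions" entries with "id"
# and "name"); a BOM is prepended to exercise the utf-8-sig decoding below.
SAMPLE_PROFILE = b"\xef\xbb\xbf" + json.dumps({"subscriptions": [
    {"id": "00000000-0000-0000-0000-000000000001", "name": "Prod"},
    {"id": "00000000-0000-0000-0000-000000000003", "name": "Old-Sandbox"},
]}).encode("utf-8")

# Constructed sample of a fresh listing (assumed keys: subscriptionId, displayName).
SAMPLE_ARM = [
    {"subscriptionId": "00000000-0000-0000-0000-000000000001", "displayName": "Prod"},
    {"subscriptionId": "00000000-0000-0000-0000-000000000002", "displayName": "New-Project"},
]


def load_cached_subscriptions(raw):
    """Parse the cache file's bytes; utf-8-sig tolerates a leading BOM."""
    return json.loads(raw.decode("utf-8-sig")).get("subscriptions", [])


def lookup(cache, id_or_name):
    """Simplified stand-in for a cache-only lookup: case-insensitive match on id or name."""
    key = id_or_name.lower()
    return [s for s in cache if key in (s["id"].lower(), s["name"].lower())]


def diff_cache(cache, arm_subs):
    """Return (missing_from_cache, stale_in_cache) as sorted lists of subscription ids."""
    cached = {s["id"].lower() for s in cache}
    live = {s["subscriptionId"].lower() for s in arm_subs}
    return sorted(live - cached), sorted(cached - live)


if __name__ == "__main__":
    cache = load_cached_subscriptions(SAMPLE_PROFILE)
    missing, stale = diff_cache(cache, SAMPLE_ARM)
    # Granted after login: a cache-only lookup finds nothing for these.
    print("missing from cache:", missing)
    # Cached at login but absent from the fresh listing (e.g. access removed).
    print("stale in cache:", stale)
    print("lookup('New-Project'):", lookup(cache, "New-Project"))
```

To run it against real data, pass the bytes of ~/.azure/azureProfile.json and the parsed JSON output of az account subscription list instead of the constructed samples.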