
az keyvault role assignment create documentation mismatch #27526

Description

@CasperGN

Describe the bug

The documentation for param --assignee-principal-type states that:

accepted values: Application, DirectoryObjectOrGroup, DirectoryRoleTemplate, Everyone, ForeignGroup, Group, MSI, ServicePrincipal, Unknown, User

However, running with --assignee-principal-type MSI during a pipeline run yields:

ERROR: az role assignment create: 'MSI' is not a valid value for '--assignee-principal-type'. Allowed values: User, Group, ServicePrincipal, ForeignGroup.

Running with:

az role assignment create --assignee-object-id $CLUSTER_MSI_PRINCIPAL_ID \
  --role "Key Vault Crypto Service Encryption User" \
  --assignee-principal-type ServicePrincipal \
  --scope $CLUSTER_KV_ID

Where the $CLUSTER_MSI_PRINCIPAL_ID is fetched through:

CLUSTER_MSI_PRINCIPAL_ID=$(az identity show --name $CLUSTER_MSI \
  --resource-group $CLUSTER_RG \
  --query 'principalId' \
  --output tsv)

as suggested in #11594 (comment), worked.

Related command

az role assignment create

Errors

ERROR: az role assignment create: 'MSI' is not a valid value for '--assignee-principal-type'. Allowed values: User, Group, ServicePrincipal, ForeignGroup.

Issue script & Debug output

CLUSTER_MSI_PRINCIPAL_ID=$(az identity show --name $CLUSTER_MSI \
  --resource-group $CLUSTER_RG \
  --query 'principalId' \
  --output tsv)

az role assignment create --assignee-object-id $CLUSTER_MSI_PRINCIPAL_ID \
  --role "Key Vault Crypto Service Encryption User" \
  --assignee-principal-type MSI \
  --scope $CLUSTER_KV_ID

Expected behavior

Consistency between CLI and documentation

Environment Summary

/usr/bin/az --version
azure-cli 2.53.0

core 2.53.0
telemetry 1.1.0

Extensions:
azure-devops 0.26.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Additional context

No response
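An added example (not part of the issue or of the Azure CLI) that wraps the reporter's two commands in a script which checks `--assignee-principal-type` against the values the CLI actually accepts (taken from the error above, with MSI mapped to ServicePrincipal, which is what worked here) before any API call is made. The identity name, resource group, Key Vault id and the `AZ_CMD` override are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight the principal type, then resolve the managed
# identity's principalId and create the role assignment as the issue shows.
# AZ_CMD is a hypothetical override so the az CLI can be stubbed in a test.
set -eu

AZ_CMD="${AZ_CMD:-az}"

# Values azure-cli 2.53.0 accepted according to the error message in the issue.
CLI_ACCEPTED_TYPES="User Group ServicePrincipal ForeignGroup"

# Map a documented value to one the CLI accepts. A managed identity is backed
# by a service principal, which is why ServicePrincipal worked for the reporter.
normalize_principal_type() {
  requested="$1"
  case "$requested" in
    MSI) echo "ServicePrincipal" ;;
    *)
      for accepted in $CLI_ACCEPTED_TYPES; do
        [ "$accepted" = "$requested" ] && { echo "$accepted"; return 0; }
      done
      echo "unsupported --assignee-principal-type: $requested" >&2
      return 1
      ;;
  esac
}

# Look up the principalId of a user-assigned identity (assumes the identity
# exists and the caller is already logged in).
msi_principal_id() {
  "$AZ_CMD" identity show --name "$1" --resource-group "$2" \
    --query 'principalId' --output tsv
}

# Create the Key Vault role assignment, validating the principal type first so
# a value the CLI rejects fails locally instead of mid-pipeline.
assign_kv_crypto_role() {
  identity="$1"; rg="$2"; kv_id="$3"; requested_type="${4:-MSI}"
  ptype=$(normalize_principal_type "$requested_type") || return 1
  principal_id=$(msi_principal_id "$identity" "$rg")
  "$AZ_CMD" role assignment create --assignee-object-id "$principal_id" \
    --role "Key Vault Crypto Service Encryption User" \
    --assignee-principal-type "$ptype" \
    --scope "$kv_id"
}
```

Run it as `assign_kv_crypto_role "$CLUSTER_MSI" "$CLUSTER_RG" "$CLUSTER_KV_ID" MSI`; the check catches every value the docs list but the CLI rejects (Application, Everyone, Unknown, ...) before `az` is invoked.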
