[Feature Request] az role assignment list/delete: Make --scope a required argument #30471

Open
jiasli opened this issue Dec 5, 2024 · 1 comment · May be fixed by #30472
Labels: Auto-Assign (Auto assign by bot); Azure CLI Team (The command of the issue is owned by Azure CLI team); question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that); RBAC (az role)

@jiasli
Member

jiasli commented Dec 5, 2024

#27651 made --scope a required argument for az role assignment create.

I propose making --scope a required argument for az role assignment list/delete too, as explained below:

az role assignment list

Even though the output of this command contains no secret, it contains PII - the email address of the assignee:

  {
    "id": "/subscriptions/xxx/providers/Microsoft.Authorization/roleAssignments/xxx",
    "principalId": "xxx",
    "principalName": "xxx#EXT#@xxx.onmicrosoft.com",
    "principalType": "User",
    ...
  }

Without specifying --scope, this command lists all role assignments under the current subscription. The PII can be saved into build logs, such as GitHub Action logs. Therefore, we should ask the user to explicitly specify the scope under which role assignments should be listed to avoid showing PII as much as possible.

az role assignment delete

#13577 made a very nice metaphor: This command is an insane footgun. Without specifying --scope, it deletes all role assignments under the current subscription. We should ask the user to explicitly specify the scope under which role assignments should be deleted to avoid unexpectedly nuking the whole subscription.

Making --scope a required argument aligns all create, list and delete commands to have a consistent interface.
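
An added example, not part of the issue and not Azure CLI code: a CI script can enforce the rule proposed above by wrapping `az` in a shell guard that rejects `az role assignment list/delete` when no `--scope` value is given. The names `scope_check` and the wrapper function are hypothetical, and the guard assumes `role assignment` are the first arguments after `az`.

```shell
# Added example (hypothetical helper, not part of Azure CLI).
# scope_check ARGS... : return 0 if the invocation is allowed, 1 if it is
# `role assignment list|delete` without an explicit, non-empty --scope value.
scope_check() {
    # Only `role assignment list` and `role assignment delete` are guarded.
    [ "$1" = "role" ] && [ "$2" = "assignment" ] || return 0
    case "$3" in
        list|delete) ;;
        *) return 0 ;;
    esac
    shift 3
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --scope=?*) return 0 ;;          # --scope=<value>
            --scope)
                # A value must follow and must not be another option.
                case "${2:-}" in
                    ""|-*) return 1 ;;
                    *) return 0 ;;
                esac ;;
        esac
        shift
    done
    return 1                                 # no --scope seen
}

# Wrapper: source this file in a pipeline step so every later `az` call in
# that shell goes through the guard before reaching the real CLI.
az() {
    if ! scope_check "$@"; then
        echo "refusing: 'az role assignment $3' without --scope" >&2
        return 2
    fi
    command az "$@"
}
```

Sourcing this before the pipeline's own commands makes an unscoped `list` fail instead of writing every assignee's principalName into the build log, and makes an unscoped `delete` fail instead of running against the whole subscription.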

@yonzhan
Collaborator

yonzhan commented Dec 5, 2024

Thank you for opening this issue, we will look into it.
