Azure-cli: Authorization issue when calling az policy assignment create with policy id.

Created on 13 May 2018 · 4 comments · Source: Azure/azure-cli

Describe the bug
If I run:

az policy assignment create --name 'Allowed locations' --policy "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" -p '{\"listOfAllowedLocations\":{\"value\":[\"westeurope\",\"northeurope\",\"eastus\"]}}' -g 'Resource Group Name'

I get the following error:

The client 'live.com#[my account] with object id '[GUID]' does not have authorization to perform action 'Microsoft.Authorization/policyDefinitions/Microsoft.Authorization/e56962a6-4747-49cd-b67b-bf8b01975c4c/read' over scope '/providers/Microsoft.Authorization/policyDefinitions/providers/Microsoft.Authorization/policyDefinitions'.

To Reproduce
Run:
az policy assignment create --name 'Allowed locations' --policy "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" -p '{\"listOfAllowedLocations\":{\"value\":[\"westeurope\",\"northeurope\",\"eastus\"]}}' -g 'Resource Group Name'

Expected behavior
The CLI help (az policy assignment create -h) states: --policy: Name or id of the policy definition. Therefore I expect the same result as when running the command with just the name of the policy:

az policy assignment create --name 'Allowed locations' --policy "e56962a6-4747-49cd-b67b-bf8b01975c4c" -p '{\"listOfAllowedLocations\":{\"value\":[\"westeurope\",\"northeurope\",\"eastus\"]}}' -g 'Resource Group Name'

which results in:

{
  "description": null,
  "displayName": null,
  "id": "/subscriptions/[subscription id]/resourceGroups/[resource group]/providers/Microsoft.Authorization/policyAssignments/Allowed locations",
  "metadata": null,
  "name": "Allowed locations",
  "notScopes": null,
  "parameters": {
    "listOfAllowedLocations": {
      "value": [
        "westeurope",
        "northeurope",
        "eastus"
      ]
    }
  },
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
  "resourceGroup": "[resource group]",
  "scope": "/subscriptions/[subscription id]/resourceGroups/[resource group]",
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "type": "Microsoft.Authorization/policyAssignments"
}

Environment summary
azure-cli (2.0.31)
Python (Windows) 3.6.1 (v3.6.1:69c0db5, Mar 21 2017, 17:54:52) [MSC v.1900 32 bit (Intel)]

Additional context
Thanks for your work and help!

Authorization-cli Policy RBAC question


Howdy,

Thanks for the high-quality repro, it made approaching this issue easy. The issue you're encountering is that the policy ID that you're providing does not include a subscription ID and is therefore not matching this regex. You can fix this issue by adding /subscriptions/${AZURE_SUBSCRIPTION_ID} to the front of the value you're currently providing for --policy.

That said, the error message that is returned is pretty unhelpful. I'm going to spend a little more time this afternoon seeing if there's something I can do to fix that before closing this issue.

Frustratingly, it seems like if you run:

az policy assignment create --name 'Allowed locations' --policy "ni" -p '{"listOfAllowedLocations":{"value":["westeurope","northeurope","eastus"]}}' -g 'Resource Group Name'

you get back a reasonably good error message: "The policy definition 'ni' could not be found." But if you run:

az policy assignment create --name 'Allowed locations' --policy "knights/ni" -p '{"listOfAllowedLocations":{"value":["westeurope","northeurope","eastus"]}}' -g 'Resource Group Name'

you get the same error message you saw.

I've opened an issue in the Swagger repository, so that hopefully all languages benefit. However, for the meantime, I'm going to add a check to ensure that the CLI handles this more gracefully.

I'm going to unassign myself from this, as we're blocked until the next version (the current version is 0.6.0 at time of writing.)

add to S165.
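The comments above describe two things: a definition ID is only recognised as an ID when it carries a /subscriptions/<id> prefix, and any other value containing a slash falls through to an unhelpful authorization error from the service. The following is an added example, not azure-cli's own code, of the kind of pre-flight check a client can run on the --policy value before calling the API: it passes bare names through, accepts subscription-scoped IDs, rewrites a tenant-scoped built-in ID with the subscription prefix the maintainer recommends, and rejects anything else with a readable message. The regexes are an assumption modelled on the comment's description, not the CLI's actual pattern, and the subscription ID is a constructed placeholder.

```python
import re

# Assumed patterns modelled on the comment above, not azure-cli's own regex:
# a definition ID is only treated as an ID when it starts with /subscriptions/<id>.
_SUBSCRIPTION_SCOPED = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/providers/Microsoft\.Authorization/"
    r"policyDefinitions/(?P<name>[^/]+)$",
    re.IGNORECASE,
)
# Tenant-scoped form used by built-in definitions (the form the reporter passed).
_TENANT_SCOPED = re.compile(
    r"^/providers/Microsoft\.Authorization/policyDefinitions/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def normalize_policy_ref(value, subscription_id):
    """Return (kind, value_to_send) for a --policy argument.

    kind is "name" for a bare definition name and "id" for a full resource ID.
    A tenant-scoped ID is rewritten with the /subscriptions/<id> prefix the
    comment recommends; any other value containing a slash is rejected locally
    with a clear message instead of surfacing as an authorization error.
    """
    value = value.strip()
    if not value:
        raise ValueError("--policy must not be empty")
    if "/" not in value:
        # Bare definition name: the service resolves it, as the reporter observed.
        return "name", value
    if _SUBSCRIPTION_SCOPED.match(value):
        # Already in the shape the CLI's ID detection expects.
        return "id", value
    if _TENANT_SCOPED.match(value):
        # Apply the maintainer's suggested fix: prepend the subscription scope.
        return "id", "/subscriptions/%s%s" % (subscription_id, value)
    raise ValueError(
        "'%s' is neither a policy definition name nor a definition ID of the form "
        "/subscriptions/<id>/providers/Microsoft.Authorization/policyDefinitions/<name>"
        % value
    )


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # constructed placeholder subscription
    for ref in (
        "e56962a6-4747-49cd-b67b-bf8b01975c4c",
        "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
        "knights/ni",
    ):
        try:
            print(ref, "->", normalize_policy_ref(ref, sub))
        except ValueError as exc:
            print(ref, "-> rejected:", exc)
```

The check deliberately fails closed: a value such as "knights/ni" never reaches the service, so the user sees what was wrong with the argument rather than a misleading "does not have authorization" message against a mangled scope.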
