Azure-docs: Updating Custom Role Process Is Wrong
When updating a custom role, this page says to use az role definition list to grab the role, then makes changes, then az role definition update to update. The problem is that the list action returns the wrong json schema. For me it returns:
[
{
"assignableScopes": [
"/subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXXX"
],
"description": "Can create/modify resource groups and assign access.",
"id": "/subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXX/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXXXXXXXXXXXXXXXXXXXXX",
"name": "XXXXXXXXXXXXXXXXXXXXXXXXXXX",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "Custom Role",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
]
When for example, adding a scope here, and then using the update command I get Invalid role definition. A valid dictionary JSON representation is expected. What I am having to do is convert it to the format given on this page:
{
"Name": "Custom Role",
"IsCustom": true,
"Description": "Can create/modify resource groups and assign access.",
"Actions": [
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/XXXXXXXXXXXXXXXX",
"/subscriptions/XXXXXXXXXXXXXXXXXXXX"
]
}
So I think the output format for list has changed and makes you do a little more work for updating your roles (keeping the role in scm to reference).
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 8fb67af1-51c8-9ee4-a679-df70ad398b50
- Version Independent ID: 0395abbe-3c55-70fd-b129-75e63a97ba86
- Content: Create custom roles for Azure resources using Azure CLI
- Content Source: articles/role-based-access-control/custom-roles-cli.md
- Service: role-based-access-control
- GitHub Login: @rolyon
- Microsoft Alias: rolyon
snyder-riley-pfg
All 4 comments
Thanks for your comment. The feedback has been shared with the content owner for further review. Thanks for your patience.
femsulu
on 1 Jul 2019
Hi @snyder-riley-pfg
Thanks for the feedback. You are correct that when you list a custom role, the output format does not exactly match what is required for the input. I will update this article to make this more clear. I think the custom role tutorial does a little better job at communicating this.
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-cli
rolyon
on 8 Jul 2019
Thanks! I saw that other page and it helped, I just wanted to make sure this documentation was fixed to match up with the new output.
snyder-riley-pfg
on 8 Jul 2019
Thanks again @snyder-riley-pfg
We will now close this issue. If there are further questions regarding this matter, please reply and we will gladly continue the discussion.
femsulu
on 8 Jul 2019
Related issues
spottedmahn
·
3Comments
behnam89
·
3Comments
jamesgallagher-ie
·
3Comments
jebeld17
·
3Comments
paulmarshall
·
3Comments
Most helpful comment
Hi @snyder-riley-pfg
Thanks for the feedback. You are correct that when you list a custom role, the output format does not exactly match what is required for the input. I will update this article to make this more clear. I think the custom role tutorial does a little better job at communicating this.
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-cli