Skip to content

Commit 7af895a

Browse files
authored
{AKS} Set principalType when creating role assignments (#33586)
1 parent 7e90af0 commit 7af895a

2 files changed

Lines changed: 12 additions & 0 deletions

File tree

src/azure-cli/azure/cli/command_modules/acs/_roleassignments.py

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -100,6 +100,14 @@ def add_role_assignment_executor(cmd, role, assignee, resource_group_name=None,
100100

101101
def add_role_assignment(cmd, role, service_principal_msi_id, is_service_principal=True,
102102
delay=2, scope=None, assignee_principal_type=None):
103+
# Every caller of add_role_assignment targets either a service principal or a managed
104+
# identity, both of which are represented as a ServicePrincipal in Microsoft Entra ID.
105+
# Explicitly setting the principal type lets the Authorization RP skip the Entra ID
106+
# existence check, which avoids PrincipalNotFound failures caused by replication delay
107+
# for freshly created identities.
108+
if assignee_principal_type is None:
109+
assignee_principal_type = "ServicePrincipal"
110+
103111
# AAD can have delays in propagating data, so sleep and retry
104112
hook = cmd.cli_ctx.get_progress_controller(True)
105113
hook.add(message="Waiting for AAD role to propagate", value=0, total_val=1.0)

src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8356,12 +8356,16 @@ def postprocessing_after_mc_created(self, cluster: ManagedCluster) -> None:
83568356
except Exception as e: # pylint: disable=broad-except
83578357
logger.warning("Could not get signed in user: %s", str(e))
83588358
else:
8359+
# signed_in_user_get() calls Graph /me, which only succeeds for a delegated
8360+
# (interactive) user; service principal / managed identity logins raise GraphError
8361+
# and are handled by the except branch above. So the assignee here is always a User.
83598362
self.context.external_functions.add_role_assignment_executor( # type: ignore # pylint: disable=protected-access
83608363
self.cmd,
83618364
"Azure Kubernetes Service RBAC Cluster Admin",
83628365
user["id"],
83638366
scope=cluster.id,
83648367
resolve_assignee=False,
8368+
assignee_principal_type="User",
83658369
)
83668370

83678371
def put_mc(self, mc: ManagedCluster) -> ManagedCluster:

0 commit comments

Comments
 (0)