You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit introduces a new parameter, --assignee-principal-type, to the az aks update --attach-acr command in the Azure CLI, allowing users to explicitly specify the principal type (e.g., User, Group, or ServicePrincipal) for ACR role assignment. This enhancement aims to address Role-Based Access Control (RBAC)-related errors by ensuring the correct principal type is applied during the ACR role assignment, specifically when using Azure RBAC role assignment conditions
The original --attach-acr parameter omits the principalType from the requestBody, which causes the authorization request to be invalidated when used with role assignment conditions.
The original logic is not changed, as to not break existing implementation. The optional parameter, when used, overrides the default behavior to ensure the correct principal type is applied during the ACR role assignment.
Testing Guide
Create an AKS cluster
Setup an Azure role assignment condition dependent on one of the expected principalTypes. eg: ( ( !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) ) OR ( @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Group'}) )
Run az aks update -g <rg> -n <cluster_name> --attach-acr <acr name> and notice the 403 Unauthorized exception from ARM.
Re-run the command with the new parameter --assignee-principal-type and the expected principalType and the command succeeds.
History Notes
[AKS] az aks update: Add option --assignee-principal-type to specify the principal type when using --attach-acr
This checklist is used to make sure that common guidelines for a pull request are followed.
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.
Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:
jovieir
changed the title
Add optional parameter --assignee-principal-type to az aks update --attach-acr
[AKS] Add optional parameter --assignee-principal-type to az aks update --attach-acr
May 26, 2025
jovieir
changed the title
[AKS] Add optional parameter --assignee-principal-type to az aks update --attach-acr
[AKS] Add optional parameter --assignee-principal-type to az aks update--attach-acrMay 27, 2025
not sure why the title PR is failing - the fixes are there?
[Azure CLI] Add optional parameter --assignee-principal-type to az aks update --attach-acr : missing around --assignee-principal-type ↑ ↑ [Azure CLI] Add optional parameter --assignee-principal-type to az aks update --attach-acr : missing around az aks update --attach-acr
↑ ↑
[Azure CLI] Add optional parameter --assignee-principal-type to az aks update --attach-acr : missing ` around --attach-acr
↑ ↑
[Azure CLI] Add optional parameter --assignee-principal-type to az aks update --attach-acr : please delete the last character
jovieir
changed the title
[AKS] Add optional parameter --assignee-principal-type to az aks update--attach-acr
[AKS] az aks update: Add option --assignee-principal-type to specify the principal type when using --attach-acrMay 29, 2025
Thanks @FumingZhang - Looks like CI was complaining about the resource history part on the body - and I was assuming it was the title. I've updated the title anyway as yours look better. :-)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
jovieir
requested review from
FumingZhang,
jsntcy,
yanzhudd and
zhoxing-ms
as code owners
microsoft-github-policy-service
bot
requested review from
JXavierMSFT,
northtyphoon,
rosanch,
shizhMSFT,
terencet-dev,
toddysm,
wangzelin007 and
yonzhan
Related command
az aks update --attach-acrDescription
This commit introduces a new parameter,
--assignee-principal-type,to theaz aks update --attach-acrcommand in the Azure CLI, allowing users to explicitly specify the principal type (e.g., User, Group, or ServicePrincipal) for ACR role assignment. This enhancement aims to address Role-Based Access Control (RBAC)-related errors by ensuring the correct principal type is applied during the ACR role assignment, specifically when using Azure RBAC role assignment conditionsThe original
--attach-acrparameter omits the principalType from the requestBody, which causes the authorization request to be invalidated when used with role assignment conditions.The original logic is not changed, as to not break existing implementation. The optional parameter, when used, overrides the default behavior to ensure the correct principal type is applied during the ACR role assignment.
Testing Guide
( ( !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) ) OR ( @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Group'}) )az aks update -g <rg> -n <cluster_name> --attach-acr <acr name>and notice the 403 Unauthorized exception from ARM.--assignee-principal-typeand the expected principalType and the command succeeds.History Notes
[AKS]
az aks update: Add option--assignee-principal-typeto specify the principal type when using--attach-acrThis checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.