diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py
index 48ac4b748f1..28561c24222 100644
--- a/src/azure-cli/azure/cli/command_modules/role/_help.py
+++ b/src/azure-cli/azure/cli/command_modules/role/_help.py
@@ -685,22 +685,23 @@ helps['role assignment create'] = """ type: command short-summary: Create a new role assignment for a user, group, or service principal. +long-summary: >- + --scope argument will become required for creating a role assignment in the breaking change release of the fall + of 2023. Please explicitly specify --scope. examples: - - name: Create role assignment for an assignee. - text: az role assignment create --assignee sp_name --role a_role + - name: Create role assignment to grant the specified assignee the Reader role on an Azure virtual machine. + text: az role assignment create --assignee sp_name --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVm - name: Create role assignment for an assignee with description and condition. text: >- - az role assignment create --role "Owner" --assignee "John.Doe@Contoso.com" + az role assignment create --role Owner + --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.Storage/storageAccounts/MyStorageAccount + --assignee "John.Doe@Contoso.com" --description "Role assignment foo to check on bar" --condition "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals 'foo'" --condition-version "2.0" supported-profiles: latest - - name: Create a new role assignment for a user, group, or service principal. (autogenerated) - text: | - az role assignment create --assignee 00000000-0000-0000-0000-000000000000 --role "Storage Account Key Operator Service Role" --scope $id - crafted: true - name: Create role assignment with your own assignment name. 
- text: az role assignment create --assignee-object-id 00000000-0000-0000-0000-000000000000 --assignee-principal-type ServicePrincipal --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000 --name 00000000-0000-0000-0000-000000000000 + text: az role assignment create --assignee-object-id 00000000-0000-0000-0000-000000000000 --assignee-principal-type ServicePrincipal --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup --name 00000000-0000-0000-0000-000000000000 """ diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py index 1f46363b0a7..fe1fa3bc347 100644 --- a/src/azure-cli/azure/cli/command_modules/role/custom.py +++ b/src/azure-cli/azure/cli/command_modules/role/custom.py @@ -50,6 +50,10 @@ "The output includes credentials that you must protect. Be sure that you do not include these credentials in " "your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli") +SCOPE_WARNING = ( + "--scope argument will become required for creating a role assignment in the breaking change release of the fall " + "of 2023. Please explicitly specify --scope.") + logger = get_logger(__name__) # pylint: disable=too-many-lines, protected-access @@ -148,6 +152,9 @@ def create_role_assignment(cmd, role, assignee=None, assignee_object_id=None, re scope=None, assignee_principal_type=None, description=None, condition=None, condition_version=None, assignment_name=None): """Check parameters are provided correctly, then call _create_role_assignment.""" + if not scope: + logger.warning(SCOPE_WARNING) + if bool(assignee) == bool(assignee_object_id): raise CLIError('usage error: --assignee STRING | --assignee-object-id GUID')
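Review bot: The `if not scope:` warning added at the top of `create_role_assignment` says `--scope` will become required, but it does not say which scope this invocation is about to use, so a caller who omits the flag cannot tell from the output how broadly the role is being granted. The effective scope is resolved outside this hunk (presumably from the resource group or the subscription, to be confirmed), and for least privilege the warning is more useful if emitted after that resolution and naming the value, e.g. `logger.warning("%s Scope used for this assignment: %s", SCOPE_WARNING, resolved_scope)`, where `resolved_scope` stands for whatever the function computes. The check also runs before the `--assignee` / `--assignee-object-id` usage check, so an invalid invocation prints the deprecation warning and then fails with `CLIError`; placing it below that guard avoids the noise. The function body continues past the end of the hunk.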