[Compute] `az vm/vmss identity assign`: Add warning log and modify help to inform that the default value Contributor of `--role` will be removed #25283

zhoxing-ms · 2023-01-30T09:34:43Z

Related command

az vm/vmss identity assign

Description

Similar to #20924

As the security team raised the security concern: the permission of Contributor is too high to be used as the default role for az vm/vmss identity assign, so the default value Contributor of --role will be removed in the future.
Therefore, the first step is to prompt users that parameters --role and --scope should be passed in at the same time when assigning role to the managed identity to reduce the impact of breaking change.

The specific effects are as follows:

warning message
help message
help example

Testing Guide

History Notes

[Component Name 1] BREAKING CHANGE: az command a: Make some customer-facing breaking change
[Component Name 2] az command b: Add some customer-facing feature

This checklist is used to make sure that common guidelines for a pull request are followed.

The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.

yonzhan · 2023-01-30T11:11:11Z

Compute warning refinement

…sign_security_issue

zhoxing-ms · 2023-02-23T08:25:03Z

@dcaro Could you please help review this PR?

dcaro · 2023-02-24T06:50:09Z

@zhoxing-ms can you reuse the messages that have been discussed in #24755 ?
cc: @dbradish-microsoft

zhoxing-ms · 2023-02-27T08:47:26Z

@dcaro Thanks for your suggestion, I have reused the description of timeline as in the breaking change release of the fall
For other parts, I have reused the previous descriptions in similar requirements #20924 for az vm/vmss create

dbradish-microsoft · 2023-02-27T18:32:48Z

@dcaro, From a doc's perspective, there are 770 GitHub lines that have various combinations of az vm/vmss identity + --role and/or --scope. In March 2022, we made a pass through all docs removing any default dependency on --role and explicitly specifying both --role and --scope. When this change is pushed to production, please give me a 30-day heads-up if possible so I can make a 2nd pass and make sure both docs and auto-generated reference content are ready to go. Thank you.

src/azure-cli/azure/cli/command_modules/vm/_help.py

azure-client-tools-bot-prd · 2023-03-02T09:56:51Z

️✔️acr

️✔️acs

️✔️advisor

️✔️ams

️✔️apim

️✔️appconfig

️✔️appservice

️✔️aro

️✔️backup

️✔️batch

️✔️batchai

️✔️billing

️✔️botservice

️✔️cdn

️✔️cloud

️✔️cognitiveservices

️✔️config

️✔️configure

️✔️consumption

️✔️container

️✔️core

️✔️cosmosdb

️✔️databoxedge

️✔️dla

️✔️dls

️✔️dms

️✔️eventgrid

️✔️eventhubs

️✔️feedback

️✔️find

️✔️hdinsight

️✔️identity

️✔️iot

️✔️keyvault

️✔️kusto

️✔️lab

️✔️managedservices

️✔️maps

️✔️marketplaceordering

️✔️monitor

️✔️natgateway

️✔️netappfiles

️✔️network

️✔️policyinsights

️✔️privatedns

️✔️profile

️✔️rdbms

️✔️redis

️✔️relay

️✔️resource

️✔️role

️✔️search

️✔️security

️✔️servicebus

️✔️serviceconnector

️✔️servicefabric

️✔️signalr

️✔️sql

️✔️sqlvm

️✔️storage

️✔️synapse

️✔️telemetry

️✔️util

️✔️vm

…lp to inform that the default value Contributor of `--role` will be removed (Azure#25283)

Add warning log for removing default role

06da5d7

ghost requested review from jiasli and yonzhan January 30, 2023 09:34

ghost added the Auto-Assign Auto assign by bot label Jan 30, 2023

ghost assigned jiasli Jan 30, 2023

ghost added this to the Feb 2023 (2023-03-07) milestone Jan 30, 2023

ghost added the RBAC az role label Jan 30, 2023

zhoxing-ms changed the title ~~Add warning log for removing default role~~ [Compute] az vm/vmss identity assign: Add warning log and modify help to inform that the default value Contributor of --role will be removed Jan 30, 2023

Merge branch 'dev' of github.com:Azure/azure-cli into fix_identity_as…

bfba352

…sign_security_issue

zhoxing-ms requested a review from dcaro February 23, 2023 08:24

Refine the description of timeline

e6df3dc

zhoxing-ms marked this pull request as ready for review February 27, 2023 08:44

zhoxing-ms requested review from jsntcy, wangzelin007 and yanzhudd as code owners February 27, 2023 08:44

jiasli assigned zhoxing-ms and unassigned jiasli Mar 2, 2023

jiasli modified the milestones: Feb 2023 (2023-03-07), Backlog Mar 2, 2023

yanzhudd reviewed Mar 2, 2023

View reviewed changes

src/azure-cli/azure/cli/command_modules/vm/_help.py Outdated Show resolved Hide resolved

yanzhudd reviewed Mar 2, 2023

View reviewed changes

src/azure-cli/azure/cli/command_modules/vm/_help.py Outdated Show resolved Hide resolved

Update the mock subid

003e134

yanzhudd approved these changes Mar 2, 2023

View reviewed changes

zhoxing-ms modified the milestones: Backlog, Feb 2023 (2023-03-07) Mar 2, 2023

jsntcy approved these changes Mar 3, 2023

View reviewed changes

zhoxing-ms merged commit 98d6851 into Azure:dev Mar 3, 2023

avgale pushed a commit to avgale/azure-cli that referenced this pull request Aug 24, 2023

[Compute] az vm/vmss identity assign: Add warning log and modify he…

b039479

…lp to inform that the default value Contributor of `--role` will be removed (Azure#25283)

jiasli mentioned this pull request Oct 20, 2023

{Role} az role assignment create: Show warning if --scope argument is not specified #24755

Merged

yanzhudd mentioned this pull request Oct 23, 2023

[Compute] BREAKING CHANGE: az vm/vmss identity assign: Remove the default value Contributor of parameter --role #27657

Merged

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Compute] `az vm/vmss identity assign`: Add warning log and modify help to inform that the default value Contributor of `--role` will be removed #25283

[Compute] `az vm/vmss identity assign`: Add warning log and modify help to inform that the default value Contributor of `--role` will be removed #25283

Uh oh!

zhoxing-ms commented Jan 30, 2023 •

edited

Loading

Uh oh!

yonzhan commented Jan 30, 2023 •

edited

Loading

Uh oh!

zhoxing-ms commented Feb 23, 2023

Uh oh!

dcaro commented Feb 24, 2023

Uh oh!

zhoxing-ms commented Feb 27, 2023 •

edited

Loading

Uh oh!

dbradish-microsoft commented Feb 27, 2023

Uh oh!

Uh oh!

Uh oh!

azure-client-tools-bot-prd bot commented Mar 2, 2023 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

[Compute] az vm/vmss identity assign: Add warning log and modify help to inform that the default value Contributor of --role will be removed #25283

[Compute] az vm/vmss identity assign: Add warning log and modify help to inform that the default value Contributor of --role will be removed #25283

Uh oh!

Conversation

zhoxing-ms commented Jan 30, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

yonzhan commented Jan 30, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

zhoxing-ms commented Feb 23, 2023

Uh oh!

dcaro commented Feb 24, 2023

Uh oh!

zhoxing-ms commented Feb 27, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dbradish-microsoft commented Feb 27, 2023

Uh oh!

Uh oh!

Uh oh!

azure-client-tools-bot-prd bot commented Mar 2, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

[Compute] `az vm/vmss identity assign`: Add warning log and modify help to inform that the default value Contributor of `--role` will be removed #25283

[Compute] `az vm/vmss identity assign`: Add warning log and modify help to inform that the default value Contributor of `--role` will be removed #25283

zhoxing-ms commented Jan 30, 2023 •

edited

Loading

yonzhan commented Jan 30, 2023 •

edited

Loading

zhoxing-ms commented Feb 27, 2023 •

edited

Loading

azure-client-tools-bot-prd bot commented Mar 2, 2023 •

edited

Loading