Azure · vilit1 · May 5, 2023 · May 5, 2023 · May 5, 2023 · May 9, 2023
@@ -253,7 +253,7 @@ def default_api_version(self):
         ResourceType.MGMT_MSI: '2023-01-31',
         ResourceType.MGMT_APPSERVICE: '2022-03-01',
         ResourceType.MGMT_IOTHUB: '2022-04-30-preview',
-        ResourceType.MGMT_IOTDPS: '2021-10-15',
+        ResourceType.MGMT_IOTDPS: '2023-03-01-preview',
         ResourceType.MGMT_IOTCENTRAL: '2021-11-01-preview',
         ResourceType.MGMT_ARO: '2022-09-04',
         ResourceType.MGMT_DATABOXEDGE: '2021-02-01-preview',

@@ -148,6 +148,47 @@
         az iot dps certificate verify --dps-name MyDps --resource-group MyResourceGroup --name MyCertificate --path /certificates/Verification.pem --etag AAAAAAAAAAA=
 """
 
+helps['iot dps identity'] = """
+type: group
+short-summary: Manage identities of an Azure IoT Hub Device Provisioning Service instance.
+"""
+
+helps['iot dps identity assign'] = """
+type: command
+short-summary: Assign managed identities to an IoT Azure IoT Hub Device Provisioning Service instance.
+examples:
+  - name: Assign user-assigned managed identities to an IoT DPS.
+    text: >
+        az iot dps identity assign --name MyIoTDPS --resource-group MyResourceGroup --user-assigned {resourceId1} {resourceId2}
+  - name: Assign a system-assigned managed identity to an IoT DPS and assign a role to that identity.
+    text: >
+        az iot dps identity assign --name MyIoTDPS --resource-group MyResourceGroup --system-assigned --role "Storage Blob Data Contributor" --scopes {resourceId}
+"""
+
+helps['iot dps identity show'] = """
+type: command
+short-summary: Show the identity properties of an IoT Azure IoT Hub Device Provisioning Service instance.
+examples:
+  - name: Show identity properties of an IoT DPS.
+    text: >
+        az iot dps identity show --name MyIoTDPS --resource-group MyResourceGroup
+"""
+
+helps['iot dps identity remove'] = """
+type: command
+short-summary: Remove managed identities from an IoT Azure IoT Hub Device Provisioning Service instance.
+examples:
+  - name: Remove a user-assigned managed identity from an IoT DPS.
+    text: >
+        az iot dps identity remove --name MyIoTDPS --resource-group MyResourceGroup --user-assigned {resourceId}
+  - name: Remove a system-assigned managed identity from an IoT DPS.
+    text: >
+        az iot dps identity remove --name MyIoTDPS --resource-group MyResourceGroup --system-assigned
+  - name: Remove all identities from an IoT DPS.
+    text: >
+        az iot dps identity remove --name MyIoTDPS --resource-group MyResourceGroup --system-assigned --user-assigned
+"""
+
 helps['iot dps create'] = """
 type: command
 short-summary: Create an Azure IoT Hub Device Provisioning Service instance.
@@ -159,9 +200,15 @@
   - name: Create an Azure IoT Hub Device Provisioning Service with the standard pricing tier S1, in the 'eastus' region.
     text: >
         az iot dps create --name MyDps --resource-group MyResourceGroup --location eastus
-  - name: Create an Azure IoT Hub Device Provisioning Service with data residency enforced. This will disable cross-region disaster recovery.
+  - name: Create an Azure IoT Hub Device Provisioning Service with data residency enforced.
     text: >
         az iot dps create --name MyDps --resource-group MyResourceGroup --edr
+  - name: Create an Azure IoT Hub Device Provisioning Service with the standard pricing tier S1, in the region of the resource group, enable system identity, and assign a role and scope to an IoT Hub for the created identity.
+    text: >
+        az iot dps create --name MyDps --resource-group MyResourceGroup --mi-system-assigned --role 'Iot Hub Data Contributor' --scopes {hubResourceId}
+  - name: Create an Azure IoT Hub Device Provisioning Service with the standard pricing tier S1, in the region of the resource group, and assign two User Assigned Identities.
+    text: >
+        az iot dps create --name MyDps --resource-group MyResourceGroup --mi-user-assigned {userIdentityResourceId1} {userIdentityResourceId2}
 """
 
 helps['iot dps delete'] = """

@@ -62,6 +62,11 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
     with self.argument_context('iot dps') as c:
         c.argument('dps_name', dps_name_type, options_list=['--name', '-n'], id_part='name')
         c.argument('tags', tags_type)
+        c.argument('identity_role', options_list=['--role'],
+                   help="Role to assign to the DPS's system-assigned managed identity.")
+        c.argument('identity_scopes', options_list=['--scopes'], nargs='*',
+                   help="Space separated list of scopes to assign the role (--role) "
+                   "for the system-assigned managed identity.")
 
     with self.argument_context('iot dps create') as c:
         c.argument('location', get_location_type(self.cli_ctx),
@@ -75,6 +80,18 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
                    help='Enforce data residency for this IoT Hub Device Provisioning Service by disabling '
                    'cross geo-pair disaster recovery. This property is immutable once set on the resource. '
                    'Only available in select regions. Learn more at https://aka.ms/dpsdr')
+        c.argument('system_identity', options_list=['--mi-system-assigned'],
+                   arg_type=get_three_state_flag(),
+                   help="Enable system-assigned managed identity for this DPS", is_preview=True)
+        c.argument('user_identities', options_list=['--mi-user-assigned'],
+                   nargs='*', help="Enable user-assigned managed identities for this DPS. "
+                   "Accept space-separated list of identity resource IDs.", is_preview=True)
+        # vilit - remove this once GA. This is here to make az iot dps identity commands look nicer
+        c.argument('identity_role', options_list=['--role'],
+                   help="Role to assign to the DPS's system-assigned managed identity.", is_preview=True)
+        c.argument('identity_scopes', options_list=['--scopes'], nargs='*',
+                   help="Space separated list of scopes to assign the role (--role) "
+                   "for the system-assigned managed identity.", is_preview=True)
 
     # plan to slowly align this with extension naming patterns - n should be aligned with dps_name
     for subgroup in ['linked-hub', 'certificate']:
@@ -141,6 +158,22 @@ def load_arguments(self, _):  # pylint: disable=too-many-statements
             c.argument('is_verified', options_list=['--verified', '-v'], arg_type=get_three_state_flag(),
                        help='A boolean indicating whether or not the certificate is verified.')
 
+    with self.argument_context('iot dps identity assign') as c:
+        c.argument('system_identity', options_list=['--system-assigned', '--system'],
+                   arg_type=get_three_state_flag(),
+                   nargs='*', help="Assign a system-assigned managed identity to this DPS.")
+        c.argument('user_identities', options_list=['--user-assigned', '--user'],
+                   nargs='+', help="Assign user-assigned managed identities to this DPS. "
+                   "Accept space-separated list of identity resource IDs.")
+
+    with self.argument_context('iot dps identity remove') as c:
+        c.argument('system_identity', options_list=['--system-assigned', '--system'],
+                   arg_type=get_three_state_flag(),
+                   nargs='*', help="Remove a system-assigned managed identity from this DPS.")
+        c.argument('user_identities', options_list=['--user-assigned', '--user'],
+                   nargs='*', help="Remove user-assigned managed identities from this DPS. "
+                   "Accept space-separated list of identity resource IDs.")
+
     # Arguments for IoT Hub
     with self.argument_context('iot hub') as c:
         c.argument('hub_name', hub_name_type, options_list=['--name', '-n'], id_part='name')

@@ -101,6 +101,12 @@ def load_command_table(self, _):  # pylint: disable=too-many-statements
         g.custom_command('verify', 'iot_dps_certificate_verify')
         g.custom_command('update', 'iot_dps_certificate_update')
 
+    # iot dps identity commands
+    with self.command_group('iot dps identity', client_factory=iot_service_provisioning_factory, is_preview=True) as g:
+        g.custom_command('assign', 'iot_dps_identity_assign')
+        g.custom_show_command('show', 'iot_dps_identity_show')
+        g.custom_command('remove', 'iot_dps_identity_remove')
+
     # iot dps policy commands
     with self.command_group('iot dps policy', client_factory=iot_service_provisioning_factory) as g:
         g.custom_command('list', 'iot_dps_policy_list')