azure-cli: az role assignment create is not idempotent
Creating the same role assignment twice results in success the first time, but the second time results in an error: The role assignment already exists.
$ az role assignment create --role Owner --assignee "my@account.example.com" --scope /subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Storage/storageAccounts/<redacted>
The role assignment already exists.
$ echo $?
1
According to https://github.com/Azure/azure-cli/blob/dev/doc/command_guidelines.md#standard-command-types this operation should be idempotent, i.e. creating an existing role assignment should not result in an error.
This happens with azure-cli 2.0.58 (role 2.4.0) on Linux but also with azure-cli 2.0.51 (storage 2.2.5) on Windows.
About this issue
- State: closed
- Created 5 years ago
- Reactions: 5
- Comments: 18 (10 by maintainers)
I would suggest we proceed by fetching the assignment by leveraging the existing list_role_assignments. Idempotency is the main command authoring guideline we would like to persist, which the community has appreciated very much.

@marstr, the error code is 409 as revealed through --debug. I agree this is a service bug that we should tag as Service Attention. At the same time, considering idempotency is a basic principle we like to maintain across the CLI so that scripts can confidently rely on it, I suggest we catch it and ignore if the error code is RoleAssignmentExists. Letting the service team fix it would likely take years based on the experience we have accumulated on other service issues. Technically this is a breaking change, but I am fine with going ahead and swallowing it.
Fixed by #9108
I ended up flipping around the strategy, and asking if the role assignment exists first instead of reacting to a 409. Figured it was a much cleaner solution, and it matches how Terraform works around this problem.
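The two strategies debated above (check for the assignment first, or create and swallow a 409 RoleAssignmentExists) are shown side by side in the following added example. It is not azure-cli code and not the code from #9108; it models the Azure authorization API with a constructed in-memory fake (the client methods list_role_assignments and create_role_assignment, the ServiceError shape and the RacingClient subclass are all assumptions made for illustration). The practitioner points it demonstrates are that an existence check must match role, principal and scope together, so that a pre-existing Reader assignment is never mistaken for the Owner assignment the script asked for, and that check-then-create still has a race window, so the create should additionally tolerate exactly the RoleAssignmentExists conflict and nothing else.

```python
from dataclasses import dataclass
from typing import List, Tuple


class ServiceError(Exception):
    """Assumed stand-in for an ARM error: HTTP status plus an error code."""

    def __init__(self, status: int, code: str, message: str):
        super().__init__(message)
        self.status = status
        self.code = code


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    assignee: str
    scope: str


class FakeAuthorizationClient:
    """Constructed fake of the authorization API, reproducing the bug in the
    issue: a second create of the same (role, assignee, scope) fails with
    409 RoleAssignmentExists. Not the real SDK client."""

    def __init__(self):
        self.assignments: List[RoleAssignment] = []
        self.create_calls = 0

    def list_role_assignments(self, assignee: str, scope: str) -> List[RoleAssignment]:
        return [a for a in self.assignments if a.assignee == assignee and a.scope == scope]

    def create_role_assignment(self, role: str, assignee: str, scope: str) -> RoleAssignment:
        self.create_calls += 1
        if not assignee:
            # Any other failure must surface to the caller, never be swallowed.
            raise ServiceError(400, "InvalidPrincipalId", "Missing principal.")
        ra = RoleAssignment(role, assignee, scope)
        if ra in self.assignments:
            raise ServiceError(409, "RoleAssignmentExists", "The role assignment already exists.")
        self.assignments.append(ra)
        return ra


class RacingClient(FakeAuthorizationClient):
    """Simulates a concurrent writer winning between our list and create:
    the list never shows the assignment, but the create still conflicts."""

    def list_role_assignments(self, assignee: str, scope: str) -> List[RoleAssignment]:
        return []


def ensure_role_assignment(client, role: str, assignee: str, scope: str) -> Tuple[RoleAssignment, bool]:
    """Idempotently ensure the assignment exists. Returns (assignment, created).

    Strategy 1 (what the fix chose): look before creating. Compare all three
    fields; a match on assignee+scope alone would let an existing Reader
    assignment satisfy a request for Owner.
    """
    for existing in client.list_role_assignments(assignee, scope):
        if existing.role == role:
            return existing, False

    # Strategy 2 as a backstop for the check-then-create race: accept exactly
    # the 409/RoleAssignmentExists conflict and re-raise everything else.
    try:
        return client.create_role_assignment(role, assignee, scope), True
    except ServiceError as err:
        if err.status == 409 and err.code == "RoleAssignmentExists":
            return RoleAssignment(role, assignee, scope), False
        raise


if __name__ == "__main__":
    client = FakeAuthorizationClient()
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
    for _ in range(2):
        _, created = ensure_role_assignment(client, "Owner", "my@account.example.com", scope)
        print("created" if created else "already present")
```

Running the script prints "created" then "already present" and exits 0, which is the behaviour the issue asked for from az role assignment create. In a real deployment script the same shape applies whether the client is the SDK or a wrapper around az: match on role, principal and scope, and only ever ignore the specific conflict code.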