Azure CLI comment error when updating custom role --- Role "id" is missing. Look for the role in the current subscription.

  • Question

  • Azure CLI comment error (this appears in green, unlike an error, which is normally in red) occurred when updating custom role ---

    Role "id" is missing. Look for the role in the current subscription.

    Is this error significant???  I checked the custom role and it appears to have been updated and the error

    C:\WINDOWS\system32>az role definition update --role-definition "C:\Azure Custom Role Test\Safe.json"

    Role "id" is missing. Look for the role in the current subscription...
    {
      "assignableScopes": [
        "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      ],
      "description": "Perform VM actions and read storage and network information.",
      "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "permissions": [
        {
          "actions": [
            "Microsoft.Compute/*/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
            "Microsoft.Network/*/read",
            "Microsoft.Storage/*/read",
            "Microsoft.Authorization/*/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
            "Microsoft.Insights/alertRules/*",
            "Microsoft.Support/*"
          ],
          "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
          ],
          "notActions": [],
          "notDataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
          ]
        }
      ],
      "roleName": "Test Custom Role 1",
      "roleType": "CustomRole",
      "type": "Microsoft.Authorization/roleDefinitions"
    }

    Below is the CLI command that was run that produced the role Id comment. What do I need to change and where do I get this information?

    {
      "Name": "Test Custom Role 1",
      "Id": null,
      "Description": "Perform VM actions and read storage and network information.",
      "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Network/*/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
      ],
      "NotDataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "AssignableScopes": [ "/subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXXXXX" ]
    }


    dsk




    Sunday, December 1, 2019 5:33 PM

All replies

  • Hello,

    There is a discussion on this in the CLI Github repo: https://github.com/Azure/azure-cli/issues/6304

    The best thing to do is to use "az role definition list" to get the schema the command is expecting and make your updates from there. This will include the id parameter it is looking for. As a role could be used in multiple subscriptions, that id helps the cli determine which subscription it was originally created in.

    If you are still having trouble after using the list command to generate a template to edit, please run it with the --debug command and post the results so I can see what is going on with your script. You can also delete/recreate the role as a workaround.


    Monday, December 2, 2019 3:50 PM
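
The workflow the reply describes, as an added example (not code from this thread or from the Azure CLI project): start from the definition that `az role definition list` returns so that `id` and `name` are carried over, apply the edited permission lists, and review the permission delta before passing the result to `az role definition update --role-definition`. The GUIDs, the sample JSON and the `build_update` helper are constructed for illustration, and the role is assumed to have a single `permissions` entry.

```python
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
ROLE_GUID = "11111111-1111-1111-1111-111111111111"           # placeholder
BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"

# Constructed sample of `az role definition list --name "Test Custom Role 1"` output.
LISTED = [{
    "assignableScopes": [SUB],
    "id": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{ROLE_GUID}",
    "name": ROLE_GUID,
    "permissions": [{"actions": ["Microsoft.Compute/*/read", "Microsoft.Storage/*/read"],
                     "dataActions": [], "notActions": [], "notDataActions": []}],
    "roleName": "Test Custom Role 1",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions",
}]

# Constructed edited file in the question's schema, still carrying "Id": null.
EDITED = {
    "Name": "Test Custom Role 1", "Id": None,
    "Actions": ["Microsoft.Compute/*/read", "Microsoft.Storage/*/read",
                "Microsoft.Compute/virtualMachines/start/action"],
    "DataActions": [BLOBS + "*"],
    "NotDataActions": [BLOBS + "write"],
    "AssignableScopes": [SUB],
}

# Listed-schema key -> key used in the edited file.
KEYS = {"actions": "Actions", "notActions": "NotActions",
        "dataActions": "DataActions", "notDataActions": "NotDataActions"}

def build_update(listed, edited):
    """Return (update_doc, delta): the listed definition with the edited permissions applied."""
    matches = [r for r in listed
               if r["roleName"] == edited["Name"] and r.get("roleType") == "CustomRole"]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one custom role, found {len(matches)}")
    doc = json.loads(json.dumps(matches[0]))  # deep copy; keeps the real id and name
    old, new, delta = doc["permissions"][0], {}, {}
    for cli_key, file_key in KEYS.items():
        new[cli_key] = list(edited.get(file_key) or [])
        before, after = set(old.get(cli_key) or []), set(new[cli_key])
        delta[cli_key] = {"added": sorted(after - before), "removed": sorted(before - after)}
    doc["permissions"] = [new]
    doc["assignableScopes"] = list(edited["AssignableScopes"])
    return doc, delta

if __name__ == "__main__":
    print(json.dumps(build_update(LISTED, EDITED), indent=2))
```

The `delta` shows exactly which actions and data actions the update would grant or revoke, which is worth reviewing whenever a wildcard such as `blobs/*` is being added to a custom role.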