Reputation: 189
I'm trying to do some cleanup (to solve other issues) within a yaml, and I've come up with this:
- task: AzureCLI@2
  inputs:
    azureSubscription: 'MYSUBSCRIPTION'
    scriptType: pscore
    scriptLocation: inlineScript
    inlineScript: |
      az role assignment delete --ids "GUID1 GUID2 GUIDn"
  name: CleanupRoleAssignments
And I'm getting this error:
ERROR: (MissingSubscription) The request did not have a subscription or a valid tenant level resource provider.
Code: MissingSubscription
Message: The request did not have a subscription or a valid tenant level resource provider.
I tried adding --scope but that only got me an additional warning: WARNING: option '--scope' will be ignored due to use of '--ids'. The error persisted.
Any idea on what I'm doing wrong?
TIA
Jim
Upvotes: 1
Views: 816
Reputation: 21
You just need to delete the leading "/" and leave
--scope "subscriptions/<sub_id>/resourceGroups/<resource-group-name>"
Upvotes: 2
Reputation: 189
Thank you both @juunas and @wenbo. What I ended up doing is this:
$iacDescription = 'IaC generated role assignment'
Clear-Host
$ErrorActionPreference='Stop'
$json = & az role assignment list --resource-group 'MYRESOURCEGROUP'
$roleAssignmentList = ($json | ConvertFrom-Json)
# Write-Host "Count = $($roleAssignmentList.Count)"
$idList = [System.Collections.ArrayList]::new()
foreach($roleAssignment in $roleAssignmentList) {
    if ($roleAssignment.description -eq $iacDescription) {
        Write-Host "roleDefinitionName = $($roleAssignment.roleDefinitionName), description = $($roleAssignment.description), id = $($roleAssignment.id)"
        $idList.Add($roleAssignment.id) | Out-Null
    }
}
if ($idList.Count -gt 0) {
    Write-Host "Cleaning up:`n$idList"
    az role assignment delete --ids $idList
}
else {
    Write-Host "Nothing to clean"
}
Upvotes: 0
Reputation: 1531
Try the below on your local PC (replace with your own subscription and resource group):
az role assignment list --scope /subscriptions/xxxx-xxx-xxx-xxx-xxxx/resourceGroups/wb-test-rg
It will return something like:
[
  {
    "condition": null,
    "conditionVersion": null,
    "createdBy": "492b05b3-bc6c-4497-8d3e-ab42366d3b9a",
    "createdOn": "2024-06-06T08:33:53.807218+00:00",
    "delegatedManagedIdentityResourceId": null,
    "description": null,
    "id": "/subscriptions/xxxx-xxx-xxx-xxx-xxxx/resourceGroups/wb-test-rg/providers/Microsoft.Authorization/roleAssignments/454c98bf-349a-4643-8f41-8bf45293440e",
    "...."
  }
]
then delete the assignment using the id:
az role assignment delete --ids "/subscriptions/xxxx-xxx-xxx-xxx-xxxx/resourceGroups/wb-test-rg/providers/Microsoft.Authorization/roleAssignments/454c98bf-349a-4643-8f41-8bf45293440e"
Upvotes: 1
Reputation: 58908
The --ids parameter expects resource IDs for the role assignments. This is what it should look like for a resource-specific assignment:
/subscriptions/5ef3ad25-ad2f-4fbd-846c-e0de974adf45/resourceGroups/myresourcegroup/providers/Microsoft.CognitiveServices/accounts/mycognitiveaccount/providers/Microsoft.Authorization/roleAssignments/c89f4724-986a-47ca-9f1b-2c152a6b5a73
For assignments at subscription or resource group level, some of the parts of that ID would be left out. The idea is that the ID identifies where the role assignment is as well as the assignment ID.
Upvotes: 1
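The ID structure described in the last answer (a scope followed by `/providers/Microsoft.Authorization/roleAssignments/<GUID>`), as an added PowerShell example that is not part of the original thread: it checks candidate IDs before they reach `az role assignment delete --ids`, rejecting bare GUIDs like those in the question and any assignment outside an expected scope. The function names, the regex and the sample IDs are assumptions constructed for illustration, and only subscription scope and below is handled.

```powershell
# Added example (not from the thread). All IDs below are constructed samples.
function Split-RoleAssignmentId {
    # Hypothetical helper: splits a role assignment resource ID into the scope
    # it applies to and the assignment's own GUID. Returns $null for anything
    # else, such as a bare GUID. Management-group scopes are not handled.
    param([Parameter(Mandatory)][string]$Id)
    $pattern = '^(?<scope>/subscriptions/[0-9a-f-]{36}(/.+)?)' +
               '/providers/Microsoft\.Authorization/roleAssignments/(?<name>[0-9a-f-]{36})$'
    if ($Id -notmatch $pattern) { return $null }
    [pscustomobject]@{ Scope = $Matches['scope']; Name = $Matches['name'] }
}

function Select-DeletableRoleAssignmentId {
    # Hypothetical guard: emits only well-formed IDs whose scope is the expected
    # scope or below it, so a cleanup job stays inside its own resource group.
    param([string[]]$Ids, [Parameter(Mandatory)][string]$ExpectedScope)
    $root = $ExpectedScope.TrimEnd('/')
    foreach ($candidate in $Ids) {
        $parts = Split-RoleAssignmentId -Id $candidate
        if ($null -eq $parts) { Write-Warning "Not a role assignment ID: $candidate"; continue }
        # Azure resource IDs are case-insensitive, so compare accordingly.
        $inScope = $parts.Scope -ieq $root -or
                   $parts.Scope.StartsWith("$root/", [StringComparison]::OrdinalIgnoreCase)
        if ($inScope) { $candidate } else { Write-Warning "Outside ${root}: $candidate" }
    }
}

# Constructed sample input (placeholder subscription and assignment GUIDs).
$sub = '00000000-0000-0000-0000-000000000001'
$rg  = "/subscriptions/$sub/resourceGroups/MYRESOURCEGROUP"
$candidates = @(
    # Assignment made at resource-group level
    "$rg/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
    # Assignment made on a resource inside the group
    "$rg/providers/Microsoft.Storage/storageAccounts/demo/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
    # Assignment made at subscription level, above the expected scope
    "/subscriptions/$sub/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333",
    # Bare GUID, as passed in the question
    '44444444-4444-4444-4444-444444444444'
)

$safe = @(Select-DeletableRoleAssignmentId -Ids $candidates -ExpectedScope $rg)
Write-Host "IDs that passed validation:"
$safe
# After reviewing the list: az role assignment delete --ids $safe
```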