
`az role assignment delete` command is an insane footgun


az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug

If you type az role assignment delete with no arguments, the Azure CLI offers to delete every role assignment in your subscription. This is insane.

To Reproduce

  1. Make sure your cat/child/fingers are as far away from the keyboard as possible
  2. Type az role assignment delete with no arguments
  3. Throw your computer into the ocean

Expected behavior

Literally anything else

Environment summary

Homebrew

    $ az --version
    azure-cli                          2.2.0 *

    command-modules-nspkg              2.0.3
    core                               2.2.0 *
    nspkg                              3.0.4
    telemetry                          1.0.4

    Python location '/Users/bellamko/git/k8s-infrastructure/.direnv/python-3.8.2/bin/python3'
    Extensions directory '/Users/bellamko/.azure/cliextensions'

    Python (Darwin) 3.8.2 (default, Mar 11 2020, 00:29:50)
    [Clang 11.0.0 (clang-1100.0.33.17)]

Additional context

This reminds me of how az vmss delete-instances used to offer to delete every single one of your VMs if you didn’t pass in --instance-ids. Now it just raises an error, which is sane behavior.

Issue Analytics

  • State: open
  • Created: 3 years ago
  • Reactions: 10
  • Comments: 12 (7 by maintainers)

Top GitHub Comments

1 reaction
jiasli commented, Sep 24, 2020

This issue was previously reported in #2933 and the prompt for “delete all” was added in #8862.

The logic is to search for all assignments and delete them all:

    assignments = _search_role_assignments(cmd.cli_ctx, assignments_client, definitions_client,
                                           scope, assignee, role, include_inherited,
                                           include_groups=False)

    if assignments:
        for a in assignments:
            assignments_client.delete_by_id(a.id)

I agree this behavior is insane and should be changed even though it is a breaking change.

If you have already deleted all role assignments, and luckily you are a Global Administrator in the AAD tenant, there is a chance to recover it: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

1 reaction
Catramen commented, Sep 22, 2020

I accidentally did this:

    az role assignment create --assignee "$SOME_VAR" --role "Owner"

SOME_VAR was accidentally set to empty string. I did not get any prompt and EVERY OWNER WAS DELETED. I lost access to my subscription. Cannot even file a support ticket cause I lost permissions. Is there a way to fix this?
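
A pre-flight guard for the two failure modes reported in this thread (no arguments at all, and a filter variable that expands to an empty string), as an added example that is not part of the original issue or of the Azure CLI code. The function names `role_delete_args_ok` and `safe_role_assignment_delete` are hypothetical; the flags checked are the filter options of `az role assignment delete`.

```shell
#!/usr/bin/env bash
# Added example, not Azure CLI code: validate filters before a role assignment delete.

# Return 0 only when at least one filter flag is present and every filter
# flag that is present carries a non-empty value.
role_delete_args_ok() {
    local seen=0 flag value
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --assignee=*|--role=*|--scope=*|--ids=*|--resource-group=*)
                flag=${1%%=*}; value=${1#*=}; shift ;;
            --assignee|--role|--scope|--ids|--resource-group|-g)
                flag=$1; value=${2-}; shift
                if [ "$#" -gt 0 ]; then shift; fi ;;
            *)
                # Not a filter (for example --yes): it does not narrow the delete.
                shift; continue ;;
        esac
        # An empty value, or the next flag swallowed as a value, means the
        # filter is effectively unset (the empty "$SOME_VAR" case).
        case "$value" in
            ''|-*) echo "refusing: $flag has no value" >&2; return 1 ;;
        esac
        seen=1
    done
    if [ "$seen" -eq 1 ]; then return 0; fi
    echo "refusing: no --assignee/--role/--scope/--ids/--resource-group filter" >&2
    return 1
}

# Wrapper: hand the arguments to the real command only after the check passes.
safe_role_assignment_delete() {
    role_delete_args_ok "$@" || return 1
    az role assignment delete "$@"
}
```

Calling `safe_role_assignment_delete` from scripts instead of the bare command turns an unset variable into a refusal rather than a broader delete.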
