How to grant TrustFrameworkKeySet.Read.All to az cli
Describe the bug
Command Name
az rest
Errors:
Forbidden({"error":{"code":"AADB2C","message":"The application does not have any of the required delegated permissions (TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All) to access the resource. ","innerError":{"correlationId":"e3062914-8c45-4904-a81d-7a8dc518323d","date":"2022-06-07T05:34:40","request-id":"fc0244a4-d8d7-4a3d-9f12-b81291542503","client-request-id":"fc0244a4-d8d7-4a3d-9f12-b81291542503"}}})
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
az rest --method get --url https://graph.microsoft.com/beta/trustFramework/keySets
Expected Behavior
az cli can retrieve the keyset
Environment Summary
Linux-5.10.102.1-microsoft-standard-WSL2-x86_64-with-glibc2.31, Ubuntu 20.04 LTS
Python 3.10.4
Installer: DEB
azure-cli 2.37.0
Extensions:
containerapp 0.2.0
spring-cloud 2.11.2
Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1
Additional Context
The following commands can be executed successfully.
az rest --method get --url https://graph.microsoft.com/v1.0/applications
Issue Analytics
- Created a year ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments
For above options, we did some internal discussion:
Applying for TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All delegated permissions is certainly not an easy task for us. We need to work with security team, PM team, and AAD team to review the business justification and go through multiple approvals.
Supporting custom client ID will also take some time for development. For now, I think the best shot you can take is to
/opt/az/lib/python3.10/site-packages/azure/cli/core/auth/identity.py
line 22 with your own application ID: https://github.com/Azure/azure-cli/blob/1d973cceb38980181eeaa45934497d2148a3e7b2/src/azure-cli-core/azure/cli/core/auth/identity.py#L22 but this is very hacky and we don't officially support it.
Workaround
A third option is not to use user identity to log in at all. Instead,
Thanks for the discussion.
Indeed, I too think we should be cautious about granting any authority to az cli tools. I decided to use a workaround and have already written an automated script. Managing the secret is a bit of a pain, though.
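The app-only route the thread settles on, as an added example that is not code from the issue or from the azure-cli project: log in with a dedicated app registration instead of a user identity, repeat the keySets call, and turn the AADB2C refusal quoted above into a list of the permissions the app still lacks. It assumes an app registration in the B2C tenant that holds the TrustFrameworkKeySet.Read.All application permission with admin consent, and the environment variable names B2C_TENANT_ID, B2C_APP_ID and B2C_APP_SECRET are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue): call the B2C keySets endpoint with an
# app-only identity instead of the Azure CLI's own first-party app, and make
# the "missing delegated permission" refusal machine-readable.
# Assumes an app registration in the B2C tenant holding the
# TrustFrameworkKeySet.Read.All application permission with admin consent,
# passed in via B2C_TENANT_ID, B2C_APP_ID and B2C_APP_SECRET (hypothetical names).
set -eu

# Constructed sample, same shape as the error body quoted in the issue.
SAMPLE_ERROR='Forbidden({"error":{"code":"AADB2C","message":"The application does not have any of the required delegated permissions (TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All) to access the resource. ","innerError":{"correlationId":"00000000-0000-0000-0000-000000000000","date":"2022-06-07T05:34:40"}}})'

# True when the body is the AADB2C "required delegated permissions" refusal.
is_delegated_permission_error() {
  printf '%s' "$1" | grep -q '"code":"AADB2C"' &&
    printf '%s' "$1" | grep -q 'required delegated permissions'
}

# Print the permission names the service says it needs, one per line.
graph_missing_permissions() {
  printf '%s' "$1" |
    sed -n 's/.*required delegated permissions (\([^)]*\)).*/\1/p' |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep .
}

# App-only login (no user identity), then the same call as in the issue.
# -p also accepts a PEM certificate path, which keeps the secret off the
# command line.
fetch_keysets() {
  az login --service-principal --allow-no-subscriptions \
    --tenant "$B2C_TENANT_ID" -u "$B2C_APP_ID" -p "$B2C_APP_SECRET" >/dev/null
  if out=$(az rest --method get \
      --url https://graph.microsoft.com/beta/trustFramework/keySets 2>&1); then
    printf '%s\n' "$out"
  elif is_delegated_permission_error "$out"; then
    echo "the app registration lacks one of:" >&2
    graph_missing_permissions "$out" >&2
    return 1
  else
    printf '%s\n' "$out" >&2
    return 1
  fi
}

# Only make the live call when a tenant is configured; the helpers above
# work offline.
if [ -n "${B2C_TENANT_ID:-}" ]; then
  fetch_keysets
fi
```

Note that az login with a service principal replaces the CLI's current account context, so run it in a separate session or profile if you also use az interactively.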