
How to grant TrustFrameworkKeySet.Read.All to az cli


Describe the bug

Command Name: az rest

Errors:

Forbidden({"error":{"code":"AADB2C","message":"The application does not have any of the required delegated permissions (TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All) to access the resource. ","innerError":{"correlationId":"e3062914-8c45-4904-a81d-7a8dc518323d","date":"2022-06-07T05:34:40","request-id":"fc0244a4-d8d7-4a3d-9f12-b81291542503","client-request-id":"fc0244a4-d8d7-4a3d-9f12-b81291542503"}}})

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • az rest --method get --url https://graph.microsoft.com/beta/trustFramework/keySets

Expected Behavior

az cli can retrieve the keyset

Environment Summary

Linux-5.10.102.1-microsoft-standard-WSL2-x86_64-with-glibc2.31, Ubuntu 20.04 LTS
Python 3.10.4
Installer: DEB

azure-cli 2.37.0

Extensions:
containerapp 0.2.0
spring-cloud 2.11.2

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Additional Context

The following commands can be executed successfully.

az rest --method get --url https://graph.microsoft.com/v1.0/applications

Issue Analytics

  • State: open
  • Created: a year ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

2 reactions
jiasli commented, Jun 16, 2022

For the above options, we did some internal discussion:

  1. Applying for TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All delegated permissions is certainly not an easy task for us. We need to work with security team, PM team, and AAD team to review the business justification and go through multiple approvals.

  2. Supporting custom client ID will also take some time for development. For now, I think the best shot you can take is to

    1. Create your own AAD application
    2. Grant it TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All delegated permissions
    3. Replace Azure CLI’s client ID at /opt/az/lib/python3.10/site-packages/azure/cli/core/auth/identity.py Line 22 with your own application ID: https://github.com/Azure/azure-cli/blob/1d973cceb38980181eeaa45934497d2148a3e7b2/src/azure-cli-core/azure/cli/core/auth/identity.py#L22

    but this is very hacky and we don’t officially support it.

Workaround

A third option is not to use user identity to log in at all. Instead,

  1. Create a service principal
  2. Grant it TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All application permissions
  3. Log in with that service principal
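The service-principal workaround in the comment above, written out as an added example (not code from the issue or the azure-cli project). It assumes you are already logged in to the B2C tenant with an account that can create applications and grant admin consent, that `b2c-keyset-reader` and the tenant name are placeholders you replace, and it deliberately grants only TrustFrameworkKeySet.Read.All rather than both permissions the comment lists, because listing key sets is all the issue needs; the `required_permissions` helper is an extra that reads the needed permission names out of the AADB2C error body quoted in the issue so you can grant exactly what the API asked for. Application-permission IDs are resolved from Microsoft Graph's own service principal instead of being hardcoded.

```shell
#!/usr/bin/env bash
# Added example: service-principal workaround for the TrustFrameworkKeySet permissions.
# Not code from the issue or from azure-cli; names ending in "reader" and tenant
# values are placeholders.
set -eu

# Constructed copy of the error body quoted in the issue, used as offline sample input.
SAMPLE_ERROR='Forbidden({"error":{"code":"AADB2C","message":"The application does not have any of the required delegated permissions (TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All) to access the resource. ","innerError":{"correlationId":"e3062914-8c45-4904-a81d-7a8dc518323d"}}})'

# Well-known application ID of Microsoft Graph (same in every tenant).
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"

# Print, one per line, the permission names listed in an AADB2C
# "does not have any of the required ... permissions (...)" message.
# Prints nothing when the message does not match that shape.
required_permissions() {
  printf '%s\n' "$1" \
    | sed -n 's/.*required [a-z]* permissions (\([^)]*\)).*/\1/p' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$' || true
}

# Resolve the appRole (application permission) ID for a Graph permission name
# from Graph's service principal, so no GUIDs are hardcoded. Needs an az login.
graph_app_role_id() {
  az ad sp show --id "$GRAPH_APP_ID" \
    --query "appRoles[?value=='$1'].id | [0]" -o tsv
}

# Create an app registration + service principal, grant the given Graph
# application permissions, admin-consent them, and emit a fresh client secret.
# Output is the JSON from "az ad app credential reset" (appId, password, tenant);
# the password is shown once, so store it in a secret store immediately.
create_graph_sp() {
  name="$1"; shift
  app_id=$(az ad app create --display-name "$name" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  for perm in "$@"; do
    role_id=$(graph_app_role_id "$perm")
    [ -n "$role_id" ] || { echo "unknown Graph application permission: $perm" >&2; return 1; }
    # "=Role" requests an application permission; "=Scope" would be delegated.
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
      --api-permissions "${role_id}=Role"
  done
  az ad app permission admin-consent --id "$app_id"   # requires a consenting admin
  az ad app credential reset --id "$app_id" -o json
}

# Log in as the service principal; --allow-no-subscriptions because a B2C
# tenant usually has no Azure subscription attached.
login_as_sp() {
  az login --service-principal -u "$1" -p "$2" --tenant "$3" \
    --allow-no-subscriptions >/dev/null
}

# The call from the issue, now made with the service principal's token.
list_keysets() {
  az rest --method get --url https://graph.microsoft.com/beta/trustFramework/keySets
}

# Usage (not executed automatically; the az calls need a real tenant):
#   required_permissions "$SAMPLE_ERROR"          # shows which names the API wants
#   create_graph_sp b2c-keyset-reader TrustFrameworkKeySet.Read.All
#   login_as_sp "$APP_ID" "$SECRET" "example.onmicrosoft.com" && list_keysets
```

`az ad app credential reset` also accepts `--create-cert` if you would rather manage a certificate than a client secret, which addresses the secret-handling pain raised further down in the thread; the login call then takes the certificate file path in place of the password.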
0 reactions
m-moris commented, Jun 17, 2022

Thanks for the discussion.

Indeed, I too think we should be cautious about granting any authority to az cli tools. I decided to use a workaround and have already written an automated script. This is a bit of a pain to manage the secret, though.

