From d65617a527a2f0baf78494d0a56ba4e390efddc5 Mon Sep 17 00:00:00 2001
From: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com>
Date: Thu, 25 Jan 2024 14:52:37 -0800
Subject: [PATCH] Sync eng/common directory with azure-sdk-tools for PR 7584 (#34018)
* Fix role assignment for user auth
* PR fb
* Apply suggestions from code review
Co-authored-by: Heath Stewart
---------
Co-authored-by: jolov
Co-authored-by: JoshLove-msft <54595583+JoshLove-msft@users.noreply.github.com>
Co-authored-by: Heath Stewart
---
 .../TestResources/New-TestResources.ps1 | 33 ++++++++++---------
 1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/eng/common/TestResources/New-TestResources.ps1 b/eng/common/TestResources/New-TestResources.ps1
index 0f997fd1e9f1..76fbfc51a67f 100644
--- a/eng/common/TestResources/New-TestResources.ps1
+++ b/eng/common/TestResources/New-TestResources.ps1
@@ -619,9 +619,11 @@ try {
             Write-Warning "The specified TestApplicationId '$TestApplicationId' will be ignored when UserAuth is set."
         }
-        $TestApplicationOid = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account).Id
+        $userAccount = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account)
+        $TestApplicationOid = $userAccount.Id
         $TestApplicationId = $testApplicationOid
-        Log "User-based app id '$TestApplicationId' will be used."
+        $userAccountName = $userAccount.UserPrincipalName
+        Log "User authentication with user '$userAccountName' ('$TestApplicationId') will be used."
     }
     # If no test application ID was specified during an interactive session, create a new service principal.
     elseif (!$CI -and !$TestApplicationId) {
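Review bot: `$userAccount` is dereferenced on the two lines after `$userAccount = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account)` without a null check; when the lookup returns nothing (the signed-in account is not a directory user, or the directory read is not permitted), `$TestApplicationOid`, `$TestApplicationId` and `$userAccountName` all end up empty and the script presumably proceeds toward the role-assignment step with an empty object id rather than failing here. The old line had the same weakness, but since the commit rewrites it this is the place to add a guard, e.g. `if (!$userAccount) { throw "Could not resolve the signed-in account '$((Get-AzContext).Account)' to a directory user; sign in as a user or pass -TestApplicationId/-TestApplicationOid." }`. The log line would then always name a real user and object id, which is what an operator auditing the Owner grant needs. The enclosing user-authentication `if` block starts above the hunk.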
@@ -686,11 +688,11 @@ try {
         $PSBoundParameters['TestApplicationOid'] = $TestApplicationOid
         $PSBoundParameters['TestApplicationSecret'] = $TestApplicationSecret
-        # If the role hasn't been explicitly assigned to the resource group and a cached service principal is in use,
+        # If the role hasn't been explicitly assigned to the resource group and a cached service principal or user authentication is in use,
         # query to see if the grant is needed.
-        if (!$resourceGroupRoleAssigned -and $AzureTestPrincipal) {
+        if (!$resourceGroupRoleAssigned -and $TestApplicationOid) {
             $roleAssignment = Get-AzRoleAssignment `
-                -ObjectId $AzureTestPrincipal.Id `
+                -ObjectId $TestApplicationOid `
                 -RoleDefinitionName 'Owner' `
                 -ResourceGroupName "$ResourceGroupName" `
                 -ErrorAction SilentlyContinue
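Review bot: The broadened condition `if (!$resourceGroupRoleAssigned -and $TestApplicationOid)` now runs the Owner lookup for user authentication and for any caller-supplied object id, but `-ErrorAction SilentlyContinue` on `Get-AzRoleAssignment` still makes a failed read (a principal that cannot read role assignments, or an id the directory does not know) indistinguishable from "no assignment", so the script goes on to attempt a new Owner grant it may not need. Capture the error so the two cases can be told apart: add `-ErrorVariable roleLookupError` to the call and follow it with `if ($roleLookupError) { Write-Verbose "Owner role lookup for '$TestApplicationOid' failed: $roleLookupError" }`. The code that inspects `$roleAssignment` and sets `$resourceGroupRoleAssigned` is below the hunk.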
@@ -702,19 +704,20 @@ try {
             # considered a critical failure, as the test application may have subscription-level permissions and not require
             # the explicit grant.
             if (!$resourceGroupRoleAssigned) {
-                Log "Attempting to assigning the 'Owner' role for '$ResourceGroupName' to the Test Application '$TestApplicationId'"
-                $principalOwnerAssignment = New-AzRoleAssignment `
-                    -RoleDefinitionName "Owner" `
-                    -ApplicationId "$TestApplicationId" `
-                    -ResourceGroupName "$ResourceGroupName" `
-                    -ErrorAction SilentlyContinue
-
-                if ($principalOwnerAssignment.RoleDefinitionName -eq 'Owner') {
-                    Write-Verbose "Successfully assigned ownership of '$ResourceGroupName' to the Test Application '$TestApplicationId'"
+                $idSlug = if ($userAuth) { "User '$userAccountName' ('$TestApplicationId')"} else { "Test Application '$TestApplicationId'"};
+                Log "Attempting to assign the 'Owner' role for '$ResourceGroupName' to the $idSlug"
+                $ownerAssignment = New-AzRoleAssignment `
+                    -RoleDefinitionName "Owner" `
+                    -ObjectId "$TestApplicationOId" `
+                    -ResourceGroupName "$ResourceGroupName" `
+                    -ErrorAction SilentlyContinue
+
+                if ($ownerAssignment.RoleDefinitionName -eq 'Owner') {
+                    Write-Verbose "Successfully assigned ownership of '$ResourceGroupName' to the $idSlug"
                 } else {
                     Write-Warning ("The 'Owner' role for '$ResourceGroupName' could not be assigned. " +
                                    "You may need to manually grant 'Owner' for the resource group to the " +
-                                   "Test Application '$TestApplicationId' if it does not have subscription-level permissions.")
+                                   "$idSlug if it does not have subscription-level permissions.")
                 }
             }
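Review bot: The failure reason from `New-AzRoleAssignment` is thrown away by `-ErrorAction SilentlyContinue`, so the `Write-Warning` branch says the 'Owner' role could not be assigned without saying why (access denied, principal not found, empty object id), which is exactly the detail needed to repair or audit a high-privilege grant. Add `-ErrorVariable ownerAssignError` to the call and extend the warning with `"$idSlug if it does not have subscription-level permissions. Error: $ownerAssignError")`. Separately, `-ObjectId "$TestApplicationOId"` spells the variable differently from `$TestApplicationOid` used in the rest of the change; PowerShell variable names are case-insensitive so it resolves, but a reader scanning for where the Owner grant's target comes from will miss it, so use the same casing. The `if (!$resourceGroupRoleAssigned)` block closes inside the hunk while the surrounding `try` continues outside it.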