Add "federatedClientId" and UserAssignedIdentities for disk api version 2022-03-02 for public preview #22350

Closed
laurawu19 opened this issue May 10, 2022 · 8 comments · Fixed by #22966
Labels
Auto-Assign Auto assign by bot Compute az vm/vmss/image/disk/snapshot feature-request

@laurawu19

laurawu19 commented May 10, 2022

Related command
az disk-encryption-set create --federatedClientId "13ebe945-1314-41b4-8b58-f3784e0dd278" --identityType "UserAssigned" --userAssignedIdentities "{ /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName} :{}}"

az disk-encryption-set update --federatedClientId "13ebe945-1314-41b4-8b58-f3784e0dd278" --identityType "UserAssigned" --userAssignedIdentities "{ /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName} :{}}"

Resource Provider
<Microsoft.Azure.Management.Compute (specifically DiskRP)>

Description of Feature or Work Requested
Customers can use a multi-tenant application client ID to access a key vault in a different tenant. Setting federatedClientId to 'None' will clear the property.

Need to support new identityTypes. Previously the default identityType was systemAssigned; now the CLI needs to support 2 more options for identityType: UserAssigned, and "SystemAssigned, UserAssigned".

UserAssignedIdentities is a dictionary with key-value pairs.

PowerShell design:
https://github.com/Azure/azure-powershell-cmdlet-review-pr/issues/1196

Minimum API Version Required
<2021-08-01>

Swagger Link
Azure/azure-rest-api-specs#18866

Target Date
<July 8th, 2022>

@ghost ghost added the Compute az vm/vmss/image/disk/snapshot label May 10, 2022
@ghost ghost added this to the Backlog milestone May 10, 2022
@ghost ghost assigned zhoxing-ms May 10, 2022
@ghost ghost added the Auto-Assign Auto assign by bot label May 10, 2022
@laurawu19 laurawu19 changed the title Add "federatedClientId" property for disk api version 2022-03-02 for public preview Add "federatedClientId" and UserAssignedIdentities for disk api version 2022-03-02 for public preview May 10, 2022
@yonzhan
Collaborator

yonzhan commented May 10, 2022

Compute

@zhoxing-ms
Contributor

zhoxing-ms commented May 26, 2022

@laurawu19 For the support of managed identity, we usually do not use --identity-type, but we have a unified specification. Please refer to the managed_identity_command_guideline.md for details.
May I ask whether a design of the managed identity related parameters according to our guidelines would meet your expectations?

@zhoxing-ms
Contributor

zhoxing-ms commented May 30, 2022

In addition, I found that the property of federatedClientId was only introduced in the 2022-03-02 api-version folder Swagger link. So we need to use version 2022-03-02 instead of api-version 2021-08-01, right?

@laurawu19
Author

> @laurawu19 For the support of managed identity, we usually do not use --identity-type, but we have a unified specification. Please refer to the managed_identity_command_guideline.md for details.
> May I ask whether a design of the managed identity related parameters according to our guidelines would meet your expectations?

Yes. The design you provided looks good to us.

@laurawu19
Author

> In addition, I found that the property of federatedClientId was only introduced in the 2022-03-02 api-version folder Swagger link. So we need to use version 2022-03-02 instead of api-version 2021-08-01, right?

In DiskRP internally, the minimum api version required is 2021-08-01, and it is included in the swagger for "2022-03-02". Is the policy that cli should follow the same as swagger? If so, we will go with 2022-03-02.

@zhoxing-ms
Contributor

> Is the policy that cli should follow the same as swagger? If so, we will go with 2022-03-02.

Yes, because CLI depends on the Python SDK, and the api-version folder of Python SDK comes from the definition of Swagger

@yanzhudd
Contributor

> > @laurawu19 For the support of managed identity, we usually do not use --identity-type, but we have a unified specification. Please refer to the managed_identity_command_guideline.md for details.
> > May I ask whether a design of the managed identity related parameters according to our guidelines would meet your expectations?
>
> Yes. The design you provided looks good to us.

@laurawu19 The modified commands are attached below. Do they meet your expectations?

For federatedClientId:

  1. create: az disk-encryption-set create ... --federatedClientId "13ebe945-1314-41b4-8b58-f3784e0dd278"
  2. update: az disk-encryption-set update ... --federatedClientId "13ebe945-1314-41b4-8b58-f3784e0dd278"

For managed identity:

  1. enable managed identity during disk creation
    az disk-encryption-set create ... --mi-system-assigned --mi-user-assigned
  2. operate managed identity on existing disk
    a. assign identities: az disk-encryption-set identity assign ... --system-assigned --user-assigned
    b. remove identities: az disk-encryption-set identity remove ... --system-assigned --user-assigned (no values for --user-assigned should remove all user assigned identities)

@laurawu19
Author

> @laurawu19 The modified commands are attached below. Do they meet your expectations?

Yes. The commands look good to me!
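
The request fields discussed in this thread, as an added example that is not part of the issue or of the Azure CLI code: a sketch of how the agreed flags could be validated and mapped to the identity type string, the userAssignedIdentities dictionary and federatedClientId before a request is sent. The helper name `build_des_identity`, the returned dictionary layout and the sample resource ID are assumptions made for illustration.

```python
import re
import uuid

# Shape of a user-assigned identity resource ID, taken from the issue's example.
_UAI_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$",
    re.IGNORECASE,
)

# Constructed sample value, not a real resource.
SAMPLE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
             "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1")


def build_des_identity(system_assigned=False, user_assigned=(), federated_client_id=None):
    """Hypothetical helper: map the agreed flags to request fields (layout assumed)."""
    for rid in user_assigned:
        # Refuse anything that is not a full identity resource ID, so a typo
        # cannot silently attach no identity or the wrong one.
        if not _UAI_RE.match(rid):
            raise ValueError(f"not a user-assigned identity resource ID: {rid!r}")

    kinds = []
    if system_assigned:
        kinds.append("SystemAssigned")
    if user_assigned:
        kinds.append("UserAssigned")

    body = {}
    if kinds:
        # Yields "SystemAssigned", "UserAssigned" or "SystemAssigned, UserAssigned".
        identity = {"type": ", ".join(kinds)}
        if user_assigned:
            # Dictionary keyed by resource ID, with empty objects as values.
            identity["userAssignedIdentities"] = {rid: {} for rid in user_assigned}
        body["identity"] = identity

    if federated_client_id is not None:
        if federated_client_id == "None":
            # Per the issue, the literal 'None' clears the property.
            body["federatedClientId"] = "None"
        else:
            # The client ID grants cross-tenant key vault access: accept GUIDs only.
            body["federatedClientId"] = str(uuid.UUID(federated_client_id))
    return body
```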
