{AKS} Fix role assignment failure when using azure-cli version >= 2.77.0. (#9267)

FumingZhang · web-flow · commit af54e9d799ca · 2025-10-03T16:35:48.000+10:00
diff --git a/src/aks-preview/HISTORY.rst b/src/aks-preview/HISTORY.rst
@@ -11,6 +11,10 @@ To release a new version, please select a new version number (usually plus 1 to
 
 Pending
 +++++++
+
+18.0.0b42
++++++++
+* Fix role assignment failure when using azure-cli version >= `2.77.0`.
 * Add option `Flatcar` to `--os-sku` for `az aks nodepool add` and `az aks nodepool update`.
 
 18.0.0b41
diff --git a/src/aks-preview/azext_aks_preview/_roleassignments.py b/src/aks-preview/azext_aks_preview/_roleassignments.py
@@ -3,103 +3,8 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
-import time
-import uuid
-
-from azure.cli.command_modules.acs._client_factory import (
-    get_auth_management_client,
+# pylint: disable=unused-import
+from azure.cli.command_modules.acs._roleassignments import (
+    add_role_assignment,
+    add_role_assignment_executor,
 )
-from azure.cli.command_modules.acs._graph import resolve_object_id
-from azure.cli.command_modules.acs._roleassignments import build_role_scope, resolve_role_id
-from azure.cli.core.azclierror import AzCLIError
-from azure.cli.core.profiles import ResourceType, get_sdk
-from azure.core.exceptions import HttpResponseError, ResourceExistsError
-from knack.log import get_logger
-
-logger = get_logger(__name__)
-
-# pylint: disable=protected-access
-
-
-# temp workaround for the breaking change caused by default API version bump of the auth SDK
-def add_role_assignment(cmd, role, service_principal_msi_id, is_service_principal=True, delay=2, scope=None):
-    return _add_role_assignment_new(cmd, role, service_principal_msi_id, is_service_principal, delay, scope)
-
-
-# TODO(fuming): remove and replaced by import from azure.cli.command_modules.acs once dependency bumped to 2.47.0
-def _add_role_assignment_executor_new(cmd, role, assignee, resource_group_name=None, scope=None, resolve_assignee=True):
-    factory = get_auth_management_client(cmd.cli_ctx, scope)
-    assignments_client = factory.role_assignments
-    definitions_client = factory.role_definitions
-
-    # FIXME: is this necessary?
-    if assignments_client._config is None:
-        raise AzCLIError("Assignments client config is undefined.")
-
-    scope = build_role_scope(resource_group_name, scope, assignments_client._config.subscription_id)
-
-    # XXX: if role is uuid, this function's output cannot be used as role assignment defintion id
-    # ref: https://github.com/Azure/azure-cli/issues/2458
-    role_id = resolve_role_id(role, scope, definitions_client)
-
-    # If the cluster has service principal resolve the service principal client id to get the object id,
-    # if not use MSI object id.
-    object_id = resolve_object_id(cmd.cli_ctx, assignee) if resolve_assignee else assignee
-
-    assignment_name = uuid.uuid4()
-    custom_headers = None
-
-    RoleAssignmentCreateParameters = get_sdk(
-        cmd.cli_ctx,
-        ResourceType.MGMT_AUTHORIZATION,
-        "RoleAssignmentCreateParameters",
-        mod="models",
-        operation_group="role_assignments",
-    )
-    if cmd.supported_api_version(min_api="2018-01-01-preview", resource_type=ResourceType.MGMT_AUTHORIZATION):
-        parameters = RoleAssignmentCreateParameters(role_definition_id=role_id, principal_id=object_id,
-                                                    principal_type=None)
-        return assignments_client.create(scope, assignment_name, parameters, headers=custom_headers)
-
-    # for backward compatibility
-    RoleAssignmentProperties = get_sdk(
-        cmd.cli_ctx,
-        ResourceType.MGMT_AUTHORIZATION,
-        "RoleAssignmentProperties",
-        mod="models",
-        operation_group="role_assignments",
-    )
-    properties = RoleAssignmentProperties(role_definition_id=role_id, principal_id=object_id)
-    return assignments_client.create(scope, assignment_name, properties, headers=custom_headers)
-
-
-# TODO(fuming): remove and replaced by import from azure.cli.command_modules.acs once dependency bumped to 2.47.0
-def _add_role_assignment_new(cmd, role, service_principal_msi_id, is_service_principal=True, delay=2, scope=None):
-    # AAD can have delays in propagating data, so sleep and retry
-    hook = cmd.cli_ctx.get_progress_controller(True)
-    hook.add(message="Waiting for AAD role to propagate", value=0, total_val=1.0)
-    logger.info("Waiting for AAD role to propagate")
-    for x in range(0, 10):
-        hook.add(message="Waiting for AAD role to propagate", value=0.1 * x, total_val=1.0)
-        try:
-            # TODO: break this out into a shared utility library
-            _add_role_assignment_executor_new(
-                cmd,
-                role,
-                service_principal_msi_id,
-                scope=scope,
-                resolve_assignee=is_service_principal,
-            )
-            break
-        except HttpResponseError as ex:
-            if isinstance(ex, ResourceExistsError) or "The role assignment already exists." in ex.message:
-                break
-            logger.info(ex.message)
-        except Exception as ex:  # pylint: disable=broad-except
-            logger.error(str(ex))
-        time.sleep(delay + delay * x)
-    else:
-        return False
-    hook.add(message="AAD role propagation done", value=1.0, total_val=1.0)
-    logger.info("AAD role propagation done")
-    return True
diff --git a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
@@ -73,7 +73,7 @@
 )
 from azext_aks_preview._roleassignments import (
     add_role_assignment,
-    _add_role_assignment_executor_new
+    add_role_assignment_executor
 )
 from azext_aks_preview.agentpool_decorator import (
     AKSPreviewAgentPoolAddDecorator,
@@ -212,7 +212,7 @@ def external_functions(self) -> SimpleNamespace:
             ] = ensure_azure_monitor_profile_prerequisites
             # temp workaround for the breaking change caused by default API version bump of the auth SDK
             external_functions["add_role_assignment"] = add_role_assignment
-            external_functions["_add_role_assignment_executor_new"] = _add_role_assignment_executor_new
+            external_functions["add_role_assignment_executor"] = add_role_assignment_executor
             # azure container storage functions
             external_functions[
                 "perform_enable_azure_container_storage_v1"
@@ -4227,7 +4227,7 @@ def postprocessing_after_mc_created(self, cluster: ManagedCluster) -> None:
             except Exception as e:  # pylint: disable=broad-except
                 logger.warning("Could not get signed in user: %s", str(e))
             else:
-                self.context.external_functions._add_role_assignment_executor_new(  # type: ignore # pylint: disable=protected-access
+                self.context.external_functions.add_role_assignment_executor(  # type: ignore # pylint: disable=protected-access
                     self.cmd,
                     "Azure Kubernetes Service RBAC Cluster Admin",
                     user["id"],
diff --git a/src/aks-preview/setup.py b/src/aks-preview/setup.py
@@ -9,7 +9,7 @@
 
 from setuptools import find_packages, setup
 
-VERSION = "18.0.0b41"
+VERSION = "18.0.0b42"
 
 CLASSIFIERS = [
     "Development Status :: 4 - Beta",
