[Role] az role assignment list: Add --fill-principal-name to allow omitting principalName property (#30693)

jiasli · web-flow · commit 919923cc9e36 · 2025-03-28T16:56:28.000+08:00
diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py
@@ -800,6 +800,8 @@
     text: az role assignment list --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000
   - name: List all role assignments of an assignee at the subscription scope.
     text: az role assignment list --assignee 00000000-0000-0000-0000-000000000000 --scope /subscriptions/00000000-0000-0000-0000-000000000000
+  - name: List all role assignments with "Reader" role at the subscription scope, without filling principalName property
+    text: az role assignment list --role Reader --scope /subscriptions/00000000-0000-0000-0000-000000000000 --fill-principal-name false
 """
 
 helps['role assignment list-changelogs'] = """
diff --git a/src/azure-cli/azure/cli/command_modules/role/_params.py b/src/azure-cli/azure/cli/command_modules/role/_params.py
@@ -340,6 +340,14 @@ def load_arguments(self, _):
         c.argument('assignment_name', name_arg_type,
                    help='A GUID for the role assignment. It must be unique and different for each role assignment. If omitted, a new GUID is generated.')
 
+    with self.argument_context('role assignment list') as c:
+        c.argument('fill_principal_name', arg_type=get_three_state_flag(),
+                   help="Query Microsoft Graph to get the assignee's userPrincipalName (for user), "
+                        "servicePrincipalNames (for service principal) or displayName (for group), then fill "
+                        "principalName property with it. "
+                        "If the logged-in account has no permission or the machine has no network access to query "
+                        "Microsoft Graph, set this flag to false to avoid warning or error.")
+
     time_help = 'The {} of the query in the format of %Y-%m-%dT%H:%M:%SZ, e.g. 2000-12-31T12:59:59Z. Defaults to {}'
     with self.argument_context('role assignment list-changelogs') as c:
         c.argument('start_time', help=time_help.format('start time', '1 Hour prior to the current time'))
diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py
@@ -234,7 +234,8 @@ def _create_role_assignment(cli_ctx, role, assignee, resource_group_name=None, s
 
 def list_role_assignments(cmd, assignee=None, role=None, resource_group_name=None,
                           scope=None, include_inherited=False,
-                          show_all=False, include_groups=False, include_classic_administrators=False):
+                          show_all=False, include_groups=False, include_classic_administrators=False,
+                          fill_principal_name=True):
     '''
     :param include_groups: include extra assignments to the groups of which the user is a
     member(transitively).
@@ -282,22 +283,23 @@ def list_role_assignments(cmd, assignee=None, role=None, resource_group_name=Non
                 i['roleDefinitionName'] = None  # the role definition might have been deleted
 
     # fill in principal names
-    principal_ids = set(worker.get_role_property(i, 'principalId')
-                        for i in results if worker.get_role_property(i, 'principalId'))
+    if fill_principal_name:
+        principal_ids = set(worker.get_role_property(i, 'principalId')
+                            for i in results if worker.get_role_property(i, 'principalId'))
 
-    if principal_ids:
-        try:
-            principals = _get_object_stubs(graph_client, principal_ids)
-            principal_dics = {i[ID]: _get_displayable_name(i) for i in principals}
-
-            for i in [r for r in results if not r.get('principalName')]:
-                i['principalName'] = ''
-                if principal_dics.get(worker.get_role_property(i, 'principalId')):
-                    worker.set_role_property(i, 'principalName',
-                                             principal_dics[worker.get_role_property(i, 'principalId')])
-        except (HttpResponseError, GraphError) as ex:
-            # failure on resolving principal due to graph permission should not fail the whole thing
-            logger.info("Failed to resolve graph object information per error '%s'", ex)
+        if principal_ids:
+            try:
+                principals = _get_object_stubs(graph_client, principal_ids)
+                principal_dics = {i[ID]: _get_displayable_name(i) for i in principals}
+
+                for i in [r for r in results if not r.get('principalName')]:
+                    i['principalName'] = ''
+                    if principal_dics.get(worker.get_role_property(i, 'principalId')):
+                        worker.set_role_property(i, 'principalName',
+                                                 principal_dics[worker.get_role_property(i, 'principalId')])
+            except (HttpResponseError, GraphError) as ex:
+                # failure on resolving principal due to graph permission should not fail the whole thing
+                logger.info("Failed to resolve graph object information per error '%s'", ex)
 
     for r in results:
         if not r.get('additionalProperties'):  # remove the useless "additionalProperties"
diff --git a/src/azure-cli/azure/cli/command_modules/role/tests/latest/recordings/test_role_assignment_no_graph.yaml b/src/azure-cli/azure/cli/command_modules/role/tests/latest/recordings/test_role_assignment_no_graph.yaml
diff --git a/src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role.py b/src/azure-cli/azure/cli/command_modules/role/tests/latest/test_role.py
@@ -689,6 +689,31 @@ def check_changelogs():
             finally:
                 self.cmd('ad user delete --id {upn}')
 
+    @ResourceGroupPreparer(name_prefix='cli_role_assign')
+    @AllowLargeResponse()
+    def test_role_assignment_no_graph(self, resource_group):
+        with mock.patch('azure.cli.command_modules.role.custom._gen_guid', side_effect=self.create_guid):
+            self.kwargs.update({
+                'uami': self.create_random_name('clitest', 15),  # user-assigned managed identity
+                # https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+                'role_reader_guid': 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+            })
+            self._prepare_scope_kwargs()
+
+            uami = self.cmd('identity create -g {rg} -n {uami} --location westus').get_output_in_json()
+            self.kwargs['uami_object_id'] = uami['principalId']
+
+            self.cmd('role assignment create '
+                     '--assignee-object-id {uami_object_id} --assignee-principal-type ServicePrincipal '
+                     '--role {role_reader_guid} --scope {rg_id}')
+            # Verify '--fill-principal-name false' skips the Graph query for filling principalName.
+            self.cmd('role assignment list --scope {rg_id} --fill-principal-name false',
+                     checks=[
+                         self.check("length([])", 1),
+                         self.not_exists("[0].principalName")
+                     ])
+            # Manually verify the recording file that no HTTP request to https://graph.microsoft.com is made
+
 
 class RoleAssignmentWithConfigScenarioTest(RoleScenarioTestBase):
 
