Idempotency of az role assignment create is not working

[nasusoba]

Describe the bug

The az role assignment create command used to implement the idempotency, it means when the role assignment already exists, it will return the existing role assignment without error. It was implemented here. However, recently, I am seeing the idempotency assumption is broken.

Related command

az role assignment create

Errors

az role assignment create --assignee 292fc6f0-c845-4f60-9b2a-84253e963e2c --role "Key Vault Contributor" --scope /subscriptions/【mysub】/resourceGroups/[myrg]/providers/Microsoft.KeyVault/vaults/[mykv]--only-show-errors

(RoleAssignmentExists) A role assignment with ID '0b24f0d38ec546f5a10b26557bb60958' already exists with the same scope, principal ID, and role definition ID.
Code: RoleAssignmentExists
Message: A role assignment with ID '0b24f0d38ec546f5a10b26557bb60958' already exists with the same scope, principal ID, and role definition ID.

Issue script & Debug output

log.txt

Expected behavior

Succeeds and return the role assignment list result

Environment Summary

{
"azure-cli": "2.76.0",
"azure-cli-core": "2.76.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"account": "0.2.5",
"aksarc-lm": "0.9.1",
"arcappliance": "1.5.0",
"arcdata": "1.5.25",
"azure-devops": "1.0.2",
"connectedk8s": "1.10.8",
"customlocation": "0.1.4",
"k8s-configuration": "2.2.0",
"k8s-extension": "1.6.7",
"k8s-runtime": "2.0.0",
"providerhub": "1.0.0b2"
}
}

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• az role assignment create is not idempotent #8568
• az role assignment create unexpectedly calls graph API when objectid/principaltype set if assignment already exists #31579
• az role assignment creating fails on role definitions which are valid on 1+ subscription #9868
• az role assignment create is NOT idempotent #25872

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

I ended up flipping around the strategy, and asking if the role assignment exists first instead of reacting to a 409. Figured it was a much cleaner solution, and it matches how Terraform works around this problem.

Reference:

• az role assignment create is not idempotent #8568 (comment)

Solution 2:

Currently, the workaround is to check before assigning:

existingAssignment=$(az synapse role assignment list --workspace-name ${synapseName}  --role "6e4bf58a-b8e1-4cc3-bbf9-d73143322b78" --assignee ${adGroup} --only-show-errors);
if [ -z "$existingAssignment" ]; 
then az synapse role assignment create --workspace-name ${synapseName} --role "6e4bf58a-b8e1-4cc3-bbf9-d73143322b78" --assignee ${adGroup} --only-show-errors; 
fi

Reference:

• az role assignment create is NOT idempotent #25872 (comment)

Solution 3:

I would suggest we proceed by fetching the assignment by leveraging the existing list_role_assignments. Idempotent is the main command authoring guideline we would like to persist which community has appreciated very much.

Reference:

• az role assignment create is not idempotent #8568 (comment)

Powered by issue-sentinel

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• az role assignment create is not idempotent #8568
• az role assignment create is NOT idempotent #25872
• az role assignment create unexpectedly calls graph API when objectid/principaltype set if assignment already exists #31579
• unable to create role assignment using aad group object id #11081

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

I suggest we catch the error and ignore it if the error code is RoleAssignmentExists. Letting the service team fix it would likely take years based on the experience we have accumulated on other service issues. Technically this is a breaking change, but I am fine we go ahead to swallow it.

Reference:

• az role assignment create is not idempotent #8568 (comment)

Solution 2:

I ended up flipping around the strategy, and asking if the role assignment exists first instead of reacting to a 409. Figured it was a much cleaner solution, and it matches how Terraform works around this problem.

Reference:

• az role assignment create is not idempotent #8568 (comment)

Solution 3:

Currently, the workaround is to check before assigning:

existingAssignment=$(az synapse role assignment list --workspace-name ${synapseName}  --role "6e4bf58a-b8e1-4cc3-bbf9-d73143322b78" --assignee ${adGroup} --only-show-errors);
if [ -z "$existingAssignment" ]; 
then az synapse role assignment create --workspace-name ${synapseName} --role "6e4bf58a-b8e1-4cc3-bbf9-d73143322b78" --assignee ${adGroup} --only-show-errors; 
fi

Reference:

• az role assignment create is NOT idempotent #25872 (comment)

Powered by issue-sentinel

[yehiyam]

Hi @yonzhan any update on this bug?

[timosnel]

This broke all of our deployments, this is a regression. We are migrating to Bicep for this currently so we can do this deployment with idempotence.