
Add optional parameter --assignee-principal-type to az aks update --attach-acr #31461

Closed
jovieir wants to merge 4 commits into Azure:dev from jovieir:dev

Conversation

@jovieir
Contributor

@jovieir jovieir commented May 13, 2025

Related command
az aks update --attach-acr

Description

This commit introduces a new parameter, --assignee-principal-type, to the az aks update --attach-acr command in the Azure CLI, allowing users to explicitly specify the principal type (e.g., User, Group, or ServicePrincipal) for ACR role assignment. This enhancement aims to address Role-Based Access Control (RBAC)-related errors by ensuring the correct principal type is applied during the ACR role assignment, specifically when using Azure RBAC role assignment conditions.

The original --attach-acr parameter omits the principalType from the requestBody, which causes the authorization request to be invalidated when used with role assignment conditions.

The original logic is not changed, so as not to break existing implementations. The optional parameter, when used, overrides the default behavior to ensure the correct principal type is applied during the ACR role assignment.

Testing Guide

  1. Create an AKS cluster
  2. Set up an Azure role assignment condition dependent on one of the expected principalTypes, e.g.:
    ( ( !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) ) OR ( @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Group'}) )
  3. Run az aks update -g <rg> -n <cluster_name> --attach-acr <acr name> and notice the 403 Unauthorized exception from ARM.
  4. Re-run the command with the new parameter --assignee-principal-type and the expected principalType and the command succeeds.

History Notes

[Azure CLI] Add optional parameter --assignee-principal-type to az aks update --attach-acr


This checklist is used to make sure that common guidelines for a pull request are followed.
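The description above states that the request body sent by the original --attach-acr path omits principalType, and that an Azure RBAC role assignment condition keyed on that attribute then rejects the write. The following is an added example, not code from this PR or from azure-cli: it builds the two request-body shapes (with and without principalType) and evaluates the exact condition string from the testing guide against them. The condition evaluator is a deliberately minimal, constructed stand-in that only understands the ActionMatches / ForAnyOfAnyValues:StringEqualsIgnoreCase shape used here; the role definition id is a placeholder, and the rule that a missing attribute fails the comparison is taken from the behaviour the PR describes, not from Azure's evaluator.

```python
import re

# Placeholder, not a real role definition id.
ROLE_DEFINITION_ID = "<acr-pull-role-definition-id>"
WRITE_ACTION = "Microsoft.Authorization/roleAssignments/write"

# The condition from the PR's testing guide, verbatim.
CONDITION = (
    "( ( !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) ) "
    "OR ( @Request[Microsoft.Authorization/roleAssignments:PrincipalType] "
    "ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal', 'Group'}) )"
)


def build_role_assignment_body(principal_id, role_definition_id, principal_type=None):
    """Model the roleAssignments PUT body. Without principal_type the body has the
    shape the PR says the original --attach-acr code sends (no principalType key)."""
    props = {"principalId": principal_id, "roleDefinitionId": role_definition_id}
    if principal_type is not None:
        props["principalType"] = principal_type
    return {"properties": props}


def parse_condition(condition):
    """Pull the guarded action and the allowed principal types out of a condition
    of the one shape handled here (constructed parser, not Azure's grammar)."""
    action = re.search(r"ActionMatches\{'([^']+)'\}", condition).group(1)
    values = re.search(
        r"ForAnyOfAnyValues:StringEqualsIgnoreCase \{([^}]*)\}", condition
    ).group(1)
    allowed = [v.strip().strip("'") for v in values.split(",") if v.strip()]
    return action, allowed


def condition_allows(condition, action, body):
    """Evaluate: NOT ActionMatches(action) OR principalType in allowed set.

    The request attribute is read from the body itself, so a body that omits
    principalType has nothing to compare and the right-hand side is false.
    """
    guarded_action, allowed = parse_condition(condition)
    if action != guarded_action:
        return True  # condition does not constrain other actions
    principal_type = body["properties"].get("principalType")
    if principal_type is None:
        return False  # attribute absent: comparison fails, write is denied
    return principal_type.lower() in {a.lower() for a in allowed}


def simulate_attach_acr(principal_type=None):
    """Return the outcome a caller would see for the role-assignment write:
    'denied' models the ARM rejection in the testing guide, 'assigned' the fix."""
    body = build_role_assignment_body(
        "00000000-0000-0000-0000-000000000000",  # constructed kubelet identity id
        ROLE_DEFINITION_ID,
        principal_type,
    )
    return "assigned" if condition_allows(CONDITION, WRITE_ACTION, body) else "denied"


if __name__ == "__main__":
    print("no --assignee-principal-type:", simulate_attach_acr())
    print("--assignee-principal-type ServicePrincipal:", simulate_attach_acr("ServicePrincipal"))
    print("--assignee-principal-type User:", simulate_attach_acr("User"))
```

Run as a script it prints denied, assigned, denied in that order, which is the sequence the testing guide walks through: the write is refused until the request carries a principalType that the condition lists, and a type outside the list (User) is still refused even though it is now present.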

@azure-client-tools-bot-prd

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

@azure-client-tools-bot-prd

Hi @jovieir,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

@azure-client-tools-bot-prd

Validation for Breaking Change Starting...

Thanks for your contribution!

@yonzhan
Collaborator

yonzhan commented May 13, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>


Labels

AKS (az aks/acs/openshift), Auto-Assign (auto assign by bot), Container Registry (az acr), Portal (az portal)
