Role Assignment: roleDefinitionId will change if the role definition is defined in other subscription #10939

Open

Description

Given a role definition defined in sub1 (which is assignable to both sub1 and sub2), we assign it to sub2 (scope) via a role assignment by dereferencing the role definition id, where the definition id is constructed using sub1 as the subscription component.

PUT https://management.azure.com//subscriptions/<sub2>/providers/Microsoft.Authorization/roleAssignments/<UUID>?api-version=2018-09-01-preview HTTP/2.0

{
    "properties": {
        "principalId": "<UUID>",
        "roleDefinitionId": "/subscriptions/<sub1>/providers/Microsoft.Authorization/roleDefinitions/<UUID>"
    }
}

Later, when we GET the assignment object via the API, the response shows the role definition id constructed using sub2 as the subscription component:

GET https://management.azure.com//subscriptions/<sub2>/providers/Microsoft.Authorization/roleAssignments/<UUID>?api-version=2018-09-01-preview HTTP/2.0

{
    ...
    "properties": {
        ...
        "roleDefinitionId": "/subscriptions/<sub2>/providers/Microsoft.Authorization/roleDefinitions/<UUID>",
        ...
    }
}

The expected roleDefinitionId should be kept the same as in the request.

Related Issue
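
For audit or drift-detection tooling that compares the roleDefinitionId sent in the PUT with the one returned by the GET described above, a plain string comparison reports a change even when the same definition is referenced. The following is an added example, not part of the original issue or any project's code: it compares the two IDs by their trailing definition GUID and reports a rewritten scope prefix separately. The function names, the assumed ID shape and the sample UUIDs are constructed for illustration.

```python
import re
import uuid

# Assumed ID shape: optional scope prefix, provider segment, definition GUID.
_ROLE_DEF = re.compile(
    r"^(?P<scope>(?:/[^/]+)*?)/providers/Microsoft\.Authorization"
    r"/roleDefinitions/(?P<guid>[^/]+)$",
    re.IGNORECASE,
)

# Constructed sample values; the issue elides the real ones as <sub1>, <UUID>.
SUB1 = "11111111-1111-1111-1111-111111111111"
SUB2 = "22222222-2222-2222-2222-222222222222"
ROLE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
FMT = "/subscriptions/{}/providers/Microsoft.Authorization/roleDefinitions/{}"


def parse_role_definition_id(value):
    """Return (scope, guid), both lower-cased; raise ValueError if malformed."""
    # Collapse repeated slashes such as the '//subscriptions' in the issue's URLs.
    normalized = re.sub(r"/{2,}", "/", value.strip()).rstrip("/")
    match = _ROLE_DEF.match(normalized)
    if not match:
        raise ValueError(f"not a role definition ID: {value!r}")
    guid = str(uuid.UUID(match.group("guid")))  # raises ValueError if not a GUID
    return match.group("scope").lower(), guid


def compare_role_definition_ids(requested, returned):
    """Classify the ID sent in the PUT against the one returned by the GET."""
    req_scope, req_guid = parse_role_definition_id(requested)
    ret_scope, ret_guid = parse_role_definition_id(returned)
    if req_guid != ret_guid:
        return "different-definition"  # another role entirely: real drift
    if req_scope != ret_scope:
        return "scope-rewritten"  # same GUID, prefix changed, as in this issue
    return "identical"


if __name__ == "__main__":
    print(compare_role_definition_ids(FMT.format(SUB1, ROLE), FMT.format(SUB2, ROLE)))
```
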
