How do I - find who is the authenticated account? @azure/arm-authorization  #17460

Closed

Description

If I use the DefaultAzureCredential, and I think I know which credential should be used, then I ask for client.permissions.listForResourceGroup(resourceGroupName) and I'm surprised by a lack of permissions because the Default Credential chose credentials other than what I thought, I need to figure out which account was authenticated.

For example, I think the result should tell me which account it is getting permissions for.

```js
const { DefaultAzureCredential } = require("@azure/identity");
const { AuthorizationManagementClient } = require("@azure/arm-authorization");
const subscriptionId = process.env["AZURE_SUBSCRIPTION_ID"];
const resourceGroupName = process.env["AZURE_RESOURCE_GROUP_NAME"];

// Use `DefaultAzureCredential` or any other credential of your choice based on https://aka.ms/azsdk/js/identity/examples
// Please note that you can also use credentials from the `@azure/ms-rest-nodeauth` package instead.
const creds = new DefaultAzureCredential();
const client = new AuthorizationManagementClient(creds, subscriptionId);
/*
client.classicAdministrators.list().then((result) => {
  console.log("The result is:");
  console.log(result);
}).catch((err) => {
  console.log("An error occurred:");
  console.error(err);
});
*/

// Gets all permissions the caller has for a resource group.
// https://docs.microsoft.com/en-us/javascript/api/@azure/arm-authorization/permissions?view=azure-node-latest#listForResourceGroup_string__msRest_RequestOptionsBase_

client.permissions.listForResourceGroup(resourceGroupName).then((result) => {
  console.log("The result is:");
  console.log(result);
}).catch((err) => {
  console.log("An error occurred:");
  console.error(err);
});
```

Returns the following:

```
[
  {
    actions: [ '*' ],
    notActions: [
      'Microsoft.Authorization/*/Delete',
      'Microsoft.Authorization/*/Write',
      'Microsoft.Authorization/elevateAccess/Action',
      'Microsoft.Blueprint/blueprintAssignments/write',
      'Microsoft.Blueprint/blueprintAssignments/delete',
      'Microsoft.Compute/galleries/share/action'
    ],
    dataActions: [],
    notDataActions: []
  },
  nextLink: undefined
]
```
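
One way to answer the question above, as an added example that is not part of the original issue or the Azure SDK's own code: request an Azure Resource Manager token from the credential and read its identity claims (`tid`, `oid`, `appid`/`azp`, `upn`). The helper names (`whoAmI`, `describeIdentity`, `decodeJwtPayload`, `makeSampleToken`) and the sample token are constructed for illustration, and the payload is decoded without signature verification, so the result is for diagnostics only.

```javascript
// Added example (not from the issue or the Azure SDK): identify the principal
// a credential authenticated as from the claims of the token it returns.
const ARM_SCOPE = "https://management.azure.com/.default";

// Decode the JWT payload WITHOUT verifying the signature. Diagnostics only:
// never base an authorization decision on these unverified values.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 segments");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Keep only the claims that say who the caller is.
function describeIdentity(claims) {
  const user = claims.upn || claims.preferred_username || claims.unique_name || null;
  return {
    kind: user ? "user" : "application", // heuristic: app-only tokens carry no user name
    tenantId: claims.tid,
    objectId: claims.oid, // the principal that role assignments are bound to
    clientId: claims.appid || claims.azp, // v1 tokens use appid, v2 tokens use azp
    user,
  };
}

// `credential` is anything exposing getToken(scope), e.g. DefaultAzureCredential.
async function whoAmI(credential, scope = ARM_SCOPE) {
  const accessToken = await credential.getToken(scope);
  if (!accessToken || !accessToken.token) throw new Error("credential returned no token");
  return describeIdentity(decodeJwtPayload(accessToken.token)); // log this, not the token
}

// Constructed sample data: an unsigned, made-up token and a stand-in credential.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "none", typ: "JWT" }), enc(claims), "constructed"].join(".");
}
const sampleCredential = {
  getToken: async () => ({
    token: makeSampleToken({ tid: "tenant-0001", oid: "object-00aa", appid: "client-00bb" }),
    expiresOnTimestamp: Date.now() + 3600 * 1000,
  }),
};
whoAmI(sampleCredential).then((identity) => console.log("Authenticated as:", identity));
```

With the real SDK, pass the same `creds` object that is given to `AuthorizationManagementClient`, as in `whoAmI(creds)`, and compare the reported `objectId` with the principal that holds the expected role assignment.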

Labels

Azure.Identity
Client: This issue points to a problem in the data-plane of the library.
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
feature-request: This issue requires a new behavior in the product in order to be resolved.