diff --git a/src/containerapp/azext_containerapp/_help.py b/src/containerapp/azext_containerapp/_help.py
index c4e500caf4a..23c48abdf13 100644
--- a/src/containerapp/azext_containerapp/_help.py
+++ b/src/containerapp/azext_containerapp/_help.py
@@ -277,13 +277,13 @@
 examples:
 - name: Assign system identity.
 text: |
- az containerapp identity assign
+ az containerapp identity assign -n myContainerapp -g MyResourceGroup --system-assigned
 - name: Assign user identity.
 text: |
- az containerapp identity assign --identities myAssignedId
+ az containerapp identity assign -n myContainerapp -g MyResourceGroup --user-assigned myAssignedId
 - name: Assign system and user identity.
 text: |
- az containerapp identity assign --identities [system] myAssignedId
+ az containerapp identity assign -n myContainerapp -g MyResourceGroup --system-assigned --user-assigned myAssignedId
 """
 helps['containerapp identity remove'] = """
@@ -292,15 +292,25 @@
 examples:
 - name: Remove system identity.
 text: |
- az containerapp identity remove --identities [system]
+ az containerapp identity remove -n myContainerapp -g MyResourceGroup --system-assigned
 - name: Remove system and user identity.
 text: |
- az containerapp identity remove --identities [system] myAssignedId
+ az containerapp identity remove -n myContainerapp -g MyResourceGroup --system-assigned --user-assigned myAssignedId
+ - name: Remove all user identities.
+ text: |
+ az containerapp identity remove -n myContainerapp -g MyResourceGroup --user-assigned
+ - name: Remove system identity and all user identities.
+ text: |
+ az containerapp identity remove -n myContainerapp -g MyResourceGroup --system-assigned --user-assigned
 """
 helps['containerapp identity show'] = """
 type: command
 short-summary: Show managed identities of a container app.
+ examples:
+ - name: Show managed identities.
+ text: |
+ az containerapp identity show -n myContainerapp -g MyResourceGroup
 """
 # Ingress Commands
@@ -526,7 +536,7 @@
 helps['containerapp dapr disable'] = """
 type: command
- short-summary: Disable Dapr for a container app.
+ short-summary: Disable Dapr for a container app. Removes existing values.
 examples:
 - name: Disable Dapr for a container app.
 text: |
diff --git a/src/containerapp/azext_containerapp/_params.py b/src/containerapp/azext_containerapp/_params.py
index b1a89f2c8d0..c09dcf48522 100644
--- a/src/containerapp/azext_containerapp/_params.py
+++ b/src/containerapp/azext_containerapp/_params.py
@@ -114,10 +114,11 @@ def load_arguments(self, _):
 c.argument('name', name_type, help='Name of the Container Apps Environment.')
 with self.argument_context('containerapp identity') as c:
- c.argument('identities', nargs='+', help="Space-separated identities. Use '[system]' to refer to the system assigned identity.")
+ c.argument('user_assigned', nargs='+', help="Space-separated user identities.")
+ c.argument('system_assigned', help="System-assigned identity.")
- with self.argument_context('containerapp identity assign') as c:
- c.argument('identities', nargs='+', help="Space-separated identities. Use '[system]' to refer to the system assigned identity. Default is '[system]'.")
+ with self.argument_context('containerapp identity remove') as c:
+ c.argument('user_assigned', nargs='*', help="Space-separated user identities. If no user identities are specified, all user identities will be removed.")
 with self.argument_context('containerapp github-action add') as c:
 c.argument('repo_url', help='The GitHub repository to which the workflow file will be added. In the format: https://github.com//')
diff --git a/src/containerapp/azext_containerapp/custom.py b/src/containerapp/azext_containerapp/custom.py
index 52620d08e1d..acfd2cb5222 100644
--- a/src/containerapp/azext_containerapp/custom.py
+++ b/src/containerapp/azext_containerapp/custom.py
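Review bot: In the `_params.py` hunk, `nargs='*'` on `user_assigned` for `containerapp identity remove` makes a bare `--user-assigned` mean "remove every user identity", so a script that passes an unquoted variable which happens to be empty detaches all identities instead of failing. Nothing in this hunk asks for confirmation before that, and the command registration is not part of the diff, so whether a prompt exists elsewhere cannot be told from here. Consider a confirmation prompt for the remove-all case or an explicit value for it. The `system_assigned` help should also say that it is a switch, e.g. `help="Boolean indicating whether to assign (or remove) the system-assigned identity."`.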
@@ -843,17 +843,13 @@ def delete_managed_environment(cmd, name, resource_group_name, no_wait=False):
 handle_raw_exception(e)
-def assign_managed_identity(cmd, name, resource_group_name, identities=None, no_wait=False):
+def assign_managed_identity(cmd, name, resource_group_name, system_assigned=False, user_assigned=None, no_wait=False):
 _validate_subscription_registered(cmd, "Microsoft.App")
- # if no identities, then assign system by default
- if not identities:
- identities = ['[system]']
- logger.warning('Identities not specified. Assigning managed system identity.')
-
- identities = [x.lower() for x in identities]
- assign_system_identity = '[system]' in identities
- assign_user_identities = [x for x in identities if x != '[system]']
+ assign_system_identity = system_assigned
+ if not user_assigned:
+ user_assigned = []
+ assign_user_identities = [x.lower() for x in user_assigned]
 containerapp_def = None
@@ -906,12 +902,16 @@ def assign_managed_identity(cmd, name, resource_group_name, identities=None, no_
 subscription_id = get_subscription_id(cmd.cli_ctx)
 for r in assign_user_identities:
- old_id = r
 r = _ensure_identity_resource_id(subscription_id, resource_group_name, r).replace("resourceGroup", "resourcegroup")
- try:
- containerapp_def["identity"]["userAssignedIdentities"][r]
- logger.warning("User identity {} is already assigned to containerapp".format(old_id))
- except:
+ isExisting = False
+
+ for old_user_identity in containerapp_def["identity"]["userAssignedIdentities"]:
+ if old_user_identity.lower() == r.lower():
+ isExisting = True
+ logger.warning("User identity {} is already assigned to containerapp".format(old_user_identity))
+ break
+
+ if not isExisting:
 containerapp_def["identity"]["userAssignedIdentities"][r] = {}
 try:
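Review bot: With the default-to-system fallback removed, `assign_managed_identity` called with neither `--system-assigned` nor `--user-assigned` leaves `assign_system_identity` false and `assign_user_identities` empty. Unless a check further down rejects that (the body continues outside this hunk), the command sends an update that assigns nothing and reports success. Reject it up front with `if not system_assigned and not user_assigned: raise InvalidArgumentValueError("Specify --system-assigned and/or --user-assigned.")`. The same gap is in `remove_managed_identity` in the `@@ -923` hunk, where the test has to be `user_assigned is None` because an empty list there means remove-all.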
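Review bot: The `isExisting` flag in the `@@ -906` lookup loop is camelCase in otherwise snake_case code, and it can be dropped by naming the match: `existing = next((k for k in containerapp_def["identity"]["userAssignedIdentities"] if k.lower() == r.lower()), None)`, then warn when `existing` is set and add `r` otherwise. As written, `r.lower()` is also recomputed on every pass of the inner loop. A one-line comment saying why the dict lookup became a case-insensitive scan would help the next reader; the likely reason, stored resource IDs differing in case from the ones the CLI builds, is inferred and not stated in the hunk. The enclosing function starts and ends outside this hunk.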
@@ -923,18 +923,19 @@ def assign_managed_identity(cmd, name, resource_group_name, identities=None, no_
 handle_raw_exception(e)
-def remove_managed_identity(cmd, name, resource_group_name, identities, no_wait=False):
+def remove_managed_identity(cmd, name, resource_group_name, system_assigned=False, user_assigned=None, no_wait=False):
 _validate_subscription_registered(cmd, "Microsoft.App")
- identities = [x.lower() for x in identities]
- remove_system_identity = '[system]' in identities
- remove_user_identities = [x for x in identities if x != '[system]']
- remove_id_size = len(remove_user_identities)
+ remove_system_identity = system_assigned
+ remove_user_identities = user_assigned
- # Remove duplicate identities that are passed and notify
- remove_user_identities = list(set(remove_user_identities))
- if remove_id_size != len(remove_user_identities):
- logger.warning("At least one identity was passed twice.")
+ if user_assigned:
+ remove_id_size = len(remove_user_identities)
+
+ # Remove duplicate identities that are passed and notify
+ remove_user_identities = list(set(remove_user_identities))
+ if remove_id_size != len(remove_user_identities):
+ logger.warning("At least one identity was passed twice.")
 containerapp_def = None
 # Get containerapp properties of CA we are updating
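Review bot: `remove_user_identities = user_assigned` drops the `.lower()` that the old code applied, so the `set()` duplicate check is now case-sensitive: the same identity passed in two casings is neither collapsed nor reported. `assign_managed_identity` still lowercases its input, so the two commands now disagree. If the matching further down (outside this hunk) compares these strings directly, a differently-cased ID would also fail to match an identity that is attached. Normalise before deduplicating, e.g. `remove_user_identities = list({x.lower() for x in user_assigned})` inside the `if user_assigned:` branch.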
@@ -964,6 +965,14 @@ def remove_managed_identity(cmd, name, resource_group_name, identities, no_wait=
 raise InvalidArgumentValueError("The containerapp {} has no system assigned identities.".format(name))
 containerapp_def["identity"]["type"] = ("None" if containerapp_def["identity"]["type"] == "SystemAssigned" else "UserAssigned")
+ if isinstance(user_assigned, list) and not user_assigned:
+ containerapp_def["identity"]["userAssignedIdentities"] = {}
+ remove_user_identities = []
+
+ if containerapp_def["identity"]["userAssignedIdentities"] == {}:
+ containerapp_def["identity"]["userAssignedIdentities"] = None
+ containerapp_def["identity"]["type"] = ("None" if containerapp_def["identity"]["type"] == "UserAssigned" else "SystemAssigned")
+
 if remove_user_identities:
 subscription_id = get_subscription_id(cmd.cli_ctx)
 try:
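Review bot: The `else "SystemAssigned"` fallback in the new `userAssignedIdentities == {}` block turns an identity type of "None" into "SystemAssigned". Reading the visible statements in order (indentation is lost on this page, so the nesting is inferred): on an app whose type is "SystemAssigned", `remove --system-assigned --user-assigned` first sets the type to "None", then the empty-list branch sets `userAssignedIdentities = {}`, and this block sets the type back to "SystemAssigned". The system identity the operator asked to remove would then stay enabled and keep whatever access it was granted. Only downgrade from a type that includes user identities: `containerapp_def["identity"]["type"] = ("None" if containerapp_def["identity"]["type"] in ("None", "UserAssigned") else "SystemAssigned")`. The function body continues outside the hunk, so an earlier guard may narrow this, but none is visible here.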