
[KeyVault] Fix az keyvault role assignment create/list AccessDenied when caller lacks root-scope permissions #33465

Draft: Copilot wants to merge 2 commits into dev from copilot/fix-az-cli-rbac-assignment-issue


Copilot AI commented May 28, 2026

Related command
az keyvault role assignment create / az keyvault role assignment list

Description

When a principal holds a Managed HSM role scoped to a specific key (e.g., /keys/my-key) rather than root /, az keyvault role assignment create --scope /keys/my-key fails with:

ERROR: (AccessDenied) Not authorized to access Microsoft.KeyVault/managedHsm/roleAssignments/read/action on /

Root cause: After creating/listing role assignments, both create_role_assignment and list_role_assignments called list_role_definitions(client) with no scope, which defaults to root (''). This forces a read at / regardless of the requested scope.

Fix: Pass the operation's scope through to list_role_definitions:

  • create_role_assignment: list_role_definitions(client) → list_role_definitions(client, scope=scope)
  • list_role_assignments: list_role_definitions(client) → list_role_definitions(client, scope=query_scope)

Role definitions are HSM-wide and are returned for any scope the caller can read, so scoping this call to the requested scope is both correct and sufficient.

Testing Guide

# As a principal with Policy Administrator role scoped to /keys/my-key only:
az keyvault role assignment create \
  --hsm-name <hsm-name> \
  --assignee-object-id <object-id> \
  --assignee-principal-type ServicePrincipal \
  --role "Managed HSM Crypto User" \
  --scope /keys/my-key
# Previously: AccessDenied on /
# After fix: succeeds

History Notes

[KeyVault] az keyvault role assignment create: Fix AccessDenied error when creating role assignments with a key-scoped --scope using a principal that lacks root-level read permissions


This checklist is used to make sure that common guidelines for a pull request are followed.
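
The root cause described in the PR description above, as an added example that is not azure-cli code and not part of the original comment: a toy authorization model in which any RBAC call at a scope needs a grant on that scope or an ancestor. `FakeHsmClient`, `scope_covers`, `normalize`, `run`, the `_before`/`_after` function names and all ids are hypothetical; only the names `list_role_definitions` and `create_role_assignment`, the `''` default and the error text come from the description.

```python
# Added illustration: a minimal model of the scope bug, not the azure-cli implementation.

READ_ACTION = "Microsoft.KeyVault/managedHsm/roleAssignments/read/action"  # from the error text


class AccessDenied(Exception):
    """Raised by the model when no grant of the caller covers the requested scope."""


def normalize(scope):
    # '' and '/' both mean root; 'keys' and '/keys' name the same scope.
    return "/" + (scope or "").strip("/")


def scope_covers(granted, requested):
    """A grant applies to its own scope and to descendants, matched on whole path segments."""
    granted, requested = normalize(granted), normalize(requested)
    return granted == "/" or requested == granted or requested.startswith(granted + "/")


class FakeHsmClient:
    """Hypothetical stand-in for the HSM access-control client (assumption, not the SDK)."""

    def __init__(self, caller_grants):
        self.caller_grants = caller_grants   # scopes where the caller may manage RBAC
        self.assignments = []                # state held by the "service"
        self.reads = []                      # scopes at which a read was attempted

    def _authorize(self, scope):
        if not any(scope_covers(g, scope) for g in self.caller_grants):
            raise AccessDenied(
                f"(AccessDenied) Not authorized to access {READ_ACTION} on {normalize(scope)}")

    def list_role_definitions(self, scope):
        self.reads.append(normalize(scope))
        self._authorize(scope)
        # Constructed role definition; the id is a placeholder.
        return [{"id": "constructed-role-def-id", "roleName": "Managed HSM Crypto User"}]

    def create_role_assignment(self, scope, role_definition_id, principal_id):
        self._authorize(scope)
        assignment = {"scope": normalize(scope),
                      "roleDefinitionId": role_definition_id,
                      "principalId": principal_id}
        self.assignments.append(assignment)
        return assignment


def list_role_definitions(client, scope=""):
    # As described in the PR: with no scope argument the lookup goes to root ('').
    return client.list_role_definitions(scope)


def _with_role_name(assignment, role_defs):
    names = {d["id"]: d["roleName"] for d in role_defs}
    return dict(assignment, roleName=names.get(assignment["roleDefinitionId"]))


def create_role_assignment_before(client, scope, role_definition_id, principal_id):
    assignment = client.create_role_assignment(scope, role_definition_id, principal_id)
    role_defs = list_role_definitions(client)               # unscoped: reads at '/'
    return _with_role_name(assignment, role_defs)


def create_role_assignment_after(client, scope, role_definition_id, principal_id):
    assignment = client.create_role_assignment(scope, role_definition_id, principal_id)
    role_defs = list_role_definitions(client, scope=scope)  # reads at the requested scope
    return _with_role_name(assignment, role_defs)


def run(create, grants, scope="/keys/my-key"):
    """Return (result or error text, scopes read, number of stored assignments)."""
    client = FakeHsmClient(grants)
    try:
        result = create(client, scope, "constructed-role-def-id", "constructed-object-id")
    except AccessDenied as exc:
        result = str(exc)
    return result, client.reads, len(client.assignments)


if __name__ == "__main__":
    for fn in (create_role_assignment_before, create_role_assignment_after):
        print(fn.__name__, run(fn, ["/keys/my-key"]))
```

In this model the "before" path raises only after the assignment has been stored, so a caller who sees the error should list assignments at the key scope before retrying.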


azure-client-tools-bot-prd Bot commented May 28, 2026

❌AzureCLI-FullTest
✔️ Passed (latest: 3.12, 3.13): acr, acs, advisor, ams, apim, appconfig, appservice, aro, backup, batch, batchai, billing, botservice, cdn, cloud, cognitiveservices, compute_recommender, computefleet, config, configure, consumption, container, containerapp, core, cosmosdb, databoxedge, dls, dms, eventgrid, eventhubs, feedback, find, hdinsight, identity, iot
❌keyvault
❌latest
❌3.12
Type Test Case Error Message Line
Failed test_keyvault_hsm_role self = <azure.cli.testsdk.base.ExecutionResult object at 0x7ffb42c1d1f0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7ffb494dba40>
command = 'keyvault role assignment list --id https://clitesthsmrole000002.managedhsm.azure.net --scope keys'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/__init__.py:157: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^

ex = CLIError(CannotOverwriteExistingCassetteException("Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cl...chers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']\nMatchers failed :\n"))
args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.keyvault.tests.latest.test_keyvault_commands.KeyVaultHSMRoleScenarioTest testMethod=test_keyvault_hsm_role>
resource_group = 'cli_test_hsm_role000001', managed_hsm = 'clitesthsmrole000002'

    @serial_test()
    @ResourceGroupPreparer(name_prefix='cli_test_hsm_role')
    @ManagedHSMPreparer(name_prefix='clitesthsmrole', certs_path=CERTS_DIR)
    def test_keyvault_hsm_role(self, resource_group, managed_hsm):
        self.kwargs.update({
            'hsm_url': f'https://{managed_hsm}.managedhsm.azure.net',
            'hsm_name': managed_hsm,
            'officer_role': 'Managed HSM Crypto Officer',
            'user_role': 'Managed HSM Crypto User',
            'user1': self.create_random_name(prefix='clihsmroletest', length=24),
            'user2': self.create_random_name(prefix='clihsmroletest', length=24),
            'domain': 'AzureSDKTeam.onmicrosoft.com',
            'password': self.create_random_name(prefix='password-', length=40)
        })
    
        user1_result = self.cmd('ad user create --display-name {user1} --password {password} '
                                '--user-principal-name {user1}@{domain}').get_output_in_json()
        self.kwargs['user1_id'] = user1_result['id']
    
        user2_result = self.cmd('ad user create --display-name {user2} --password {password} '
                                '--user-principal-name {user2}@{domain}').get_output_in_json()
        self.kwargs['user2_id'] = user2_result['id']
    
        role_definitions = self.cmd('keyvault role definition list --hsm-name {hsm_name}').get_output_in_json()
    
        officer_role_def = [r for r in role_definitions if r['roleName'] == self.kwargs['officer_role']][0]
        user_role_def = [r for r in role_definitions if r['roleName'] == self.kwargs['user_role']][0]
    
        self.kwargs.update({
            'officer_role_id': officer_role_def['id'],
            'user_role_id': user_role_def['id']
        })
    
        with mock.patch('azure.cli.command_modules.keyvault.custom.gen_guid', side_effect=self.create_guid):
            # user1 + role1/role2
            role_assignment1 = self.cmd('keyvault role assignment create --id {hsm_url} --role "{officer_role}" '
                                        '--assignee {user1}@{domain} --scope keys',
                                        checks=[
                                            self.check('roleDefinitionId', '{officer_role_id}'),
                                            self.check('roleName', '{officer_role}'),
                                            self.check('principalId', '{user1_id}'),
                                            self.check('scope', '/keys')
                                        ]).get_output_in_json()
            self.kwargs['role_assignment_id1'] = role_assignment1['id']
            self.kwargs['role_assignment_name1'] = role_assignment1['name']
    
            role_assignment2 = self.cmd('keyvault role assignment create --hsm-name {hsm_name} --role "{user_role}" '
                                        '--assignee {user1}@{domain} --scope "/"',
                                        checks=[
                                            self.check('roleDefinitionId', '{user_role_id}'),
                                            self.check('roleName', '{user_role}'),
                                            self.check('principalId', '{user1_id}'),
                                            self.check('scope', '/')
                                        ]).get_output_in_json()
            self.kwargs['role_assignment_id2'] = role_assignment2['id']
            self.kwargs['role_assignment_name2'] = role_assignment2['name']
    
            # user2 + role1/role2
            role_assignment3 = self.cmd('keyvault role assignment create --id {hsm_url} --role "{officer_role}" '
                                        '--assignee {user2_id} --scope keys',
                                        checks=[
                                            self.check('roleDefinitionId', '{officer_role_id}'),
                                            self.check('roleName', '{officer_role}'),
                                            self.check('principalId', '{user2_id}'),
                                            self.check('scope', '/keys')
                                        ]).get_output_in_json()
            self.kwargs['role_assignment_id3'] = role_assignment3['id']
            self.kwargs['role_assignment_name3'] = role_assignment3['name']
    
            self.cmd('keyvault role assignment create --id {hsm_url} --role "{user_role}" '
                     '--assignee-object-id {user2_id} --scope "/"',
                     checks=[
                         self.check('roleDefinitionId', '{user_role_id}'),
                         self.check('roleName', '{user_role}'),
                         self.check('principalId', '{user2_id}'),
                         self.check('scope', '/')
                     ]).get_output_in_json()
    
        time.sleep(100)
    
        # list all (including this one: assignee=administrator,role=Administrator, scope=/)
        self.cmd('keyvault role assignment list --id {hsm_url}', checks=self.check('length(@)', 5))
    
        # list by scope
>       self.cmd('keyvault role assignment list --id {hsm_url} --scope keys', checks=self.check('length(@)', 2))

src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:891: 
src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in __init__
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:677: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/__init__.py:820: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:789: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:335: in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/keyvault/_command_type.py:135: in keyvault_command_handler
    return keyvault_exception_handler(ex)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

ex = CannotOverwriteExistingCassetteException("Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/c...tchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']\nMatchers failed :\n")

    def keyvault_exception_handler(ex):
        from msrest.exceptions import ValidationError, ClientRequestError
        if isinstance(ex, ValidationError):
            try:
                raise CLIError(ex.inner_exception.error.message)
            except AttributeError:
                raise CLIError(ex)
        elif isinstance(ex, ClientRequestError):
            if 'Failed to establish a new connection' in str(ex.inner_exception):
                instance_type = 'Vault'
                if 'managedhsm' in str(ex.inner_exception):
                    instance_type = 'HSM'
                raise CLIError('Max retries exceeded attempting to connect to {instance_type}. '
                               'The {instance_type} may not exist or you may need to flush your DNS cache '
                               'and try again later.'.format(instance_type=instance_type))
            raise CLIError(ex)
        else:
>           raise CLIError(ex)
E           knack.util.CLIError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/recordings/test_keyvault_hsm_role.yaml') in your current record mode ('once').
E           No match for the request (<Request (GET) https://clitesthsmrole000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>) was found.
E           Found 4 similar requests with 0 different matcher(s) :
E           
E           1 - (<Request (GET) https://clitesthsmrole000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           2 - (<Request (GET) https://clitesthsmrole000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           3 - (<Request (GET) https://clitesthsmrole000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           4 - (<Request (GET) https://clitesthsmrole000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :

src/azure-cli/azure/cli/command_modules/keyvault/_command_type.py:49: CLIError
azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:806
❌3.13
Type Test Case Error Message Line
Failed test_keyvault_hsm_role (same error as 3.12 above)
azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py:806
✔️ Passed (latest: 3.12, 3.13): lab, managedservices, maps, marketplaceordering, monitor, mysql, netappfiles
❌network
❌latest
❌3.12
Type Test Case Error Message Line
Failed test_network_app_gateway_ssl_cert_managed_hsm self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f5ec211eed0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f5ecaf80530>
command = 'keyvault role assignment create --hsm-name clihsm000002 --role "Managed HSM Crypto User" --assignee 59dcd2ad-5232-4a4c-8ff5-98cfa482f0f4 --scope /keys'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/__init__.py:157: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^

ex = CLIError(CannotOverwriteExistingCassetteException("Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cl...chers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']\nMatchers failed :\n"))
args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.network.tests.latest.test_network_commands.NetworkAppGatewaySslCertManagedHsmScenarioTest testMethod=test_network_app_gateway_ssl_cert_managed_hsm>
resource_group = 'cli_test_ag_ssl_cert_hsm000001'

    @ResourceGroupPreparer(name_prefix='cli_test_ag_ssl_cert_hsm', location='uksouth')
    def test_network_app_gateway_ssl_cert_managed_hsm(self, resource_group):
        logged_in_user = self.cmd('ad signed-in-user show').get_output_in_json()
        init_admin = logged_in_user['id'] if logged_in_user is not None else ''
    
        self.kwargs.update({
            'ag': 'ag-hsm-test',
            'ip': 'pip-hsm-test',
            'identity': 'id-hsm-test',
            'hsm_name': self.create_random_name('clihsm', 24),
            'init_admin': init_admin,
            'cert_name': 'hsmSslCert',
            'cert_name2': 'hsmSslCert2',
        })
    
        # create managed identity
        identity_result = self.cmd('identity create -g {rg} -n {identity}').get_output_in_json()
        self.kwargs['identity_id'] = identity_result['id']
        self.kwargs['identity_principal'] = identity_result['principalId']
    
        # create Managed HSM
        self.cmd('keyvault create --hsm-name {hsm_name} -g {rg} -l uksouth '
                 '--administrators {init_admin} --retention-days 7')
    
        # activate HSM by downloading security domain
        cert_dir = os.path.join(TEST_DIR, 'certs')
        tmp_dir = tempfile.mkdtemp()
        self.kwargs.update({
            'sd_cert0': os.path.join(cert_dir, 'cert_0.cer').replace('\\', '\\\\'),
            'sd_cert1': os.path.join(cert_dir, 'cert_1.cer').replace('\\', '\\\\'),
            'sd_cert2': os.path.join(cert_dir, 'cert_2.cer').replace('\\', '\\\\'),
            'security_domain': os.path.join(tmp_dir, 'sd.json').replace('\\', '\\\\'),
        })
        self.cmd('keyvault security-domain download --hsm-name {hsm_name} '
                 '--sd-wrapping-keys {sd_cert0} {sd_cert1} {sd_cert2} '
                 '--sd-quorum 2 --security-domain-file {security_domain}')
    
        # grant signed-in user and identity access to create keys in HSM
        from unittest import mock
        with mock.patch('azure.cli.command_modules.keyvault.custom.gen_guid', side_effect=self.create_guid):
            self.cmd('keyvault role assignment create --hsm-name {hsm_name} '
                     '--role "Managed HSM Crypto User" '
                     '--assignee {init_admin} --scope /keys')
>           self.cmd('keyvault role assignment create --hsm-name {hsm_name} '
                     '--role "Managed HSM Crypto User" '
                     '--assignee {identity_principal} --scope /keys')

src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py:1446: 
 
 
 
 
                                    
src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in __init__
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:677: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/__init__.py:820: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:789: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:335: in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/keyvault/_command_type.py:135: in keyvault_command_handler
    return keyvault_exception_handler(ex)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 
 
 
 
 
                                 _ 

ex = CannotOverwriteExistingCassetteException("Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/c...tchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']\nMatchers failed :\n")

    def keyvault_exception_handler(ex):
        from msrest.exceptions import ValidationError, ClientRequestError
        if isinstance(ex, ValidationError):
            try:
                raise CLIError(ex.inner_exception.error.message)
            except AttributeError:
                raise CLIError(ex)
        elif isinstance(ex, ClientRequestError):
            if 'Failed to establish a new connection' in str(ex.inner_exception):
                instance_type = 'Vault'
                if 'managedhsm' in str(ex.inner_exception):
                    instance_type = 'HSM'
                raise CLIError('Max retries exceeded attempting to connect to {instance_type}. '
                               'The {instance_type} may not exist or you may need to flush your DNS cache '
                               'and try again later.'.format(instance_type=instance_type))
            raise CLIError(ex)
        else:
>           raise CLIError(ex)
E           knack.util.CLIError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_network_app_gateway_ssl_cert_managed_hsm.yaml') in your current record mode ('once').
E           No match for the request (<Request (GET) https://clihsm000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>) was found.
E           Found 3 similar requests with 0 different matcher(s) :
E           
E           1 - (<Request (GET) https://clihsm000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           2 - (<Request (GET) https://clihsm000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           3 - (<Request (GET) https://clihsm000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :

src/azure-cli/azure/cli/command_modules/keyvault/_command_type.py:49: CLIError
src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py:1402
❌3.13
Type Test Case Error Message Line
Failed test_network_app_gateway_ssl_cert_managed_hsm self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f1ae43c47c0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f1ae9b32e90>
command = 'keyvault role assignment create --hsm-name clihsm000002 --role "Managed HSM Crypto User" --assignee 59dcd2ad-5232-4a4c-8ff5-98cfa482f0f4 --scope /keys'
expect_failure = False

    def in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.13/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/__init__.py:157: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
                                        

ex = CLIError(CannotOverwriteExistingCassetteException("Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cl...chers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']\nMatchers failed :\n"))
args = (), kwargs = {}

    def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument
        if isinstance(ex, CannotOverwriteExistingCassetteException):
            # This exception usually caused by a no match HTTP request. This is a product error
            # that is caused by change of SDK invocation.
            raise ex
    
>       raise CliExecutionError(ex)
E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command.

src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.network.tests.latest.test_network_commands.NetworkAppGatewaySslCertManagedHsmScenarioTest testMethod=test_network_app_gateway_ssl_cert_managed_hsm>
resource_group = 'cli_test_ag_ssl_cert_hsm000001'

    @ResourceGroupPreparer(name_prefix='cli_test_ag_ssl_cert_hsm', location='uksouth')
    def test_network_app_gateway_ssl_cert_managed_hsm(self, resource_group):
        logged_in_user = self.cmd('ad signed-in-user show').get_output_in_json()
        init_admin = logged_in_user['id'] if logged_in_user is not None else ''
    
        self.kwargs.update({
            'ag': 'ag-hsm-test',
            'ip': 'pip-hsm-test',
            'identity': 'id-hsm-test',
            'hsm_name': self.create_random_name('clihsm', 24),
            'init_admin': init_admin,
            'cert_name': 'hsmSslCert',
            'cert_name2': 'hsmSslCert2',
        })
    
        # create managed identity
        identity_result = self.cmd('identity create -g {rg} -n {identity}').get_output_in_json()
        self.kwargs['identity_id'] = identity_result['id']
        self.kwargs['identity_principal'] = identity_result['principalId']
    
        # create Managed HSM
        self.cmd('keyvault create --hsm-name {hsm_name} -g {rg} -l uksouth '
                 '--administrators {init_admin} --retention-days 7')
    
        # activate HSM by downloading security domain
        cert_dir = os.path.join(TEST_DIR, 'certs')
        tmp_dir = tempfile.mkdtemp()
        self.kwargs.update({
            'sd_cert0': os.path.join(cert_dir, 'cert_0.cer').replace('\\', '\\\\'),
            'sd_cert1': os.path.join(cert_dir, 'cert_1.cer').replace('\\', '\\\\'),
            'sd_cert2': os.path.join(cert_dir, 'cert_2.cer').replace('\\', '\\\\'),
            'security_domain': os.path.join(tmp_dir, 'sd.json').replace('\\', '\\\\'),
        })
        self.cmd('keyvault security-domain download --hsm-name {hsm_name} '
                 '--sd-wrapping-keys {sd_cert0} {sd_cert1} {sd_cert2} '
                 '--sd-quorum 2 --security-domain-file {security_domain}')
    
        # grant signed-in user and identity access to create keys in HSM
        from unittest import mock
        with mock.patch('azure.cli.command_modules.keyvault.custom.gen_guid', side_effect=self.create_guid):
            self.cmd('keyvault role assignment create --hsm-name {hsm_name} '
                     '--role "Managed HSM Crypto User" '
                     '--assignee {init_admin} --scope /keys')
>           self.cmd('keyvault role assignment create --hsm-name {hsm_name} '
                     '--role "Managed HSM Crypto User" '
                     '--assignee {identity_principal} --scope /keys')

src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py:1446: 
 
 
 
 
                                    
src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in __init__
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)
src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute
    raise ex.exception
env/lib/python3.13/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:677: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/__init__.py:820: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:789: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:335: in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/keyvault/_command_type.py:135: in keyvault_command_handler
    return keyvault_exception_handler(ex)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 
 
 
 
 
                                 _ 

ex = CannotOverwriteExistingCassetteException("Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/c...tchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']\nMatchers failed :\n")

    def keyvault_exception_handler(ex):
        from msrest.exceptions import ValidationError, ClientRequestError
        if isinstance(ex, ValidationError):
            try:
                raise CLIError(ex.inner_exception.error.message)
            except AttributeError:
                raise CLIError(ex)
        elif isinstance(ex, ClientRequestError):
            if 'Failed to establish a new connection' in str(ex.inner_exception):
                instance_type = 'Vault'
                if 'managedhsm' in str(ex.inner_exception):
                    instance_type = 'HSM'
                raise CLIError('Max retries exceeded attempting to connect to {instance_type}. '
                               'The {instance_type} may not exist or you may need to flush your DNS cache '
                               'and try again later.'.format(instance_type=instance_type))
            raise CLIError(ex)
        else:
>           raise CLIError(ex)
E           knack.util.CLIError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_network_app_gateway_ssl_cert_managed_hsm.yaml') in your current record mode ('once').
E           No match for the request (<Request (GET) https://clihsm000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>) was found.
E           Found 3 similar requests with 0 different matcher(s) :
E           
E           1 - (<Request (GET) https://clihsm000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           2 - (<Request (GET) https://clihsm000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :
E           
E           3 - (<Request (GET) https://clihsm000002.managedhsm.azure.net/keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher']
E           Matchers failed :

src/azure-cli/azure/cli/command_modules/keyvault/_command_type.py:49: CLIError
src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py:1402
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.13
️✔️postgresql
️✔️latest
️✔️3.12
️✔️3.13
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.13
️✔️profile
️✔️latest
️✔️3.12
️✔️3.13
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
️✔️relay
️✔️latest
️✔️3.12
️✔️3.13
️✔️resource
️✔️latest
️✔️3.12
️✔️3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
️✔️search
️✔️latest
️✔️3.12
️✔️3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.13
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.13
️✔️sql
️✔️latest
️✔️3.12
️✔️3.13
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.13
️✔️storage
️✔️latest
️✔️3.12
️✔️3.13
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.13
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
️✔️vm
️✔️latest
️✔️3.12
️✔️3.13

@azure-client-tools-bot-prd

azure-client-tools-bot-prd Bot commented May 28, 2026

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

Copilot AI linked an issue May 28, 2026 that may be closed by this pull request
Copilot AI changed the title [WIP] Fix az cli access denial for RBAC assignment [KeyVault] Fix az keyvault role assignment create/list AccessDenied when caller lacks root-scope permissions May 28, 2026
Copilot finished work on behalf of a0x1ab May 28, 2026 10:04
Copilot AI requested a review from a0x1ab May 28, 2026 10:04
@yonzhan
Collaborator

yonzhan commented May 28, 2026

KeyVault

Successfully merging this pull request may close these issues.

az cli fails to perform RBAC assignment even with proper privileges