Allow role activate #54

Open
1 task done
ozbillwang opened this issue Sep 11, 2024 · 6 comments · May be fixed by #61
enhancement New feature or request

Comments

@ozbillwang

Is your feature request related to a problem? Please describe

No

Describe the solution you'd like

Currently we can activate a group, but not "Microsoft Entra Roles".

[image]

Describe alternatives you've considered

Add a feature to activate a role with a new sub-command, such as

az-pim-cli activate role -n "Group Administrator"

Additional context

No response

@ozbillwang ozbillwang added the enhancement New feature or request label Sep 11, 2024
@ozbillwang
Author

ozbillwang commented Sep 11, 2024

Seems the command role is ready, but not listed in the help.

The only available command is group.

bill in ~  > export PIM_TOKEN=xxxx
bill in ~  > az-pim-cli list role

bill in ~  > az-pim-cli list --help
Query Azure PIM for eligible role assignments

Usage:
  az-pim-cli list [flags]
  az-pim-cli list [command]

Aliases:
  list, l, ls

Available Commands:
  group       Query Azure PIM for eligible group assignments

Flags:
  -h, --help   help for list

Global Flags:
  -c, --config string   config file (default is $HOME/.az-pim-cli.yaml)

Use "az-pim-cli list [command] --help" for more information about a command.

Not sure why I can't list roles.

https://github.com/netr0m/az-pim-cli/blob/main/pkg/utils/main.go#L14

@netr0m
Owner

netr0m commented Oct 7, 2024

@ozbillwang Hi,

Would you be able to test the prerequisite work in #59 for me? I no longer have access to an Azure environment with this kind of PIM setup, and as such am unable to properly test whether the functionality works as it should. The PR (#59) is a breaking change, and thus I'd like to get it verified working before merging to main. Once that is in place, the work for this issue can be started.

To test it, you can do the following:

# Clone the branch for PR #59
git clone -b feature/use-proper-terms --single-branch https://github.com/netr0m/az-pim-cli.git az-pim-cli-v2
cd az-pim-cli-v2

# Build the binary
go build

# Run the binary
./az-pim-cli

See the new README for a usage guide.

If you could test the following, that'd be great!

  • ./az-pim-cli list resources
  • ./az-pim-cli list groups (requires a special token, see the usage guide)
  • ./az-pim-cli activate resource [...]
  • ./az-pim-cli activate group [...]

Thanks!

@ozbillwang
Author

ozbillwang commented Oct 7, 2024

update 1

./az-pim-cli list resources

No resources listed, even though I activated several subscriptions.

./az-pim-cli list groups (requires a special token, see the usage guide)

Works as normal

./az-pim-cli activate resource [...]

No resource I can choose

./az-pim-cli activate group [...]

Works as normal

Update 2

When checking on the Azure Portal, I don't see any resources at "Eligible assignments" either.

[image]

Anything I need to do to see some resources?

But I do see some resources at "Active assignments"

@netr0m
Owner

netr0m commented Oct 8, 2024

Thanks for the quick response!

The subcommand resources (i.e. list resources / activate resource [...]) maps to the Azure resources -> Eligible assignments tab as you showed in the screenshot. If there are no listings there, none should show when running list resources. In other words, the output is expected for your setup. (Some organizations configure "Azure resources" to be just-in-time, while it seems the ones you have access to are "always-on".) For reference, an Azure subscription is typically considered an 'Azure resource', so if it is just-in-time-activated it might appear in that list (under eligible assignments).

As for list groups / activate group [...], thanks! Sounds like that one works as it should.

  • I will try to find someone to verify the list group option before proceeding with merging the PR.

Merged (#59) and released (#60)

@netr0m netr0m linked a pull request Oct 8, 2024 that will close this issue
@netr0m
Owner

netr0m commented Oct 8, 2024

@ozbillwang Hi again,

Would you be able to test this functionality on the dev-branch? It is part of PR #61.

To test it, you can do the following:

# Clone the branch for PR #61
git clone -b feat/entra-roles --single-branch https://github.com/netr0m/az-pim-cli.git az-pim-cli-dev
cd az-pim-cli-dev

# Build the binary
go build

# Run the binary
./az-pim-cli

See the new README for a usage guide.

If you could test the following, that'd be great!

  • ./az-pim-cli list roles (requires a special token, see the usage guide)
  • ./az-pim-cli activate role [...]

Thanks!

@ozbillwang
Author

ozbillwang commented Oct 8, 2024

Yes, I can see the roles now

./az-pim-cli list roles
== account dev ==
	 - Groups Administrator
	 - User Administrator
	 - Application Administrator
	 - Security Reader

But it doesn't work with activate

$ ./az-pim-cli activate role -n "Application Administrator"
2024/10/08 21:31:34 Unable to find a role assignment matching the parameters.

$ ./az-pim-cli activate role -r "Application Administrator"
Error: at least one of the flags in the group [name prefix] is required
Usage:
  az-pim-cli activate role [flags]

Aliases:
  role, rl, role, roles

Flags:
  -h, --help           help for role
  -t, --token string   An access token for the PIM 'Entra Roles' and 'Groups' API (required). Consult the README for more information.

Global Flags:
  -c, --config string          config file (default is $HOME/.az-pim-cli.yaml)
      --dry-run                Display the resource that would be activated, without requesting the activation
  -d, --duration int           Duration in minutes that the role should be activated for (default 480)
  -n, --name string            The name of the resource to activate
  -p, --prefix string          The name prefix of the resource to activate (e.g. 'S399'). Alternative to 'name'.
      --reason string          Reason for the activation (default "config")
  -r, --role string            Specify the role to activate, if multiple roles are found for a resource (e.g. 'Owner' and 'Contributor')
  -T, --ticket-number string   Ticket number for the activation
      --ticket-system string   Ticket system for the activation

Update 1

OK, it seems I ran the wrong command; with the command below I did get something, but still get a 404

./az-pim-cli activate role -n "account dev" -r "Application Administrator" -T "a"
2024/10/08 21:39:18 Activating role 'Application Administrator' for Entra role 'account dev' with reason 'config' (ticket: a [])
2024/10/08 21:39:19 The upstream API responded with status 404 Not Found: {"error":{"code":"RoleNotFound","message":"The role is not found."}}
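The two failures above ("Unable to find a role assignment matching the parameters" for `-n "Application Administrator"`, and the "[name prefix] is required" error for `-r` alone) come from how the activate flags are resolved against the eligible list: `-n`/`-p` select the scope (the "== account dev ==" header from `list roles`), and `-r` picks one role under it. The Go program below is an added illustration of that resolution step, written for this thread; it is not az-pim-cli's code. The `EligibleAssignment`, `Selector`, `SelectAssignment` and `DryRunMessage` names are assumptions, the eligible list is constructed from the `list roles` output in the thread, and the 404 `RoleNotFound` returned by the upstream API after a successful match is outside what it models.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// EligibleAssignment models one row of PIM's "Eligible assignments" list:
// the scope the assignment applies to (the "== account dev ==" header in
// the `list roles` output) and the role name under it. (Assumed type.)
type EligibleAssignment struct {
	Scope string
	Role  string
}

// Selector mirrors the three activate flags shown in the help text:
// -n/--name and -p/--prefix pick the scope, -r/--role picks the role
// when the scope offers more than one. (Assumed type.)
type Selector struct {
	Name   string
	Prefix string
	Role   string
}

// Sentinel errors so a caller can tell "bad flags" from "nothing matched";
// the messages mirror the ones seen in the thread.
var (
	ErrNoSelector = errors.New("at least one of the flags in the group [name prefix] is required")
	ErrNoMatch    = errors.New("unable to find a role assignment matching the parameters")
	ErrAmbiguous  = errors.New("more than one eligible role matches; narrow it down with --role")
)

// SampleEligible is constructed test data mirroring the `list roles` output
// in the thread; nothing here is fetched from an API.
func SampleEligible() []EligibleAssignment {
	return []EligibleAssignment{
		{Scope: "account dev", Role: "Groups Administrator"},
		{Scope: "account dev", Role: "User Administrator"},
		{Scope: "account dev", Role: "Application Administrator"},
		{Scope: "account dev", Role: "Security Reader"},
	}
}

// SelectAssignment resolves the flags against the eligible list. Exactly one
// assignment must remain: activation is a privileged, audited request and
// should never be sent for a guessed target.
func SelectAssignment(eligible []EligibleAssignment, sel Selector) (EligibleAssignment, error) {
	if sel.Name == "" && sel.Prefix == "" {
		return EligibleAssignment{}, ErrNoSelector
	}
	var matches []EligibleAssignment
	for _, a := range eligible {
		if sel.Name != "" && !strings.EqualFold(a.Scope, sel.Name) {
			continue // -n must equal the scope, not the role name
		}
		if sel.Prefix != "" && !strings.HasPrefix(strings.ToLower(a.Scope), strings.ToLower(sel.Prefix)) {
			continue
		}
		if sel.Role != "" && !strings.EqualFold(a.Role, sel.Role) {
			continue
		}
		matches = append(matches, a)
	}
	switch len(matches) {
	case 0:
		return EligibleAssignment{}, ErrNoMatch
	case 1:
		return matches[0], nil
	default:
		return EligibleAssignment{}, ErrAmbiguous
	}
}

// DryRunMessage is what a --dry-run would print instead of calling PIM.
func DryRunMessage(a EligibleAssignment, durationMin int, reason string) string {
	return fmt.Sprintf("Would activate role '%s' for Entra role scope '%s' for %d minutes (reason: %s)",
		a.Role, a.Scope, durationMin, reason)
}

func main() {
	eligible := SampleEligible()
	attempts := []Selector{
		{Name: "Application Administrator"},                      // role name passed as scope: no match
		{Role: "Application Administrator"},                      // no scope selector at all
		{Name: "account dev"},                                    // four roles under the scope: ambiguous
		{Name: "account dev", Role: "Application Administrator"}, // exactly one match
	}
	for _, sel := range attempts {
		a, err := SelectAssignment(eligible, sel)
		if err != nil {
			fmt.Printf("%+v -> error: %v\n", sel, err)
			continue
		}
		fmt.Println(DryRunMessage(a, 480, "config"))
	}
}
```

Running it walks through the same sequence of attempts as the thread: the first two reproduce the two CLI errors, the third shows why `--role` is needed when a scope carries several eligible roles, and only the last produces a dry-run line. Keeping `--dry-run` in front of a real activation is the cheap check that the selector resolved to the intended scope and role before an audited request is sent.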
