Add az role deny-assignment create/delete commands (user-assigned deny assignments)

[jruttle]

Description

Adds az role deny-assignment create and az role deny-assignment delete commands for managing user-assigned deny assignments, matching the existing az role assignment pattern.

This implements the PUT/DELETE operations added in the Microsoft.Authorization/denyAssignments API (2024-07-01-preview), as specified in TypeSpec PR #41617.

Two Assignment Modes

The create command supports two modes for targeting principals:

Everyone mode (default): Denies all principals at the scope. At least one excluded principal is required via --exclude-principal-ids:

az role deny-assignment create --name "DenyAll" --scope /subscriptions/{sub} \
    --actions "Microsoft.Compute/virtualMachines/delete" \
    --exclude-principal-ids {your-object-id}

Per-principal mode: Denies a specific User or ServicePrincipal via --principal-id and --principal-type:

az role deny-assignment create --name "DenyUser" --scope /subscriptions/{sub} \
    --actions "Microsoft.Compute/virtualMachines/delete" \
    --principal-id {user-object-id} --principal-type User

Service Constraints

User-assigned deny assignments have specific restrictions enforced by the service:

• Group principals are not permitted — only User or ServicePrincipal
• No DataActions — only Actions/NotActions are supported
• No Read actions — actions like */read are not permitted
• No DoNotApplyToChildScopes — this property is not supported
• Single principal per UADA — one principal per deny assignment (enforced by backend)

Commands

• az role deny-assignment list — List deny assignments (existing, enhanced)
• az role deny-assignment show — Show a deny assignment (existing, enhanced)
• az role deny-assignment create — Create a user-assigned deny assignment
• az role deny-assignment delete — Delete a user-assigned deny assignment

Files Changed

• commands.py — Command registration for role deny-assignment group
• custom.py — Business logic with dual-mode principal handling and validation
• _params.py — Parameter definitions including --principal-id and --principal-type
• _help.py — Help text with examples for both Everyone and per-principal modes
• linter_exclusions.yml — Exclusions for long parameter names
• tests/latest/test_deny_assignment.py — Unit tests (list, show, CRUD, per-principal, Group rejection, param validation)

Dependency

Note: The create and delete operations depend on the Python SDK PR azure-sdk-for-python#46223 being merged first. The current azure-mgmt-authorization 5.0.0b1 package does not include the create or delete methods. Once the SDK PR merges and a new package version is released, this PR's SDK reference should be updated accordingly.

Testing

Tests are included in test_deny_assignment.py. Full end-to-end testing requires:

1. A subscription with the Microsoft.Authorization/SubscriptionAllowedToOperateUserAssignedDenyAssignment feature flag registered
2. The updated Python SDK with create/delete support

Related

• TypeSpec PR: azure-rest-api-specs#41617 (merged)
• Python SDK auto-gen PR: azure-sdk-for-python#46223 (awaiting review)
• Go SDK auto-gen PR: azure-sdk-for-go#26544 (awaiting review)
• Java SDK auto-gen PR: azure-sdk-for-java#48751 (awaiting review)
• JS SDK auto-gen PR: azure-sdk-for-js#38079 (awaiting review)
• PowerShell PR: azure-powershell#29340 (merged ✅)

[azure-client-tools-bot-prd]

❌AzureCLI-FullTest

🔄acr

🔄latest

🔄3.12

🔄3.13

🔄acs

🔄latest

🔄3.12

🔄3.13

️✔️advisor

️✔️latest

️✔️3.12

️✔️3.13

❌ams

❌latest

❌3.12

Type	Test Case	Error Message	Line
Failed	test_ams_sp_create_reset	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f7e695241d0> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f7e6afd7080> command = 'ams account sp create -a ams000003 -n ams000003-access-sp -g clitest.rg000001 -p spp1!000004 --role Owner' expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.12/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/patches.py:33: in handle_main_exception     raise ex env/lib/python3.12/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:812: in run_job     return cmd_copy.exception_handler(ex)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/ams/exception_handler.py:16: in ams_exception_handler     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/ams/operations/sp.py:94: in create_or_update_assign_sp_to_mediaservice     assign_role(cmd, entity_name_string="role assignment", role=role, sp_oid=sp_oid, scope=ams.id) src/azure-cli/azure/cli/command_modules/ams/operations/sp.py:245: in inner     return func(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/ams/operations/sp.py:302: in assign_role     assignments = list_role_assignments(cmd, sp_oid, scope)                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/ams/operations/sp.py:150: in list_role_assignments     assignments = search_role_assignments(assignments_client, assignee_object_id)                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/ams/operations/sp.py:296: in search_role_assignments     assignments = list(assignments_client.list_for_subscription(filter=f))                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/paging.py:136: in next     return next(self.page_iterator)            ^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/paging.py:82: in next     self.response = self.get_next(self.continuation_token)                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/mgmt/authorization/operations/operations.py:10304: in get_next     pipeline_response: PipelineResponse = self.client.pipeline.run(  # pylint: disable=protected-access env/lib/python3.12/site-packages/azure/core/pipeline/base.py:242: in run     return first_node.send(pipeline_request)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/mgmt/core/policies/base.py:95: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/policies/redirect.py:205: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/policies/retry.py:545: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/policies/authentication.py:194: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/base.py:130: in send     self.sender.send(request.http_request, **request.context.options),     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/azure/core/pipeline/transport/requests_basic.py:375: in send     response = self.session.request(  # type: ignore env/lib/python3.12/site-packages/requests/sessions.py:592: in request     resp = self.send(prep, **send_kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/requests/sessions.py:706: in send     r = adapter.send(request, **kwargs)         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.12/site-packages/requests/adapters.py:645: in send     resp = conn.urlopen( env/lib/python3.12/site-packages/urllib3/connectionpool.py:787: in urlopen     response = self.make_request( env/lib/python3.12/site-packages/urllib3/connectionpool.py:534: in make_request     response = conn.getresponse()                ^^^^^^^^^^^^^^^^^^                                          self = <VCRRequestsHTTPSConnection/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/ams/tests/latest/recordings/test_ams_sp_create_reset.yaml(host='management.azure.com', port=443) at 0x7f7e68de5f40>  = False, kwargs = {}     def getresponse(self, =False, **kwargs):         """Retrieve the response"""         # Check to see if the cassette has a response for this request. If so,         # then return it         if self.cassette.can_play_response_for(self.vcr_request):             log.info(f"Playing response for {self.vcr_request} from cassette")             response = self.cassette.play_response(self.vcr_request)             return VCRHTTPResponse(response)         else:             if self.cassette.write_protected and self.cassette.filter_request(self.vcr_request): >               raise CannotOverwriteExistingCassetteException(                     cassette=self.cassette,                     failed_request=self.vcr_request,                 ) E               vcr.errors.CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/ams/tests/latest/recordings/test_ams_sp_create_reset.yaml') in your current record mode ('once'). E               No match for the request (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20%2727e628bb-89e7-44f6-9193-9c3d4955dcff%27>)&nbsp;was&nbsp;found. E               Found 2 similar requests with 0 different matcher(s) : E                E               1 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20'27e628bb-89e7-44f6-9193-9c3d4955dcff'>). E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher'] E               Matchers failed : E                E               2 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20'27e628bb-89e7-44f6-9193-9c3d4955dcff'>). E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher'] E               Matchers failed : env/lib/python3.12/site-packages/vcr/stubs/init.py:277: CannotOverwriteExistingCassetteException During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.ams.tests.latest.test_ams_sp_scenarios.AmsSpTests testMethod=test_ams_sp_create_reset> resource_group = 'clitest.rg000001' storage_account_for_create = 'clitest000002'     @ResourceGroupPreparer()     @StorageAccountPreparer(parameter_name='storage_account_for_create')     @AllowLargeResponse()     def test_ams_sp_create_reset(self, resource_group, storage_account_for_create):         with mock.patch('azure.cli.command_modules.ams.operations.sp.gen_guid', side_effect=self.create_guid):             amsname = self.create_random_name(prefix='ams', length=12)                  self.kwargs.update({                 'amsname': amsname,                 'storageAccount': storage_account_for_create,                 'location': 'westus2'             })                  self.cmd('az ams account create -n {amsname} -g {rg} --storage-account {storageAccount} -l {location}', checks=[                 self.check('name', '{amsname}'),                 self.check('location', 'West US 2')             ])                  spPassword = self.create_random_name(prefix='spp1!', length=16)             spNewPassword = self.create_random_name(prefix='spp1!', length=16)                  self.kwargs.update({                 'spName': '{}-access-sp'.format(amsname),                 'spPassword': spPassword,                 'spNewPassword': spNewPassword,                 'role': 'Owner'             })                  try: >               spjson = self.cmd('az ams account sp create -a {amsname} -n {spName} -g {rg} -p {spPassword} --role {role}', checks=[                     self.check('AadSecretFriendlyName', '{spPassword}'),                     self.check('ResourceGroup', '{rg}'),                     self.check('AccountName', '{amsname}'),                     self.check('Role', '{role}')                 ]).get_output_in_json() src/azure-cli/azure/cli/command_modules/ams/tests/latest/test_ams_sp_scenarios.py:42:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)                                          self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f7e695241d0> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f7e6afd7080> command = 'ams account sp create -a ams000003 -n ams000003-access-sp -g clitest.rg000001 -p spp1!000004 --role Owner' expect_failure = False     def _in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails.             self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0             self.output = stdout_buf.getvalue()             self.applog = logging_buf.getvalue()              except CannotOverwriteExistingCassetteException as ex: >           raise AssertionError(ex) E           AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/ams/tests/latest/recordings/test_ams_sp_create_reset.yaml') in your current record mode ('once'). E           No match for the request (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20%2727e628bb-89e7-44f6-9193-9c3d4955dcff%27>)&nbsp;was&nbsp;found. E           Found 2 similar requests with 0 different matcher(s) : E            E           1 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20'27e628bb-89e7-44f6-9193-9c3d4955dcff'>). E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher'] E           Matchers failed : E            E           2 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20'27e628bb-89e7-44f6-9193-9c3d4955dcff'>). E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher'] E           Matchers failed : src/azure-cli-testsdk/azure/cli/testsdk/base.py:308: AssertionError	azure/cli/command_modules/ams/tests/latest/test_ams_sp_scenarios.py:12

❌3.13

Type	Test Case	Error Message	Line
Failed	test_ams_sp_create_reset	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f44f7ee1a90> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f44fdb36850> command = 'ams account sp create -a ams000003 -n ams000003-access-sp -g clitest.rg000001 -p spp1!000004 --role Owner' expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.13/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/patches.py:33: in handle_main_exception     raise ex env/lib/python3.13/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:812: in run_job     return cmd_copy.exception_handler(ex)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/ams/exception_handler.py:16: in ams_exception_handler     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/ams/operations/sp.py:94: in create_or_update_assign_sp_to_mediaservice     assign_role(cmd, entity_name_string="role assignment", role=role, sp_oid=sp_oid, scope=ams.id) src/azure-cli/azure/cli/command_modules/ams/operations/sp.py:245: in inner     return func(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/ams/operations/sp.py:302: in assign_role     assignments = list_role_assignments(cmd, sp_oid, scope)                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/ams/operations/sp.py:150: in list_role_assignments     assignments = search_role_assignments(assignments_client, assignee_object_id)                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/ams/operations/sp.py:296: in search_role_assignments     assignments = list(assignments_client.list_for_subscription(filter=f))                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/paging.py:136: in next     return next(self.page_iterator)            ^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/paging.py:82: in next     self.response = self.get_next(self.continuation_token)                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/mgmt/authorization/operations/operations.py:10304: in get_next     pipeline_response: PipelineResponse = self.client.pipeline.run(  # pylint: disable=protected-access env/lib/python3.13/site-packages/azure/core/pipeline/base.py:242: in run     return first_node.send(pipeline_request)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/mgmt/core/policies/base.py:95: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/policies/redirect.py:205: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/policies/retry.py:545: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/policies/authentication.py:194: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send     response = self.next.send(request)                ^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/base.py:130: in send     self.sender.send(request.http_request, **request.context.options),     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/azure/core/pipeline/transport/requests_basic.py:375: in send     response = self.session.request(  # type: ignore env/lib/python3.13/site-packages/requests/sessions.py:592: in request     resp = self.send(prep, **send_kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/requests/sessions.py:706: in send     r = adapter.send(request, **kwargs)         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ env/lib/python3.13/site-packages/requests/adapters.py:645: in send     resp = conn.urlopen( env/lib/python3.13/site-packages/urllib3/connectionpool.py:787: in urlopen     response = self.make_request( env/lib/python3.13/site-packages/urllib3/connectionpool.py:534: in make_request     response = conn.getresponse()                ^^^^^^^^^^^^^^^^^^                                          self = <VCRRequestsHTTPSConnection/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/ams/tests/latest/recordings/test_ams_sp_create_reset.yaml(host='management.azure.com', port=443) at 0x7f44f7add320>  = False, kwargs = {}     def getresponse(self, =False, **kwargs):         """Retrieve the response"""         # Check to see if the cassette has a response for this request. If so,         # then return it         if self.cassette.can_play_response_for(self.vcr_request):             log.info(f"Playing response for {self.vcr_request} from cassette")             response = self.cassette.play_response(self.vcr_request)             return VCRHTTPResponse(response)         else:             if self.cassette.write_protected and self.cassette.filter_request(self.vcr_request): >               raise CannotOverwriteExistingCassetteException(                     cassette=self.cassette,                     failed_request=self.vcr_request,                 ) E               vcr.errors.CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/mnt/vss/work/1/s/src/azure-cli/azure/cli/command_modules/ams/tests/latest/recordings/test_ams_sp_create_reset.yaml') in your current record mode ('once'). E               No match for the request (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20%2727e628bb-89e7-44f6-9193-9c3d4955dcff%27>)&nbsp;was&nbsp;found. E               Found 2 similar requests with 0 different matcher(s) : E                E               1 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20'27e628bb-89e7-44f6-9193-9c3d4955dcff'>). E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher'] E               Matchers failed : E                E               2 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20'27e628bb-89e7-44f6-9193-9c3d4955dcff'>). E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', 'custom_request_query_matcher'] E               Matchers failed : env/lib/python3.13/site-packages/vcr/stubs/init.py:277: CannotOverwriteExistingCassetteException During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.ams.tests.latest.test_ams_sp_scenarios.AmsSpTests testMethod=test_ams_sp_create_reset> resource_group = 'clitest.rg000001' storage_account_for_create = 'clitest000002'     @ResourceGroupPreparer()     @StorageAccountPreparer(parameter_name='storage_account_for_create')     @AllowLargeResponse()     def test_ams_sp_create_reset(self, resource_group, storage_account_for_create):         with mock.patch('azure.cli.command_modules.ams.operations.sp.gen_guid', side_effect=self.create_guid):             amsname = self.create_random_name(prefix='ams', length=12)                  self.kwargs.update({                 'amsname': amsname,                 'storageAccount': storage_account_for_create,                 'location': 'westus2'             })                  self.cmd('az ams account create -n {amsname} -g {rg} --storage-account {storageAccount} -l {location}', checks=[                 self.check('name', '{amsname}'),                 self.check('location', 'West US 2')             ])                  spPassword = self.create_random_name(prefix='spp1!', length=16)             spNewPassword = self.create_random_name(prefix='spp1!', length=16)                  self.kwargs.update({                 'spName': '{}-access-sp'.format(amsname),                 'spPassword': spPassword,                 'spNewPassword': spNewPassword,                 'role': 'Owner'             })                  try: >               spjson = self.cmd('az ams account sp create -a {amsname} -n {spName} -g {rg} -p {spPassword} --role {role}', checks=[                     self.check('AadSecretFriendlyName', '{spPassword}'),                     self.check('ResourceGroup', '{rg}'),                     self.check('AccountName', '{amsname}'),                     self.check('Role', '{role}')                 ]).get_output_in_json() src/azure-cli/azure/cli/command_modules/ams/tests/latest/test_ams_sp_scenarios.py:42:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)                                          self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f44f7ee1a90> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f44fdb36850> command = 'ams account sp create -a ams000003 -n ams000003-access-sp -g clitest.rg000001 -p spp1!000004 --role Owner' expect_failure = False     def _in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails.             self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0             self.output = stdout_buf.getvalue()             self.applog = logging_buf.getvalue()              except CannotOverwriteExistingCassetteException as ex: >           raise AssertionError(ex) E           AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/ams/tests/latest/recordings/test_ams_sp_create_reset.yaml') in your current record mode ('once'). E           No match for the request (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20%2727e628bb-89e7-44f6-9193-9c3d4955dcff%27>)&nbsp;was&nbsp;found. E           Found 2 similar requests with 0 different matcher(s) : E            E           1 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20'27e628bb-89e7-44f6-9193-9c3d4955dcff'>). E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher'] E           Matchers failed : E            E           2 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId%20eq%20'27e628bb-89e7-44f6-9193-9c3d4955dcff'>). E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path', '_custom_request_query_matcher'] E           Matchers failed : src/azure-cli-testsdk/azure/cli/testsdk/base.py:308: AssertionError	azure/cli/command_modules/ams/tests/latest/test_ams_sp_scenarios.py:12

🔄apim

🔄latest

🔄3.12

🔄3.13

️✔️appconfig

️✔️latest

️✔️3.12

️✔️3.13

️✔️appservice

️✔️latest

️✔️3.12

️✔️3.13

🔄aro

🔄latest

🔄3.12

🔄3.13

️✔️backup

️✔️latest

️✔️3.12

️✔️3.13

️✔️batch

️✔️latest

️✔️3.12

️✔️3.13

️✔️batchai

️✔️latest

️✔️3.12

️✔️3.13

🔄billing

🔄latest

🔄3.12

🔄3.13

️✔️botservice

️✔️latest

️✔️3.12

️✔️3.13

🔄cdn

🔄latest

🔄3.12

🔄3.13

🔄cloud

🔄latest

🔄3.12

🔄3.13

️✔️cognitiveservices

️✔️latest

️✔️3.12

️✔️3.13

️✔️compute_recommender

️✔️latest

️✔️3.12

️✔️3.13

️✔️computefleet

️✔️latest

️✔️3.12

️✔️3.13

️✔️config

️✔️latest

️✔️3.12

️✔️3.13

️✔️configure

️✔️latest

️✔️3.12

️✔️3.13

️✔️consumption

️✔️latest

️✔️3.12

️✔️3.13

️✔️container

️✔️latest

️✔️3.12

️✔️3.13

🔄containerapp

🔄latest

🔄3.12

🔄3.13

️✔️core

️✔️latest

️✔️3.12

️✔️3.13

🔄cosmosdb

🔄latest

🔄3.12

🔄3.13

🔄databoxedge

🔄latest

🔄3.12

🔄3.13

🔄dls

🔄latest

🔄3.12

🔄3.13

️✔️dms

️✔️latest

️✔️3.12

️✔️3.13

🔄eventgrid

🔄latest

🔄3.12

🔄3.13

🔄eventhubs

🔄latest

🔄3.12

🔄3.13

️✔️feedback

️✔️latest

️✔️3.12

️✔️3.13

🔄find

🔄latest

🔄3.12

🔄3.13

️✔️hdinsight

️✔️latest

️✔️3.12

️✔️3.13

🔄identity

🔄latest

🔄3.12

🔄3.13

❌iot

❌latest

❌3.12

Type	Test Case	Error Message	Line
Failed	test_hub_file_upload	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f5a1d29cd10> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f5a20525520> command = 'role assignment create --role "Storage Blob Data Contributor" --assignee "b597ae69-37e9-451e-a22d-1bf80efd5f9f" --sco...0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Storage/storageAccounts/clitest000002"' expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.12/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = TypeError('RoleDefinitionsOperations.list() takes 2 positional arguments but 3 were given') args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception TypeError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.iot.tests.latest.test_iot_commands.IoTHubTest testMethod=test_hub_file_upload> resource_group = 'clitest.rg000001', resource_group_location = 'westus2' storage_account = 'clitest000002'     @AllowLargeResponse()     @ResourceGroupPreparer(location='westus2')     @StorageAccountPreparer()     def test_hub_file_upload(self, resource_group, resource_group_location, storage_account):         from time import sleep         from azure.cli.core.azclierror import UnclassifiedUserFault         hub = self.create_random_name(prefix='cli-file-upload-hub', length=32)         user_identity_name = self.create_random_name(prefix='hub-user-identity', length=32)         rg = resource_group         containerName = self.create_random_name(prefix='iothubcontainer1', length=24)         storageConnectionString = self.get_azurestorage_connectionstring(rg, containerName, storage_account)         identity_based_auth = 'identityBased'         key_based_auth = 'keyBased'         storage_cs_pattern = 'DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;'              # create user-assigned identity         with mock.patch('azure.cli.command_modules.role.custom.gen_guid', side_effect=self.create_guid):             user_identity_obj = self.cmd('identity create -n {0} -g {1}'.format(user_identity_name, rg)).get_output_in_json()         user_identity = user_identity_obj['id']         user_identity_id = user_identity_obj['principalId']              self.cmd('iot hub create -n {0} -g {1}'.format(hub, rg))              # File upload - set to identity based (fail because no identity)         self.cmd('iot hub update -n {0} -g {1} --fc {2} --fcs {3} --fsa {4}'                  .format(hub, rg, containerName, storageConnectionString, identity_based_auth),                  expect_failure=True)              # File upload - set fileupload-identity /user/identity or [system] - fail         self.cmd('iot hub update -n {0} -g {1} --fc {2} --fcs {3} --fsi /test/user/identity'                  .format(hub, rg, containerName, storageConnectionString),                  expect_failure=True)         self.cmd('iot hub update -n {0} -g {1} --fc {2} --fcs {3} --fsi [system]'                  .format(hub, rg, containerName, storageConnectionString),                  expect_failure=True)              # Testing hub update without $default storage endpoint         self.kwargs.update({             'hub': hub,             'rg': rg         })         self.cmd('iot hub update -n {hub} -g {rg} --set "properties.storageEndpoints={{}}"',                  checks=[self.not_exists('properties.storageEndpoints')])         # update with fileUpload args (not container and cstring) should error         with self.assertRaises(UnclassifiedUserFault) as ex:             # configure fileupload SAS TTL             self.cmd('iot hub update -n {hub} -g {rg} --fst 2')         self.assertTrue('This hub has no default storage endpoint' in str(ex.exception))              with self.assertRaises(UnclassifiedUserFault) as ex:             # configure fileupload SAS TTL, with container name             self.cmd('iot hub update -n {0} -g {1} --fst 2 --fc {2}'.format(hub, rg, containerName))         self.assertTrue('This hub has no default storage endpoint' in str(ex.exception))              # update with non-fileupload args should succeed (c2d TTL)         self.cmd('iot hub update -n {hub} -g {rg} --ct 13',                  checks=[self.check('properties.cloudToDevice.defaultTtlAsIso8601', '13:00:00')])         # # --set identity         self.cmd('iot hub update -n {hub} -g {rg} --set identity.type="SystemAssigned"',                  checks=[self.check('identity.type', IdentityType.system_assigned.value)])              # # reset identity for following tests         self.cmd('iot hub identity remove -n {hub} -g {rg} --system',                  checks=[self.check('type', IdentityType.none.value)])              # File upload - add connection string and containername - keybased         updated_hub = self.cmd('iot hub update -n {0} -g {1} --fc {2} --fcs {3}'                                .format(hub, rg, containerName, storageConnectionString)).get_output_in_json()         assert not updated_hub['properties']['storageEndpoints']['$default']['authenticationType']         assert storage_cs_pattern in updated_hub['properties']['storageEndpoints']['$default']['connectionString']         assert updated_hub['properties']['storageEndpoints']['$default']['containerName'] == containerName              updated_hub = self.cmd('iot hub update -n {0} -g {1} --fsa {2}'                                .format(hub, rg, key_based_auth)).get_output_in_json()         assert updated_hub['properties']['storageEndpoints']['$default']['authenticationType'] == key_based_auth         assert storage_cs_pattern in updated_hub['properties']['storageEndpoints']['$default']['connectionString']         assert updated_hub['properties']['storageEndpoints']['$default']['containerName'] == containerName              # Change to identity-based (with no identity) - fail         self.cmd('iot hub update -n {0} -g {1} --fsa identitybased'.format(hub, rg), expect_failure=True)              # change to use a user/identity or system identity - fail         self.cmd('iot hub update -n {0} -g {1} --fsi [system]'.format(hub, rg), expect_failure=True)         self.cmd('iot hub update -n {0} -g {1} --fsi /test/user/identity'.format(hub, rg), expect_failure=True)              # add system identity, assign access to storage account         hub_identity = self.cmd('iot hub identity assign --system -n {0} -g {1}'.format(hub, rg), checks=[             self.check('type', IdentityType.system_assigned.value)         ]).get_output_in_json()['principalId']              storage_role = 'Storage Blob Data Contributor'         storage_id = self.cmd('storage account show -n {0} -g {1}'.format(storage_account, rg)).get_output_in_json()['id']         with mock.patch('azure.cli.command_modules.role.custom.gen_guid', side_effect=self.create_guid): >           self.cmd('role assignment create --role "{0}" --assignee "{1}" --scope "{2}"'.format(storage_role, hub_identity, storage_id)) src/azure-cli/azure/cli/command_modules/iot/tests/latest/test_iot_commands.py:795:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.12/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:198: in create_role_assignment     return create_role_assignment(cmd.cli_ctx, role, object_id, scope=scope, resolve_assignee=False, src/azure-cli/azure/cli/command_modules/role/custom.py:219: in create_role_assignment     role_id = resolve_role_id(role, scope, definitions_client)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:710: in resolve_role_id     role_defs = list(definitions_client.list(scope, "roleName eq '{}'".format(role)))                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                          args = (<azure.mgmt.authorization.operations._operations.RoleDefinitionsOperations object at 0x7f5a1d0de210>, '/subscriptions...est.rg000001/providers/Microsoft.Storage/storageAccounts/clitest000002', "roleName eq 'Storage Blob Data Contributor'") kwargs = {}, merge_span = False, passed_in_parent = None, tracing_options = {} tracing_enabled = False, user_enabled = None     @functools.wraps(func)     def wrapper_use_tracer(*args: Any, **kwargs: Any) -> T:         merge_span = kwargs.pop("merge_span", False)         passed_in_parent = kwargs.pop("parent_span", None)              # If we are already in the span context of a decorated function, don't trace.         if _in_span_context.get():             return func(*args, **kwargs)              # This will be popped in the pipeline or transport runner.         tracing_options: TracingOptions = kwargs.get("tracing_options", {})         tracing_enabled = settings.tracing_enabled()              # User can explicitly disable tracing for this request.         user_enabled = tracing_options.get("enabled")              # If tracing is disabled globally and user didn't explicitly enable it, don't trace.         if user_enabled is False or (not tracing_enabled and user_enabled is None): >           return func(*args, **kwargs)                    ^^^^^^^^^^^^^^^^^^^^^ E           TypeError: RoleDefinitionsOperations.list() takes 2 positional arguments but 3 were given env/lib/python3.12/site-packages/azure/core/tracing/decorator.py:119: TypeError	azure/cli/command_modules/iot/tests/latest/test_iot_commands.py:701
Failed	test_identity_hub	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f5a1d041370> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f5a203d5dc0> command = 'role assignment create --role "Azure Event Hubs Data Sender" --assignee "2513c08b-66af-4cc3-ae78-3c21f7c25c25" --scop...g000001/providers/Microsoft.EventHub/namespaces/ehNamespaceiothubfortest1000009/eventhubs/eventHubiothubfortest000010"' expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.12/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = TypeError('RoleDefinitionsOperations.list() takes 2 positional arguments but 3 were given') args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception TypeError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.iot.tests.latest.test_iot_commands.IoTHubTest testMethod=test_identity_hub> resource_group = 'clitest.rg000001', resource_group_location = 'westus2' storage_account = 'clitest000002'     @AllowLargeResponse()     @ResourceGroupPreparer(location='westus2')     @StorageAccountPreparer()     def test_identity_hub(self, resource_group, resource_group_location, storage_account):         # Test IoT Hub create with identity         from time import sleep              subscription_id = self.get_subscription_id()         rg = resource_group         location = resource_group_location              private_endpoint_type = 'Microsoft.Devices/IoTHubs'         identity_hub = self.create_random_name(prefix='identitytesthub', length=32)         identity_based_auth = 'identityBased'         event_hub_system_identity_endpoint_name = self.create_random_name(prefix='EHSystemIdentityEndpoint', length=32)         event_hub_user_identity_endpoint_name = self.create_random_name(prefix='EHUserIdentityEndpoint', length=32)              containerName = 'iothubcontainer'         storageConnectionString = self.get_azurestorage_connectionstring(rg, containerName, storage_account)         endpoint_name = 'Event1'         endpoint_type = 'EventHub'         storage_cs_pattern = 'DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;'              identity_storage_role = 'Storage Blob Data Contributor'         storage_account_id = self.cmd('storage account show -n {0} -g {1}'.format(storage_account, rg)).get_output_in_json()['id']              # identities         user_identity_names = [             self.create_random_name(prefix='iot-user-identity', length=32),             self.create_random_name(prefix='iot-user-identity', length=32),             self.create_random_name(prefix='iot-user-identity', length=32)         ]              # create user-assigned identity         with mock.patch('azure.cli.command_modules.role.custom.gen_guid', side_effect=self.create_guid):             user_identity_1 = self.cmd('identity create -n {0} -g {1}'.format(user_identity_names[0], rg)).get_output_in_json()['id']             user_identity_2 = self.cmd('identity create -n {0} -g {1}'.format(user_identity_names[1], rg)).get_output_in_json()['id']             user_identity_3 = self.cmd('identity create -n {0} -g {1}'.format(user_identity_names[2], rg)).get_output_in_json()['id']              # create hub with system-assigned identity, user-assigned identity, and assign storage roles         with mock.patch('azure.cli.core.commands.arm.gen_guid', side_effect=self.create_guid):             self.cmd('iot hub create -n {0} -g {1} --sku s1 --location {2} --mintls "1.2" --mi-system-assigned --mi-user-assigned {3} --role "{4}" --scopes "{5}"'                      .format(identity_hub, rg, location, user_identity_1, identity_storage_role, storage_account_id))              hub_props = self.cmd('iot hub show --name {0}'.format(identity_hub), checks=[             self.check('properties.minTlsVersion', '1.2'),             self.check('identity.type', 'SystemAssigned, UserAssigned')]).get_output_in_json()              hub_object_id = hub_props['identity']['principalId']         assert hub_object_id              # Allow time for RBAC and Identity Service         if self.is_live:             sleep(60)              # Test 'az iot hub update' with Identity-based fileUpload         updated_hub = self.cmd('iot hub update -n {0} --fsa {1} --fsi [system] --fcs {2} --fc {3} --fnld 15'                                .format(identity_hub, identity_based_auth, storageConnectionString, containerName)).get_output_in_json()         assert updated_hub['properties']['storageEndpoints']['$default']['authenticationType'] == identity_based_auth         assert updated_hub['properties']['messagingEndpoints']['fileNotifications']['lockDurationAsIso8601'] == '0:00:15'         assert storage_cs_pattern in updated_hub['properties']['storageEndpoints']['$default']['connectionString']         # Test fileupload authentication type settings         # Setting key-based file upload (identity based commands should fail)         updated_hub = self.cmd('iot hub update -n {0} -g {1} --fsa keyBased'.format(identity_hub, rg)).get_output_in_json()         assert updated_hub['properties']['storageEndpoints']['$default']['authenticationType'] == 'keyBased'         updated_hub = self.cmd('iot hub update -n {0} -g {1} --fsi test/user/'.format(identity_hub, rg), expect_failure=True)         updated_hub = self.cmd('iot hub update -n {0} -g {1} --fsi [system]'.format(identity_hub, rg), expect_failure=True)              # Back to identity-based file upload         updated_hub = self.cmd('iot hub update -n {0} -g {1} --fsa {2}'.format(identity_hub, rg, identity_based_auth)).get_output_in_json()         assert updated_hub['properties']['storageEndpoints']['$default']['authenticationType'] == identity_based_auth              # Create EH and link identity >       eh_info = self.create_eventhub_and_link_identity(rg, hub_object_id, [user_identity_1])                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/iot/tests/latest/test_iot_commands.py:515:                                           src/azure-cli/azure/cli/command_modules/iot/tests/latest/test_iot_commands.py:906: in create_eventhub_and_link_identity     self.cmd('role assignment create --role "{0}" --assignee "{1}" --scope "{2}"'.format(role, hub_object_id, eh['id'])) src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.12/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:198: in create_role_assignment     return create_role_assignment(cmd.cli_ctx, role, object_id, scope=scope, resolve_assignee=False, src/azure-cli/azure/cli/command_modules/role/custom.py:219: in create_role_assignment     role_id = resolve_role_id(role, scope, definitions_client)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:710: in resolve_role_id     role_defs = list(definitions_client.list(scope, "roleName eq '{}'".format(role)))                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                          args = (<azure.mgmt.authorization.operations._operations.RoleDefinitionsOperations object at 0x7f5a1d068440>, '/subscriptions...s/ehNamespaceiothubfortest1000009/eventhubs/eventHubiothubfortest000010', "roleName eq 'Azure Event Hubs Data Sender'") kwargs = {}, merge_span = False, passed_in_parent = None, tracing_options = {} tracing_enabled = False, user_enabled = None     @functools.wraps(func)     def wrapper_use_tracer(*args: Any, **kwargs: Any) -> T:         merge_span = kwargs.pop("merge_span", False)         passed_in_parent = kwargs.pop("parent_span", None)              # If we are already in the span context of a decorated function, don't trace.         if _in_span_context.get():             return func(*args, **kwargs)              # This will be popped in the pipeline or transport runner.         tracing_options: TracingOptions = kwargs.get("tracing_options", {})         tracing_enabled = settings.tracing_enabled()              # User can explicitly disable tracing for this request.         user_enabled = tracing_options.get("enabled")              # If tracing is disabled globally and user didn't explicitly enable it, don't trace.         if user_enabled is False or (not tracing_enabled and user_enabled is None): >           return func(*args, **kwargs)                    ^^^^^^^^^^^^^^^^^^^^^ E           TypeError: RoleDefinitionsOperations.list() takes 2 positional arguments but 3 were given env/lib/python3.12/site-packages/azure/core/tracing/decorator.py:119: TypeError	azure/cli/command_modules/iot/tests/latest/test_iot_commands.py:441

❌3.13

Type	Test Case	Error Message	Line
Failed	test_hub_file_upload	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f9ef6f08370> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f9efa1c2710> command = 'role assignment create --role "Storage Blob Data Contributor" --assignee "b597ae69-37e9-451e-a22d-1bf80efd5f9f" --sco...0000-0000-0000-000000000000/resourceGroups/clitest.rg000001/providers/Microsoft.Storage/storageAccounts/clitest000002"' expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.13/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = TypeError('RoleDefinitionsOperations.list() takes 2 positional arguments but 3 were given') args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception TypeError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.iot.tests.latest.test_iot_commands.IoTHubTest testMethod=test_hub_file_upload> resource_group = 'clitest.rg000001', resource_group_location = 'westus2' storage_account = 'clitest000002'     @AllowLargeResponse()     @ResourceGroupPreparer(location='westus2')     @StorageAccountPreparer()     def test_hub_file_upload(self, resource_group, resource_group_location, storage_account):         from time import sleep         from azure.cli.core.azclierror import UnclassifiedUserFault         hub = self.create_random_name(prefix='cli-file-upload-hub', length=32)         user_identity_name = self.create_random_name(prefix='hub-user-identity', length=32)         rg = resource_group         containerName = self.create_random_name(prefix='iothubcontainer1', length=24)         storageConnectionString = self.get_azurestorage_connectionstring(rg, containerName, storage_account)         identity_based_auth = 'identityBased'         key_based_auth = 'keyBased'         storage_cs_pattern = 'DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;'              # create user-assigned identity         with mock.patch('azure.cli.command_modules.role.custom.gen_guid', side_effect=self.create_guid):             user_identity_obj = self.cmd('identity create -n {0} -g {1}'.format(user_identity_name, rg)).get_output_in_json()         user_identity = user_identity_obj['id']         user_identity_id = user_identity_obj['principalId']              self.cmd('iot hub create -n {0} -g {1}'.format(hub, rg))              # File upload - set to identity based (fail because no identity)         self.cmd('iot hub update -n {0} -g {1} --fc {2} --fcs {3} --fsa {4}'                  .format(hub, rg, containerName, storageConnectionString, identity_based_auth),                  expect_failure=True)              # File upload - set fileupload-identity /user/identity or [system] - fail         self.cmd('iot hub update -n {0} -g {1} --fc {2} --fcs {3} --fsi /test/user/identity'                  .format(hub, rg, containerName, storageConnectionString),                  expect_failure=True)         self.cmd('iot hub update -n {0} -g {1} --fc {2} --fcs {3} --fsi [system]'                  .format(hub, rg, containerName, storageConnectionString),                  expect_failure=True)              # Testing hub update without $default storage endpoint         self.kwargs.update({             'hub': hub,             'rg': rg         })         self.cmd('iot hub update -n {hub} -g {rg} --set "properties.storageEndpoints={{}}"',                  checks=[self.not_exists('properties.storageEndpoints')])         # update with fileUpload args (not container and cstring) should error         with self.assertRaises(UnclassifiedUserFault) as ex:             # configure fileupload SAS TTL             self.cmd('iot hub update -n {hub} -g {rg} --fst 2')         self.assertTrue('This hub has no default storage endpoint' in str(ex.exception))              with self.assertRaises(UnclassifiedUserFault) as ex:             # configure fileupload SAS TTL, with container name             self.cmd('iot hub update -n {0} -g {1} --fst 2 --fc {2}'.format(hub, rg, containerName))         self.assertTrue('This hub has no default storage endpoint' in str(ex.exception))              # update with non-fileupload args should succeed (c2d TTL)         self.cmd('iot hub update -n {hub} -g {rg} --ct 13',                  checks=[self.check('properties.cloudToDevice.defaultTtlAsIso8601', '13:00:00')])         # # --set identity         self.cmd('iot hub update -n {hub} -g {rg} --set identity.type="SystemAssigned"',                  checks=[self.check('identity.type', IdentityType.system_assigned.value)])              # # reset identity for following tests         self.cmd('iot hub identity remove -n {hub} -g {rg} --system',                  checks=[self.check('type', IdentityType.none.value)])              # File upload - add connection string and containername - keybased         updated_hub = self.cmd('iot hub update -n {0} -g {1} --fc {2} --fcs {3}'                                .format(hub, rg, containerName, storageConnectionString)).get_output_in_json()         assert not updated_hub['properties']['storageEndpoints']['$default']['authenticationType']         assert storage_cs_pattern in updated_hub['properties']['storageEndpoints']['$default']['connectionString']         assert updated_hub['properties']['storageEndpoints']['$default']['containerName'] == containerName              updated_hub = self.cmd('iot hub update -n {0} -g {1} --fsa {2}'                                .format(hub, rg, key_based_auth)).get_output_in_json()         assert updated_hub['properties']['storageEndpoints']['$default']['authenticationType'] == key_based_auth         assert storage_cs_pattern in updated_hub['properties']['storageEndpoints']['$default']['connectionString']         assert updated_hub['properties']['storageEndpoints']['$default']['containerName'] == containerName              # Change to identity-based (with no identity) - fail         self.cmd('iot hub update -n {0} -g {1} --fsa identitybased'.format(hub, rg), expect_failure=True)              # change to use a user/identity or system identity - fail         self.cmd('iot hub update -n {0} -g {1} --fsi [system]'.format(hub, rg), expect_failure=True)         self.cmd('iot hub update -n {0} -g {1} --fsi /test/user/identity'.format(hub, rg), expect_failure=True)              # add system identity, assign access to storage account         hub_identity = self.cmd('iot hub identity assign --system -n {0} -g {1}'.format(hub, rg), checks=[             self.check('type', IdentityType.system_assigned.value)         ]).get_output_in_json()['principalId']              storage_role = 'Storage Blob Data Contributor'         storage_id = self.cmd('storage account show -n {0} -g {1}'.format(storage_account, rg)).get_output_in_json()['id']         with mock.patch('azure.cli.command_modules.role.custom.gen_guid', side_effect=self.create_guid): >           self.cmd('role assignment create --role "{0}" --assignee "{1}" --scope "{2}"'.format(storage_role, hub_identity, storage_id)) src/azure-cli/azure/cli/command_modules/iot/tests/latest/test_iot_commands.py:795:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.13/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:198: in create_role_assignment     return create_role_assignment(cmd.cli_ctx, role, object_id, scope=scope, resolve_assignee=False, src/azure-cli/azure/cli/command_modules/role/custom.py:219: in create_role_assignment     role_id = resolve_role_id(role, scope, definitions_client)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:710: in resolve_role_id     role_defs = list(definitions_client.list(scope, "roleName eq '{}'".format(role)))                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                          args = (<azure.mgmt.authorization.operations._operations.RoleDefinitionsOperations object at 0x7f9ef650a510>, '/subscriptions...est.rg000001/providers/Microsoft.Storage/storageAccounts/clitest000002', "roleName eq 'Storage Blob Data Contributor'") kwargs = {}, merge_span = False, passed_in_parent = None, tracing_options = {} tracing_enabled = False, user_enabled = None     @functools.wraps(func)     def wrapper_use_tracer(*args: Any, **kwargs: Any) -> T:         merge_span = kwargs.pop("merge_span", False)         passed_in_parent = kwargs.pop("parent_span", None)              # If we are already in the span context of a decorated function, don't trace.         if _in_span_context.get():             return func(*args, **kwargs)              # This will be popped in the pipeline or transport runner.         tracing_options: TracingOptions = kwargs.get("tracing_options", {})         tracing_enabled = settings.tracing_enabled()              # User can explicitly disable tracing for this request.         user_enabled = tracing_options.get("enabled")              # If tracing is disabled globally and user didn't explicitly enable it, don't trace.         if user_enabled is False or (not tracing_enabled and user_enabled is None): >           return func(*args, **kwargs)                    ^^^^^^^^^^^^^^^^^^^^^ E           TypeError: RoleDefinitionsOperations.list() takes 2 positional arguments but 3 were given env/lib/python3.13/site-packages/azure/core/tracing/decorator.py:119: TypeError	azure/cli/command_modules/iot/tests/latest/test_iot_commands.py:701
Failed	test_identity_hub	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f9ef5f8cf50> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f9efa1c0cd0> command = 'role assignment create --role "Azure Event Hubs Data Sender" --assignee "2513c08b-66af-4cc3-ae78-3c21f7c25c25" --scop...g000001/providers/Microsoft.EventHub/namespaces/ehNamespaceiothubfortest1000009/eventhubs/eventHubiothubfortest000010"' expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.13/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = TypeError('RoleDefinitionsOperations.list() takes 2 positional arguments but 3 were given') args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception TypeError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.iot.tests.latest.test_iot_commands.IoTHubTest testMethod=test_identity_hub> resource_group = 'clitest.rg000001', resource_group_location = 'westus2' storage_account = 'clitest000002'     @AllowLargeResponse()     @ResourceGroupPreparer(location='westus2')     @StorageAccountPreparer()     def test_identity_hub(self, resource_group, resource_group_location, storage_account):         # Test IoT Hub create with identity         from time import sleep              subscription_id = self.get_subscription_id()         rg = resource_group         location = resource_group_location              private_endpoint_type = 'Microsoft.Devices/IoTHubs'         identity_hub = self.create_random_name(prefix='identitytesthub', length=32)         identity_based_auth = 'identityBased'         event_hub_system_identity_endpoint_name = self.create_random_name(prefix='EHSystemIdentityEndpoint', length=32)         event_hub_user_identity_endpoint_name = self.create_random_name(prefix='EHUserIdentityEndpoint', length=32)              containerName = 'iothubcontainer'         storageConnectionString = self.get_azurestorage_connectionstring(rg, containerName, storage_account)         endpoint_name = 'Event1'         endpoint_type = 'EventHub'         storage_cs_pattern = 'DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;'              identity_storage_role = 'Storage Blob Data Contributor'         storage_account_id = self.cmd('storage account show -n {0} -g {1}'.format(storage_account, rg)).get_output_in_json()['id']              # identities         user_identity_names = [             self.create_random_name(prefix='iot-user-identity', length=32),             self.create_random_name(prefix='iot-user-identity', length=32),             self.create_random_name(prefix='iot-user-identity', length=32)         ]              # create user-assigned identity         with mock.patch('azure.cli.command_modules.role.custom.gen_guid', side_effect=self.create_guid):             user_identity_1 = self.cmd('identity create -n {0} -g {1}'.format(user_identity_names[0], rg)).get_output_in_json()['id']             user_identity_2 = self.cmd('identity create -n {0} -g {1}'.format(user_identity_names[1], rg)).get_output_in_json()['id']             user_identity_3 = self.cmd('identity create -n {0} -g {1}'.format(user_identity_names[2], rg)).get_output_in_json()['id']              # create hub with system-assigned identity, user-assigned identity, and assign storage roles         with mock.patch('azure.cli.core.commands.arm.gen_guid', side_effect=self.create_guid):             self.cmd('iot hub create -n {0} -g {1} --sku s1 --location {2} --mintls "1.2" --mi-system-assigned --mi-user-assigned {3} --role "{4}" --scopes "{5}"'                      .format(identity_hub, rg, location, user_identity_1, identity_storage_role, storage_account_id))              hub_props = self.cmd('iot hub show --name {0}'.format(identity_hub), checks=[             self.check('properties.minTlsVersion', '1.2'),             self.check('identity.type', 'SystemAssigned, UserAssigned')]).get_output_in_json()              hub_object_id = hub_props['identity']['principalId']         assert hub_object_id              # Allow time for RBAC and Identity Service         if self.is_live:             sleep(60)              # Test 'az iot hub update' with Identity-based fileUpload         updated_hub = self.cmd('iot hub update -n {0} --fsa {1} --fsi [system] --fcs {2} --fc {3} --fnld 15'                                .format(identity_hub, identity_based_auth, storageConnectionString, containerName)).get_output_in_json()         assert updated_hub['properties']['storageEndpoints']['$default']['authenticationType'] == identity_based_auth         assert updated_hub['properties']['messagingEndpoints']['fileNotifications']['lockDurationAsIso8601'] == '0:00:15'         assert storage_cs_pattern in updated_hub['properties']['storageEndpoints']['$default']['connectionString']         # Test fileupload authentication type settings         # Setting key-based file upload (identity based commands should fail)         updated_hub = self.cmd('iot hub update -n {0} -g {1} --fsa keyBased'.format(identity_hub, rg)).get_output_in_json()         assert updated_hub['properties']['storageEndpoints']['$default']['authenticationType'] == 'keyBased'         updated_hub = self.cmd('iot hub update -n {0} -g {1} --fsi test/user/'.format(identity_hub, rg), expect_failure=True)         updated_hub = self.cmd('iot hub update -n {0} -g {1} --fsi [system]'.format(identity_hub, rg), expect_failure=True)              # Back to identity-based file upload         updated_hub = self.cmd('iot hub update -n {0} -g {1} --fsa {2}'.format(identity_hub, rg, identity_based_auth)).get_output_in_json()         assert updated_hub['properties']['storageEndpoints']['$default']['authenticationType'] == identity_based_auth              # Create EH and link identity >       eh_info = self.create_eventhub_and_link_identity(rg, hub_object_id, [user_identity_1])                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/iot/tests/latest/test_iot_commands.py:515:                                           src/azure-cli/azure/cli/command_modules/iot/tests/latest/test_iot_commands.py:906: in create_eventhub_and_link_identity     self.cmd('role assignment create --role "{0}" --assignee "{1}" --scope "{2}"'.format(role, hub_object_id, eh['id'])) src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.13/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:198: in create_role_assignment     return create_role_assignment(cmd.cli_ctx, role, object_id, scope=scope, resolve_assignee=False, src/azure-cli/azure/cli/command_modules/role/custom.py:219: in create_role_assignment     role_id = resolve_role_id(role, scope, definitions_client)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:710: in resolve_role_id     role_defs = list(definitions_client.list(scope, "roleName eq '{}'".format(role)))                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                          args = (<azure.mgmt.authorization.operations._operations.RoleDefinitionsOperations object at 0x7f9ef5f71e50>, '/subscriptions...s/ehNamespaceiothubfortest1000009/eventhubs/eventHubiothubfortest000010', "roleName eq 'Azure Event Hubs Data Sender'") kwargs = {}, merge_span = False, passed_in_parent = None, tracing_options = {} tracing_enabled = False, user_enabled = None     @functools.wraps(func)     def wrapper_use_tracer(*args: Any, **kwargs: Any) -> T:         merge_span = kwargs.pop("merge_span", False)         passed_in_parent = kwargs.pop("parent_span", None)              # If we are already in the span context of a decorated function, don't trace.         if _in_span_context.get():             return func(*args, **kwargs)              # This will be popped in the pipeline or transport runner.         tracing_options: TracingOptions = kwargs.get("tracing_options", {})         tracing_enabled = settings.tracing_enabled()              # User can explicitly disable tracing for this request.         user_enabled = tracing_options.get("enabled")              # If tracing is disabled globally and user didn't explicitly enable it, don't trace.         if user_enabled is False or (not tracing_enabled and user_enabled is None): >           return func(*args, **kwargs)                    ^^^^^^^^^^^^^^^^^^^^^ E           TypeError: RoleDefinitionsOperations.list() takes 2 positional arguments but 3 were given env/lib/python3.13/site-packages/azure/core/tracing/decorator.py:119: TypeError	azure/cli/command_modules/iot/tests/latest/test_iot_commands.py:441

️✔️keyvault

️✔️latest

️✔️3.12

️✔️3.13

️✔️lab

️✔️latest

️✔️3.12

️✔️3.13

️✔️managedservices

️✔️latest

️✔️3.12

️✔️3.13

️✔️maps

️✔️latest

️✔️3.12

️✔️3.13

🔄marketplaceordering

🔄latest

🔄3.12

🔄3.13

🔄monitor

🔄latest

🔄3.12

🔄3.13

️✔️mysql

️✔️latest

️✔️3.12

️✔️3.13

️✔️netappfiles

️✔️latest

️✔️3.12

️✔️3.13

️✔️network

️✔️latest

️✔️3.12

️✔️3.13

️✔️policyinsights

️✔️latest

️✔️3.12

️✔️3.13

🔄postgresql

🔄latest

🔄3.12

🔄3.13

🔄privatedns

🔄latest

🔄3.12

🔄3.13

🔄profile

🔄latest

🔄3.12

🔄3.13

️✔️rdbms

️✔️latest

️✔️3.12

️✔️3.13

️✔️redis

️✔️latest

️✔️3.12

️✔️3.13

️✔️relay

️✔️latest

️✔️3.12

️✔️3.13

🔄resource

🔄latest

🔄3.12

🔄3.13

❌role

❌latest

❌3.12

Type	Test Case	Error Message	Line
Failed	test_deny_assignment_list	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7ff78bbfc470> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7ff791ed2960> command = 'role deny-assignment list', expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.12/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentListTest testMethod=test_deny_assignment_list>     def test_deny_assignment_list(self):         """List deny assignments at the subscription scope.""" >       result = self.cmd('role deny-assignment list').get_output_in_json()                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:19:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.12/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:555: in list_deny_assignments     authorization_client = auth_client_factory(cmd.cli_ctx, scope)                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/client_factory.py:16: in auth_client_factory     return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_AUTHORIZATION, subscription_id=subscription_id)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client     client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id, src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client     credential, subscription_id,  = profile.get_login_credentials( src/azure-cli-core/azure/cli/core/profile.py:342: in get_login_credentials     account = self.get_subscription(subscription_id)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                        _  self = <azure.cli.core._profile.Profile object at 0x7ff78bd67a70> subscription = None     def get_subscription(self, subscription=None):  # take id or name         subscriptions = self.load_cached_subscriptions()         if not subscriptions: >           raise CLIError(_AZ_LOGIN_MESSAGE) E           knack.util.CLIError: Please run 'az login' to setup account. src/azure-cli-core/azure/cli/core/_profile.py:603: CLIError	azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:16
Failed	test_deny_assignment_list_with_filter	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7ff78bd65670> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7ff791f91e50> command = 'role deny-assignment list --filter "atScope()"' expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.12/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentListTest testMethod=test_deny_assignment_list_with_filter>     def test_deny_assignment_list_with_filter(self):         """List deny assignments with OData filter.""" >       result = self.cmd(             'role deny-assignment list --filter "atScope()"'         ).get_output_in_json() src/azure-cli/azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:30:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.12/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:555: in list_deny_assignments     authorization_client = auth_client_factory(cmd.cli_ctx, scope)                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/client_factory.py:16: in auth_client_factory     return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_AUTHORIZATION, subscription_id=subscription_id)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client     client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id, src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client     credential, subscription_id,  = profile.get_login_credentials( src/azure-cli-core/azure/cli/core/profile.py:342: in get_login_credentials     account = self.get_subscription(subscription_id)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                        _  self = <azure.cli.core._profile.Profile object at 0x7ff78b8539b0> subscription = None     def get_subscription(self, subscription=None):  # take id or name         subscriptions = self.load_cached_subscriptions()         if not subscriptions: >           raise CLIError(_AZ_LOGIN_MESSAGE) E           knack.util.CLIError: Please run 'az login' to setup account. src/azure-cli-core/azure/cli/core/_profile.py:603: CLIError	azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:27
Failed	test_deny_assignment_list_with_scope	self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentListTest testMethod=test_deny_assignment_list_with_scope> val = 'role deny-assignment list --scope /subscriptions/{sub}'     def apply_kwargs(self, val):         try: >           return val.format(**self.kwargs)                    ^^^^^^^^^^^^^^^^^^^^^^^^^ E           KeyError: 'sub' src/azure-cli-testsdk/azure/cli/testsdk/base.py:41: KeyError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentListTest testMethod=test_deny_assignment_list_with_scope>     def test_deny_assignment_list_with_scope(self):         """List deny assignments at a specific scope.""" >       self.cmd('role deny-assignment list --scope /subscriptions/{sub}',                  checks=[self.check('type(@)', 'array')]) src/azure-cli/azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:25:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:176: in cmd     command = self.apply_kwargs(command)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^                                          self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentListTest testMethod=test_deny_assignment_list_with_scope> val = 'role deny-assignment list --scope /subscriptions/{sub}'     def _apply_kwargs(self, val):         try:             return val.format(**self.kwargs)         except AttributeError:             return val         except KeyError as ex:             # due to mis-spelled kwarg >           raise KeyError("Key '{}' not found in kwargs. Check spelling and ensure it has been registered."                            .format(ex.args[0])) E           KeyError: "Key 'sub' not found in kwargs. Check spelling and ensure it has been registered." src/azure-cli-testsdk/azure/cli/testsdk/base.py:46: KeyError	azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:22
Failed	test_deny_assignment_show_missing_args	def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.12/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentShowTest testMethod=test_deny_assignment_show_missing_args>     def test_deny_assignment_show_missing_args(self):         """Should fail if neither --id nor --name+--scope are provided."""         with self.assertRaises(SystemExit): >           self.cmd('role deny-assignment show') src/azure-cli/azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:42:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.12/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:362: in handler     show_exception_handler(ex) src/azure-cli-core/azure/cli/core/commands/arm.py:476: in show_exception_handler     raise ex src/azure-cli-core/azure/cli/core/commands/command_operation.py:360: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:568: in show_deny_assignment     authorization_client = auth_client_factory(cmd.cli_ctx, scope)                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/client_factory.py:16: in auth_client_factory     return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_AUTHORIZATION, subscription_id=subscription_id)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client     client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id, src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client     credential, subscription_id,  = profile.get_login_credentials( src/azure-cli-core/azure/cli/core/profile.py:342: in get_login_credentials     account = self.get_subscription(subscription_id)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                        _      def get_subscription(self, subscription=None):  # take id or name         subscriptions = self.load_cached_subscriptions()         if not subscriptions: >           raise CLIError(_AZ_LOGIN_MESSAGE) E           knack.util.CLIError: Please run 'az login' to setup account. src/azure-cli-core/azure/cli/core/_profile.py:603: CLIError	azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:38
Failed	test_create_for_rbac_password_with_assignment	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:156
Failed	test_role_assignment_audits	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:680
Failed	test_role_assignment_create_update	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:553
Failed	test_role_assignment_create_using_principal_type	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:459
Failed	test_role_assignment_scenario	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:322
Failed	test_role_assignment_handle_conflicted_assignments	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:765

❌3.13

Type	Test Case	Error Message	Line
Failed	test_deny_assignment_list	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f3bdc0d8980> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f3bde3e7250> command = 'role deny-assignment list', expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.13/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentListTest testMethod=test_deny_assignment_list>     def test_deny_assignment_list(self):         """List deny assignments at the subscription scope.""" >       result = self.cmd('role deny-assignment list').get_output_in_json()                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:19:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.13/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:555: in list_deny_assignments     authorization_client = auth_client_factory(cmd.cli_ctx, scope)                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/client_factory.py:16: in auth_client_factory     return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_AUTHORIZATION, subscription_id=subscription_id)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client     client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id, src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client     credential, subscription_id,  = profile.get_login_credentials( src/azure-cli-core/azure/cli/core/profile.py:342: in get_login_credentials     account = self.get_subscription(subscription_id)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                        _  self = <azure.cli.core._profile.Profile object at 0x7f3bdf622ba0> subscription = None     def get_subscription(self, subscription=None):  # take id or name         subscriptions = self.load_cached_subscriptions()         if not subscriptions: >           raise CLIError(_AZ_LOGIN_MESSAGE) E           knack.util.CLIError: Please run 'az login' to setup account. src/azure-cli-core/azure/cli/core/_profile.py:603: CLIError	azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:16
Failed	test_deny_assignment_list_with_filter	self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f3bdc0d8980> cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f3bde3e7b10> command = 'role deny-assignment list --filter "atScope()"' expect_failure = False     def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.13/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentListTest testMethod=test_deny_assignment_list_with_filter>     def test_deny_assignment_list_with_filter(self):         """List deny assignments with OData filter.""" >       result = self.cmd(             'role deny-assignment list --filter "atScope()"'         ).get_output_in_json() src/azure-cli/azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:30:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.13/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:555: in list_deny_assignments     authorization_client = auth_client_factory(cmd.cli_ctx, scope)                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/client_factory.py:16: in auth_client_factory     return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_AUTHORIZATION, subscription_id=subscription_id)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client     client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id, src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client     credential, subscription_id,  = profile.get_login_credentials( src/azure-cli-core/azure/cli/core/profile.py:342: in get_login_credentials     account = self.get_subscription(subscription_id)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                        _  self = <azure.cli.core._profile.Profile object at 0x7f3bdc3f7770> subscription = None     def get_subscription(self, subscription=None):  # take id or name         subscriptions = self.load_cached_subscriptions()         if not subscriptions: >           raise CLIError(_AZ_LOGIN_MESSAGE) E           knack.util.CLIError: Please run 'az login' to setup account. src/azure-cli-core/azure/cli/core/_profile.py:603: CLIError	azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:27
Failed	test_deny_assignment_list_with_scope	self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentListTest testMethod=test_deny_assignment_list_with_scope> val = 'role deny-assignment list --scope /subscriptions/{sub}'     def apply_kwargs(self, val):         try: >           return val.format(**self.kwargs)                    ^^^^^^^^^^^^^^^^^^^^^^^^^ E           KeyError: 'sub' src/azure-cli-testsdk/azure/cli/testsdk/base.py:41: KeyError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentListTest testMethod=test_deny_assignment_list_with_scope>     def test_deny_assignment_list_with_scope(self):         """List deny assignments at a specific scope.""" >       self.cmd('role deny-assignment list --scope /subscriptions/{sub}',                  checks=[self.check('type(@)', 'array')]) src/azure-cli/azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:25:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:176: in cmd     command = self.apply_kwargs(command)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^                                          self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentListTest testMethod=test_deny_assignment_list_with_scope> val = 'role deny-assignment list --scope /subscriptions/{sub}'     def _apply_kwargs(self, val):         try:             return val.format(**self.kwargs)         except AttributeError:             return val         except KeyError as ex:             # due to mis-spelled kwarg >           raise KeyError("Key '{}' not found in kwargs. Check spelling and ensure it has been registered."                            .format(ex.args[0])) E           KeyError: "Key 'sub' not found in kwargs. Check spelling and ensure it has been registered." src/azure-cli-testsdk/azure/cli/testsdk/base.py:46: KeyError	azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:22
Failed	test_deny_assignment_show_missing_args	def in_process_execute(self, cli_ctx, command, expect_failure=False):         from io import StringIO         from vcr.errors import CannotOverwriteExistingCassetteException              if command.startswith('az '):             command = command[3:]              stdout_buf = StringIO()         logging_buf = StringIO()         try:             # issue: stderr cannot be redirect in this form, as a result some failure information             # is lost when command fails. >           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:303:                                           env/lib/python3.13/site-packages/knack/cli.py:245: in invoke     exit_code = self.exception_handler(ex)                 ^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/init.py:157: in exception_handler     return handle_exception(ex)            ^^^^^^^^^^^^^^^^^^^^                                          ex = CLIError("Please run 'az login' to setup account."), args = (), kwargs = {}     def handle_main_exception(ex, *args, **kwargs):  # pylint: disable=unused-argument         if isinstance(ex, CannotOverwriteExistingCassetteException):             # This exception usually caused by a no match HTTP request. This is a product error             # that is caused by change of SDK invocation.             raise ex      >       raise CliExecutionError(ex) E       azure.cli.testsdk.exceptions.CliExecutionError: The CLI throws exception CLIError during execution and fails the command. src/azure-cli-testsdk/azure/cli/testsdk/patches.py:35: CliExecutionError During handling of the above exception, another exception occurred: self = <azure.cli.command_modules.role.tests.latest.test_deny_assignment.DenyAssignmentShowTest testMethod=test_deny_assignment_show_missing_args>     def test_deny_assignment_show_missing_args(self):         """Should fail if neither --id nor --name+--scope are provided."""         with self.assertRaises(SystemExit): >           self.cmd('role deny-assignment show') src/azure-cli/azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:42:                                           src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd     return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in init     self.in_process_execute(cli_ctx, command, expect_failure=expect_failure) src/azure-cli-testsdk/azure/cli/testsdk/base.py:315: in in_process_execute     raise ex.exception env/lib/python3.13/site-packages/knack/cli.py:233: in invoke     cmd_result = self.invocation.execute(args)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:677: in execute     raise ex src/azure-cli-core/azure/cli/core/commands/init.py:820: in run_jobs_serially     results.append(self.run_job(expanded_arg, cmd_copy))                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:789: in run_job     result = cmd_copy(params)              ^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/init.py:335: in call     return self.handler(*args, **kwargs)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/command_operation.py:362: in handler     show_exception_handler(ex) src/azure-cli-core/azure/cli/core/commands/arm.py:476: in show_exception_handler     raise ex src/azure-cli-core/azure/cli/core/commands/command_operation.py:360: in handler     return op(**command_args)            ^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/custom.py:568: in show_deny_assignment     authorization_client = auth_client_factory(cmd.cli_ctx, scope)                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli/azure/cli/command_modules/role/client_factory.py:16: in auth_client_factory     return get_mgmt_service_client(cli_ctx, ResourceType.MGMT_AUTHORIZATION, subscription_id=subscription_id)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ src/azure-cli-core/azure/cli/core/commands/client_factory.py:83: in get_mgmt_service_client     client,  = get_mgmt_service_client(cli_ctx, client_type, subscription_id=subscription_id, src/azure-cli-core/azure/cli/core/commands/client_factory.py:234: in get_mgmt_service_client     credential, subscription_id,  = profile.get_login_credentials( src/azure-cli-core/azure/cli/core/profile.py:342: in get_login_credentials     account = self.get_subscription(subscription_id)               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^                                        _      def get_subscription(self, subscription=None):  # take id or name         subscriptions = self.load_cached_subscriptions()         if not subscriptions: >           raise CLIError(_AZ_LOGIN_MESSAGE) E           knack.util.CLIError: Please run 'az login' to setup account. src/azure-cli-core/azure/cli/core/_profile.py:603: CLIError	azure/cli/command_modules/role/tests/latest/test_deny_assignment.py:38
Failed	test_create_for_rbac_password_with_assignment	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:156
Failed	test_role_assignment_audits	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:680
Failed	test_role_assignment_create_update	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:553
Failed	test_role_assignment_create_using_principal_type	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:459
Failed	test_role_assignment_scenario	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:322
Failed	test_role_assignment_handle_conflicted_assignments	The error message is too long, please check the pipeline log for details.	azure/cli/command_modules/role/tests/latest/test_role.py:765

️✔️search

️✔️latest

️✔️3.12

️✔️3.13

️✔️security

️✔️latest

️✔️3.12

️✔️3.13

️✔️servicebus

️✔️latest

️✔️3.12

️✔️3.13

️✔️serviceconnector

️✔️latest

️✔️3.12

️✔️3.13

️✔️servicefabric

️✔️latest

️✔️3.12

️✔️3.13

🔄signalr

🔄latest

🔄3.12

🔄3.13

️✔️sql

️✔️latest

️✔️3.12

️✔️3.13

️✔️sqlvm

️✔️latest

️✔️3.12

️✔️3.13

🔄storage

🔄latest

🔄3.12

🔄3.13

️✔️synapse

️✔️latest

️✔️3.12

️✔️3.13

️✔️telemetry

️✔️latest

️✔️3.12

️✔️3.13

️✔️util

️✔️latest

️✔️3.12

️✔️3.13

🔄vm

🔄latest

🔄3.12

🔄3.13

[azure-client-tools-bot-prd]

⚠️AzureCLI-BreakingChangeTest

⚠️role

rule	cmd_name	rule_message	suggest_message
⚠️ 1011 - SubgroupAdd	role deny-assignment	sub group role deny-assignment added

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[Copilot]

Pull request overview

Adds first-class az role deny-assignment CRUD support (focused on PP1 user-assigned deny assignments) to align with existing role assignment workflows, including command registration, parameters, help, and tests.

Changes:

• Register az role deny-assignment list/show/create/delete commands and add a table transformer for list output.
• Implement deny-assignment list/show/create/delete custom handlers with PP1 validation.
• Add help/params, linter exclusions for long options, and introduce a new deny-assignment test file.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
src/azure-cli/azure/cli/command_modules/role/custom.py	Adds deny-assignment list/show/create/delete implementations and PP1 input validation.
src/azure-cli/azure/cli/command_modules/role/commands.py	Registers new role deny-assignment commands and list table transformer.
src/azure-cli/azure/cli/command_modules/role/_params.py	Defines CLI parameters for deny-assignment commands.
src/azure-cli/azure/cli/command_modules/role/_help.py	Adds help text and examples for the new/updated deny-assignment commands.
src/azure-cli/azure/cli/command_modules/role/linter_exclusions.yml	Excludes option-length lint rules for new long parameter names.
src/azure-cli/azure/cli/command_modules/role/tests/latest/test_deny_assignment.py	Adds scenario/live tests covering list/show and PP1 create/delete validation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

create_deny_assignment builds the request body as a plain dict using snake_case keys (e.g. deny_assignment_name, not_actions, exclude_principals). For mgmt SDK operations, dicts are typically serialized as-is, so the service will receive incorrect field names (it expects camelCase JSON, or a proper SDK model instance). Use the azure-mgmt-authorization model types via get_sdk(..., mod='models') (similar to RoleApiHelper.create_role_assignment) or ensure the payload keys match the service JSON contract exactly.

Suggested change

	'deny_assignment_name': deny_assignment_name,
	'description': description or '',
	'permissions': [{
	'actions': actions or [],
	'not_actions': not_actions or [],
	'data_actions': [],
	'not_data_actions': []
	}],
	'scope': scope,
	'principals': principals,
	'exclude_principals': exclude_principals,
	'is_system_protected': False
	'denyAssignmentName': deny_assignment_name,
	'description': description or '',
	'permissions': [{
	'actions': actions or [],
	'notActions': not_actions or [],
	'dataActions': [],
	'notDataActions': []
	}],
	'scope': scope,
	'principals': principals,
	'excludePrincipals': exclude_principals,
	'isSystemProtected': False

[Copilot]

This calls authorization_client.deny_assignments.create(...), but the repo currently pins azure-mgmt-authorization==5.0.0b1 (which does not include denyAssignments create/delete per the PR description). Without bumping the SDK dependency (or adding a fallback implementation / friendly error), this command will raise AttributeError at runtime.

[Copilot]

Same dependency issue as create: deny_client.delete(...)/delete_by_id(...) will fail at runtime unless the pinned azure-mgmt-authorization version includes these methods. Consider either updating the dependency in this PR or detecting missing methods and raising a clear CLIError instructing users to upgrade.

[Copilot]

deny_assignment_name is defined at the role deny-assignment group level, which makes --name/-n show up for subcommands like list even though list_deny_assignments doesn't accept that parameter. If a user supplies --name on list, the handler will receive an unexpected kwarg and fail. Recommend removing deny_assignment_name from the group context and defining --name only on show/create/delete where it is supported.

Suggested change

	c.argument('deny_assignment_name', options_list=['--name', '-n'],
	help='The display name of the deny assignment.')

[Copilot]

--exclude-principal-types is documented as having accepted values, but the argument doesn't enforce them. To keep validation consistent with role assignment create --assignee-principal-type, use arg_type=get_enum_type([...]) (or an Enum) so invalid values are caught client-side with a clear error.

Suggested change

	c.argument('exclude_principal_types', nargs='+', options_list=['--exclude-principal-types'],
	c.argument('exclude_principal_types', nargs='+', options_list=['--exclude-principal-types'],
	arg_type=get_enum_type(['User', 'Group', 'ServicePrincipal']),

[Copilot]

This file adds ScenarioTest cases for role deny-assignment list that will require a new VCR recording to pass in playback mode, but no corresponding recording YAML is added under tests/latest/recordings. Either add recordings for these scenario tests or convert them to mock-based tests (or LiveScenarioTest if they must be live-only) so CI doesn't fail.

[Copilot]

exclude_id is set to self.create_guid(), which is a random GUID and is unlikely to correspond to a real principal in the tenant. If the denyAssignment API validates excluded principals, this live test will fail reliably. Prefer creating a real principal in the test setup (or using the signed-in user/service principal object id) and passing its object ID here.

Suggested change

	self.kwargs.update({
	'scope': '/subscriptions/{sub}',
	'name': 'CLI Test Deny Assignment',
	'action': 'Microsoft.Authorization/roleAssignments/write',
	# Use a well-known object ID for exclusion (replace with a real SP in your test env)
	'exclude_id': self.create_guid()
	signed_in_user = self.cmd('ad signed-in-user show').get_output_in_json()
	exclude_id = signed_in_user['id']
	self.kwargs.update({
	'scope': '/subscriptions/{sub}',
	'name': 'CLI Test Deny Assignment',
	'action': 'Microsoft.Authorization/roleAssignments/write',
	'exclude_id': exclude_id

[Copilot]

Unused import: from unittest import mock is not used in this test file. Please remove it to keep linting clean.

Suggested change

from unittest import mock

[jruttle]

Bumped azure-mgmt-authorization from 5.0.0b1 → 5.0.0b2 in src/azure-cli/setup.py (commit 20fe3a79).

This picks up the new DenyAssignment management-plane operations (BeginCreateOrUpdate / BeginDelete) that shipped in azure-mgmt-authorization 5.0.0b2 on PyPI today (release request Azure/azure-sdk-for-python#46551, released by @msyyc at 10:30 UTC).

This was the last upstream blocker on this PR — the CLI commands here now have a real published SDK surface to call against. CC for review awareness: prior reviewers / CLI mgmt module owners.

[jruttle]

Follow-up to commit 20fe3a79 — the setup.py bump alone wasn't enough; the CI errors

`ERROR: Cannot install azure-cli==2.85.0 and azure-mgmt-authorization==5.0.0b1 because these package versions have conflicting dependencies.`
`  The user requested azure-mgmt-authorization==5.0.0b1`
`  azure-cli 2.85.0 depends on azure-mgmt-authorization==5.0.0b2`

…showed the platform lock files (requirements.py3.Linux.txt, Darwin.txt, windows.txt) were still pinning the old beta. Now bumped in three follow-up commits:

• Linux: 71adba81
• Darwin: 11394613
• windows: 5c4caa29

CI should now re-run cleanly on the new HEAD.

[jruttle]

/azp run

[azure-pipelines]

Commenter does not have sufficient privileges for PR 33109 in repo Azure/azure-cli

[jruttle]

Hi @yonzhan @isra-fel — could one of you (or anyone with write access) re-trigger the Azure DevOps validation pipelines on this PR?

The two required checks Azure.azure-cli and Azure.azure-cli Full Test are stuck on "Expected — Waiting for status to be reported". They successfully ran when the PR was first opened on 31 March (per the azure-client-tools-bot-prd "Validation for Azure CLI Full Test Starting..." comments), but those statuses are stale because today's four follow-up commits (SDK version bump from 5.0.0b1 → 5.0.0b2 in setup.py + the three platform lock files) advanced HEAD to 5c4caa29, and the AzDO pipelines don't auto-re-trigger on subsequent pushes from a fork.

Either of these comments should kick them off:

• /azp run
• @azure-client-tools-bot-prd run

Background context: the SDK dependency bump unblocks this PR — azure-mgmt-authorization 5.0.0b2 was published to PyPI earlier today (2026-05-07 10:30 UTC) and contains the new DenyAssignment management-plane operations this PR consumes. All GitHub-side checks (azdev-linter, azdev-style, license/cla) are green on the new HEAD.

Thanks!

[yonzhan]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 3 pipeline(s).