traffic-manager endpoint create ignores subscription argument

[fgendc]

Describe the bug

After updating to azure-cli 2.42.0, using a service principal with access to multiple subscriptions, having SUBSCRIPTION_B as the default the active subscription, and a Traffic Manager in SUBSCRIPTION_A the az traffic-manager endpoint create command fails even when using the --subscription argument.

az login --service-principal \
  -p="$AZURE_CLIENT_SECRET" \
  --tenant "$AZURE_TENANT_ID" \
  --username "$AZURE_CLIENT_ID"

az network traffic-manager endpoint create \
  --name "eastus" \
  --resource-group "us-rg-name" \
  --profile-name "traffic-manager-name" \
  --type externalEndpoints \
  --target "X.X.X.X" \
  --endpoint-location "eastus" \
  --endpoint-status Enabled \
  --subscription "SUBSCRIPTION_A"

Same issue was observed in alpine

Command Name
az network traffic-manager endpoint create

Errors:

(AuthorizationFailed) The client '{client_id}' with object id '{client_id}' does not have authorization to perform action 'Microsoft.Network/trafficmanagerprofiles/externalEndpoints/write' over scope '/subscriptions/SUBSCRIPTION_B/resourceGroups/us-rg-name/providers/Microsoft.Network/trafficmanagerprofiles/traffic-manager-name/externalEndpoints/eastus' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed
Message: The client '{client_id}' with object id '{client_id}' does not have authorization to perform action 'Microsoft.Network/trafficmanagerprofiles/externalEndpoints/write' over scope '/subscriptions/SUBSCRIPTION_B/resourceGroups/us-rg-name/providers/Microsoft.Network/trafficmanagerprofiles/traffic-manager-name/externalEndpoints/eastus' or the scope is invalid. If access was recently granted, please refresh your credentials.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

• Update azure-cli to 2.42.0 brew upgrade azure-ci
• Login with a Service Principal with access to multiple subscription
• Active subscripton other than the one with the Traffic Manager
• Create traffic manager endpoint specifying a subscription, as seen in the code snippet above az network traffic-manager endpoint create --name {} --resource-group {} --profile-name {} --type {} --target {} --endpoint-location {} --endpoint-status {} --subscription {}

Expected Behavior

Despite having a different active subscription, command takes the --subscription into account and applies it to the right resource in the right subscription.

Environment Summary

Observed in both macOS and alpine container

macOS-12.6.1-x86_64-i386-64bit, Darwin 21.6.0
Python 3.10.8
Installer: HOMEBREW

azure-cli 2.42.0

Extensions:
azure-firewall 0.12.0
account 0.2.1

Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1

Linux-5.4.0-1078-azure-x86_64-with, Alpine Linux v3.15
Python 3.9.15
Installer: PIP

azure-cli 2.42.0

Additional Context

[yonzhan]

@necusjz for awareness

[benpearson84]

This is also an issue on az network traffic-manager endpoint list, the active subscription is persisted in the GET request to the Azure API even though a different subscription is being passed into the command. Resulting in a 404 Resource Group Not Found.

Appears to have been introduced in version 2.41, as 2.40 is working as expected.

[ognjengrubac-tomtom]

Could someone please react on this? We are not able to use latest az cli version in our pipelines for quite some time.

[jsntcy]

@necusjz, could you please help look at the issue?