[AZINTS-4454] Don't log expected az role assignment list --assignee error #155
Merged
mshvartsberg merged 4 commits on Mar 30, 2026
Base automatically changed from meggan.shvartsberg/azints-4406/removing-lfo-scopes to main on March 27, 2026 18:46
benjjs approved these changes on Mar 27, 2026
| log.error(f"Failed to check if role assignment exists: {e}") | ||
| # Graph lag on list --assignee; omit error log (create path still runs). | ||
| if not ( | ||
| "Cannot find user or service principal in graph database" in str(e) and principal_id in str(e) |
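Review bot: In the `if not (` condition, `principal_id in str(e)` stops constraining the match when `principal_id` is an empty string (an empty string is a substring of every message) and raises TypeError inside the exception handler when it is None. Require a non-empty `principal_id` before the substring test and compute `str(e)` once. The comment above the condition could also say that the match is on the CLI's message text, so a reader knows the ERROR log returns if that wording changes.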
Collaborator
We should import this string from az_shared, mostly to make sure there's a single source of truth in case we need to change it in future.
Motivation
az role assignment list --assignee often fails right after a principal is created because Microsoft Graph has not resolved the assignee yet. That shows up as "Cannot find user or service principal in graph database for '<principal_id>'." The installer already treats a failed existence check as “no assignment” and continues with role assignment create, so this case is expected and non-blocking.

We still logged it at ERROR in two places: execute() always logged failed CLI stderr before raising, and role_exists logged again on catch. This would show an error to the user in the cloud shell / terminal for a non-blocking, benign error. We want to stop this error log.

Changes
execute_cmd.py: If stderr contains the Graph assignee-resolution message, log the failure at DEBUG instead of ERROR, still raise RuntimeError (callers unchanged).
role_setup.py: In role_exists, skip log.error when the caught exception matches the expected Graph-related message and includes the same principal_id; always return False from the handler so assignment creation still runs.

Testing
test_execute_role_list_graph_assignee_logs_debug_not_error in test_execute_cmd.py
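A sketch of the logging behaviour the description above lays out, added here as an example and not the repository's code. The names execute and role_exists and the message text come from the page; is_expected_graph_lag, errors_logged, the injected runner, the logger name and the sample stderr strings are assumptions. The matcher also refuses an empty principal_id, which would otherwise match any message.

```python
import logging
from typing import Optional

log = logging.getLogger("installer_example")  # hypothetical logger name

# One shared constant for the expected Graph message (text quoted on this page).
GRAPH_ASSIGNEE_NOT_FOUND = "Cannot find user or service principal in graph database"

def is_expected_graph_lag(message: str, principal_id: Optional[str] = None) -> bool:
    """True for the Graph assignee-resolution error, optionally tied to one principal."""
    if GRAPH_ASSIGNEE_NOT_FOUND not in message:
        return False
    if principal_id is None:
        return True
    # An empty id is a substring of every message, so it must never count as a match.
    return bool(principal_id) and principal_id in message

def execute(cmd, runner):
    """runner(cmd) -> (returncode, stdout, stderr); failures always raise RuntimeError."""
    returncode, stdout, stderr = runner(cmd)
    if returncode != 0:
        level = logging.DEBUG if is_expected_graph_lag(stderr) else logging.ERROR
        log.log(level, "Command failed: %s", stderr.strip())
        raise RuntimeError(stderr.strip())
    return stdout

def role_exists(principal_id, runner):
    """Any failed check means 'no assignment', so the create path still runs."""
    cmd = ["az", "role", "assignment", "list", "--assignee", principal_id]  # simplified
    try:
        return execute(cmd, runner).strip() not in ("", "[]")
    except RuntimeError as e:
        if not is_expected_graph_lag(str(e), principal_id):
            log.error("Failed to check if role assignment exists: %s", e)
        return False

def errors_logged(stderr, principal_id):
    """Fail the CLI call with constructed stderr; return (result, ERROR-level messages)."""
    seen = []
    handler = logging.Handler(level=logging.ERROR)
    handler.emit = lambda record: seen.append(record.getMessage())
    log.addHandler(handler)
    try:
        return role_exists(principal_id, lambda cmd: (1, "", stderr)), seen
    finally:
        log.removeHandler(handler)

if __name__ == "__main__":
    pid = "00000000-0000-0000-0000-000000000001"  # constructed principal id
    print(errors_logged(f"ERROR: {GRAPH_ASSIGNEE_NOT_FOUND} for '{pid}'.", pid))
    print(errors_logged("ERROR: Please run 'az login' to setup account.", pid))
```

A Graph message naming a different principal is still logged at ERROR by role_exists, because only the execute() check ignores the id.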