I am trying to create an az cli query that can evaluate if I am logged into the correct tenant and subscription. I know I have to use the ? and && operators but have not been able to get them in the correct combination yet that will work. When I query for just a single value using the line below, it works fine:
az account list --query "[?id=='my_subscription_id']" --output json
But when I try either of the lines below, it tells me it is invalid jmespath_type value:
az account list --query "[?id=='my_subscription_id' && ?tenantId=='my_tenant_id']" --output json
az account list --query "[(?id=='my_subscription_id') && (?tenantId=='my_tenant_id')]" --output json
When I try the line below, it gives me the error ] was unexpected at this time:
az account list --query "[(?id=='my_subscription_id')&&(?tenantId=='my_tenant_id')]" --output json
I know this can be done, just can't seem to find the right mixture yet.
UPDATED INFO:
Upon further testing, I made some progress but still not exactly what I was expecting. Assume that the tenant ID is 123, the subscription ID of the sub I am wanting is ABC and my account also has access to the subscription ID EFG. When running the command below:
az account list --query "[].{subscriptionId:id,tenantId:tenantId}"
I get the output:
{
"subscriptionId": "ABC",
"tenantId": "123"
},
{
"subscriptionId": "EFG",
"tenantId": "123"
}
I would expect that running the command below would return just the single record that matches:
az account list --query "[?id == 'ABC' && tenantid == '123'].{subscriptionId:id,tenantId:tenantId}" --output json
But it does not. It returns [].
Running the command below returns the single record that matches both conditions:
az account list --query "[?id == 'ABC' || tenantid == '123'].{subscriptionId:id,tenantId:tenantId}" --output json
Based on the documentation, && is an AND, and || is an OR. I would think that running the command line that has the || in it would return BOTH records, but it only returns the one that contains both values.
I am trying to create an az cli query that can evaluate if I am logged into the correct tenant and subscription.
In fact, one subscription can only trust one tenant, so you can just filter on the subscription ID; it will return the one matching tenant ID. Read more details in this blog.
A directory is the Azure AD service and each directory may have one or more domains. An Azure subscription has a trust relationship with Azure Active Directory which means that the subscription trusts Azure AD to authenticate users, services, and devices.
A directory can have many subscriptions associated with it, but only one tenant. Multiple subscriptions can trust the same Azure AD directory, but each subscription can only trust a single directory.
In this case, you already know the subscription ID. You also got the output of the subscription ID and tenant ID mapping records. You can get accurate results by filtering on your subscription ID like this. Or use it as you knew it:
az account list --query "[?id=='my_subscription_id']" --output json
Then you can verify whether you have logged in to the correct tenant.
az account list --query "[].{SubID:id,TenantID:tenantId}[?SubID=='my_subscription_id']" -o table
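A pre-flight check for the question's scenario, added here as an example and not part of the original question or answer. It puts both conditions in a single filter with one leading ? and spells tenantId exactly as az emits it, because JMESPath field names are case-sensitive. It goes beyond the thread by also requiring isDefault (so the match is the active subscription) and by rejecting non-GUID input before it is interpolated into the query. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: guard a script so it only proceeds in the intended
# Azure tenant and subscription. Function names are hypothetical.

# Return 0 only if $1 is exactly one GUID. The length test rejects
# embedded newlines; the pattern rejects quotes and JMESPath operators.
is_guid() {
    [ "${#1}" -eq 36 ] &&
        printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the JMESPath expression: one "?" opens the filter, conditions
# are joined with &&, and field names keep the case az emits
# (id, tenantId, isDefault). length(@) turns the matches into a count.
az_context_query() {
    printf "[?id=='%s' && tenantId=='%s' && isDefault] | length(@)" "$1" "$2"
}

# Exit status 0 only when the active subscription is $1 in tenant $2.
# 1 = context does not match, 2 = malformed ID, 3 = az itself failed.
az_context_ok() {
    is_guid "$1" && is_guid "$2" || { echo "IDs must be GUIDs" >&2; return 2; }
    count=$(az account list \
        --query "$(az_context_query "$1" "$2")" --output tsv) || return 3
    [ "$count" = "1" ]
}

# Typical use at the top of a deployment script:
#   az_context_ok "$EXPECTED_SUB" "$EXPECTED_TENANT" || exit 1
```
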