From ea2a68a7dd32a626e9b0023587b0bbaa26b50c11 Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski
Date: Fri, 22 May 2026 12:21:04 +0200
Subject: [PATCH] fix: add missing principal-type option for assign-role command to specify user/group/service principal
---
 package-lock.json | 4 ++--
 package.json | 2 +-
 src/cli.ts | 4 +++-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 3dded99..f92121d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "azure-acme-provisioner",
- "version": "0.4.2",
+ "version": "0.4.3",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "azure-acme-provisioner",
- "version": "0.4.2",
+ "version": "0.4.3",
 "license": "MIT",
 "dependencies": {
 "@azure/arm-authorization": "^9.0.0",
diff --git a/package.json b/package.json
index 22bbeaf..ba37666 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "azure-acme-provisioner",
- "version": "0.4.2",
+ "version": "0.4.3",
 "author": {
 "name": "Sławomir Koszewski",
 "url": "https://github.com/skoszewski"
diff --git a/src/cli.ts b/src/cli.ts
index db6e125..75d140e 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -137,6 +137,7 @@ sharedOptions(
 .command('assign-role ')
 .description('Assign Key Vault Certificate User and Secrets User roles to a principal for a domain certificate')
 .requiredOption('--principal-id ', 'Azure principal ID to assign roles to')
+ .requiredOption('--principal-type ', 'Principal type: User | Group | ServicePrincipal (use ServicePrincipal for managed identities)')
 .option('--dry-run', 'Show what would be assigned without making changes')
 ).action(async (domain: string, options: Record) => {
 applyOverrides(options);
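Review bot: The added `--principal-type` line uses `requiredOption`, so any existing `assign-role` invocation that passes only `--principal-id` will now stop with a usage error, while the release is numbered as a patch (0.4.2 to 0.4.3). If assignments without a type are still valid, declare it with `.option(...)` and pass `principalType` only when it was supplied; if it must be mandatory, the commit description should say that callers have to change. The help text names three values but nothing on this line restricts input to them. The builder calls look like commander, whose `Option` class offers `.choices([...])` for that, but the import is outside the hunk, so confirm the library first. The `sharedOptions(` call itself begins above this hunk.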
@@ -148,6 +149,7 @@ sharedOptions( const sub = config.subscriptionId; const principalId = String(options['principalId']); + const principalType = String(options['principalType']) as 'User' | 'Group' | 'ServicePrincipal'; const vaultName = new URL(config.keyVaultUrl).hostname.split('.')[0]; const certName = domainToCertName(domain); const vaultBase = `/subscriptions/${sub}/resourceGroups/${kvRg}/providers/Microsoft.KeyVault/vaults/${vaultName}`; @@ -165,7 +167,7 @@ sharedOptions( console.log(`[dry-run] Would assign '${role}' to ${principalId} on ${scope}`); } else { const roleDefinitionId = `/subscriptions/${sub}/providers/Microsoft.Authorization/roleDefinitions/${ROLE_IDS[role]}`; - await authClient.roleAssignments.create(scope, randomUUID(), { roleDefinitionId, principalId }); + await authClient.roleAssignments.create(scope, randomUUID(), { roleDefinitionId, principalId, principalType }); console.log(`Assigned '${role}' to ${principalId} on ${scope}`); } }
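Review bot: The `as 'User' | 'Group' | 'ServicePrincipal'` assertion on the added `principalType` line only satisfies the compiler; at runtime whatever string the caller typed, including a wrong-case `serviceprincipal`, is carried into the role-assignment request built in the next hunk. Because this command grants access to Key Vault certificates and secrets, the value should be rejected locally before any scope is computed, for example `const principalType = String(options['principalType']);` followed by `if (!['User', 'Group', 'ServicePrincipal'].includes(principalType)) throw new Error('Invalid --principal-type: ' + principalType);`. Narrowing through a small type guard would then give the union type without an assertion. The action callback starts and ends outside this hunk.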
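Review bot: Neither the `[dry-run]` message nor the `Assigned` message in this hunk reports `principalType`, although it is now part of the body passed to `roleAssignments.create`. A dry run therefore cannot show the operator which type would be sent, and the success line leaves no record of it for later audit. Consider adding it to both messages, e.g. ``console.log(`[dry-run] Would assign '${role}' to ${principalType} ${principalId} on ${scope}`);`` and the same for the `Assigned` line. The enclosing loop and callback begin above the hunk.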