Creating service principal failed - When using this permission, the backing application of the service principal being created must in the local tenant

When creating a service principal in the Azure US Government Cloud (I did not face the issue with Azure Public Cloud) with Azure CLI, I see the error “When using this permission, the backing application of the service principal being created must in the local tenant”. This appears intermittently and the operation succeeds in the next one or two attempts.

Command Name: az ad sp create-for-rbac

Errors:

Creating service principal failed for appid 'http://chethan1-sp'. Trace followed:
{'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8', 'Expires': '-1', 'ocp-aad-diagnostics-server-name': 'AX01WP8UrUZ+t1UfXh+CNVWXjkMVa+MRGWdcQJOSriA=', 'request-id': '8aa1f2d0-6f89-4c2c-81b8-aa9549229b9d', 'client-request-id': 'ce0ca1c0-dd44-11ea-80e4-00155d105809', 'x-ms-dirapi-data-contract-version': '1.6', 'ocp-aad-session-key': 'nOb19qb35xGesfB0mYy06u-CrMjhmNw8HNHKMTHy7icX2x2Rmiba_l-1z0xhZsPFTtnlkWTMpsRKrKUB7QDvx_GPr8A2SCrchMZsAJ3x6SXu7Mv_6E37q79Tb8WMCJOeiuGDMae6XqSqalb57jtujSnuOYnfkW-t6bHQQbGmK3v0oCK3gnHf3YmAAToCQ3EqYoqDYJb2hE0SbtPUOvKog.zODOfl-Y-xOarA46pFF-7YnuA3J-dCaM3TCle03YWAE', 'DataServiceVersion': '3.0;', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'Access-Control-Allow-Origin': '*', 'Duration': '1374142, 13351672', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'Date': 'Thu, 13 Aug 2020 09:10:23 GMT', 'Content-Length': '284'}
When using this permission, the backing application of the service principal being created must in the local tenant

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information. Run this command - az ad sp create-for-rbac --name http://chethan1-sp --role Contributor --scopes /subscriptions/<subscription id>

The first attempt often resulted in the error shown above. The next attempt was mostly successful like below -

az ad sp create-for-rbac --name http://chethan1-sp --role Contributor --scopes /subscriptions/<subscription id>
Found an existing application instance of "1bb1c184-b9bc-4ecf-a96c-07f1637xxxxx". We will patch it
Creating a role assignment under the scope of "/subscriptions/<subscription id>"
{
  "appId": "<value>",
  "displayName": "chethan1-sp",
  "name": "http://chethan1-sp",
  "password": "<value>",
  "tenant": "<value>"
}

Expected Behavior

The service principal is created successfully.

Environment Summary

Linux-4.4.0-18362-Microsoft-x86_64-with-debian-bullseye-sid
Python 3.6.10
Installer: DEB

azure-cli 2.10.1

Additional Context

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 4
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

1 reaction
jiasli commented, Mar 19, 2021

@gischethans, I previously commented at https://github.com/Azure/azure-cli/issues/14086#issuecomment-671685599 for this issue. It was also discussed at https://github.com/Azure/azure-cli/issues/7375#issuecomment-423410402.

This error message:

When using this permission, the backing application of the service principal being created must in the local tenant

is not the same as the public cloud’s exception:

… does not reference … … does not exist …

So it bypasses the retryable check:

https://github.com/Azure/azure-cli/blob/88a6056229413f3a8326a2fe295a10d1daceb09d/src/azure-cli/azure/cli/command_modules/role/custom.py#L1455-L1456

I am considering maybe we can loosen the check and also decrease

https://github.com/Azure/azure-cli/blob/88a6056229413f3a8326a2fe295a10d1daceb09d/src/azure-cli/azure/cli/command_modules/role/custom.py#L1396

So that all kinds of exceptions can be retried. Just thinking…
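The retry logic the comment above describes, as an added illustration rather than the Azure CLI's own code: the create call is retried only when the error text matches a known replication-lag message, so a message the matcher does not know (the Gov cloud wording from this issue) falls through and fails immediately, while a loosened marker list retries it. `DirectoryError`, `flaky_gov_cloud_create` and the sample app id are constructed stand-ins for the SDK exception and the directory.

```python
import time

# Error fragments produced by the read-after-write race: the application was just
# created, but the replica serving the service-principal create has not seen it yet.
# The first two are the public-cloud fragments the thread says the CLI matched; the
# third is the US Government cloud wording reported in this issue.
REPLICATION_LAG_MARKERS = (
    "does not reference",
    "does not exist",
    "backing application of the service principal being created must in the local tenant",
)


class DirectoryError(Exception):
    """Stand-in for the directory/Graph error the SDK raises (constructed for this example)."""


def is_retryable(err, markers=REPLICATION_LAG_MARKERS):
    """Retry only on replication-lag wording, never on a genuine permission failure."""
    text = str(err)
    return any(marker in text for marker in markers)


def create_sp_with_retry(create_fn, retries=5, delay=0.0, markers=REPLICATION_LAG_MARKERS):
    """Call create_fn() until it succeeds; re-raise at once for non-retryable errors."""
    for attempt in range(1, retries + 1):
        try:
            return create_fn()
        except DirectoryError as err:
            if not is_retryable(err, markers) or attempt == retries:
                raise
            time.sleep(delay * attempt)  # linear back-off; default 0 keeps the demo instant


def flaky_gov_cloud_create(failures):
    """Simulate a directory that returns the Gov cloud lag error `failures` times, then succeeds."""
    calls = {"n": 0}

    def create():
        calls["n"] += 1
        if calls["n"] <= failures:
            raise DirectoryError("When using this permission, the backing application of the "
                                 "service principal being created must in the local tenant")
        return {"appId": "<constructed-app-id>", "displayName": "chethan1-sp"}

    return create, calls
```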

0 reactions
bmc-msft commented, Mar 23, 2021

Note, I’m seeing this on the public cloud.
