Creating service principal failed - When using this permission, the backing application of the service principal being created must in the local tenant
When creating a service principal in the Azure US Government Cloud (I did not face the issue with Azure Public Cloud) with Azure CLI, I see the error “When using this permission, the backing application of the service principal being created must in the local tenant”. This appears intermittently and the operation succeeds in the next one or two attempts.
Command Name
az ad sp create-for-rbac
Errors:
Creating service principal failed for appid 'http://chethan1-sp'. Trace followed:
{'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8', 'Expires': '-1', 'ocp-aad-diagnostics-server-name': 'AX01WP8UrUZ+t1UfXh+CNVWXjkMVa+MRGWdcQJOSriA=', 'request-id': '8aa1f2d0-6f89-4c2c-81b8-aa9549229b9d', 'client-request-id': 'ce0ca1c0-dd44-11ea-80e4-00155d105809', 'x-ms-dirapi-data-contract-version': '1.6', 'ocp-aad-session-key': 'nOb19qb35xGesfB0mYy06u-CrMjhmNw8HNHKMTHy7icX2x2Rmiba_l-1z0xhZsPFTtnlkWTMpsRKrKUB7QDvx_GPr8A2SCrchMZsAJ3x6SXu7Mv_6E37q79Tb8WMCJOeiuGDMae6XqSqalb57jtujSnuOYnfkW-t6bHQQbGmK3v0oCK3gnHf3YmAAToCQ3EqYoqDYJb2hE0SbtPUOvKog.zODOfl-Y-xOarA46pFF-7YnuA3J-dCaM3TCle03YWAE', 'DataServiceVersion': '3.0;', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'Access-Control-Allow-Origin': '*', 'Duration': '1374142, 13351672', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'Date': 'Thu, 13 Aug 2020 09:10:23 GMT', 'Content-Length': '284'}
When using this permission, the backing application of the service principal being created must in the local tenant
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
Run this command -
az ad sp create-for-rbac --name http://chethan1-sp --role Contributor --scopes /subscriptions/<subscription id>
The first attempt often resulted in the error shown above. The next attempt was mostly successful like below -
az ad sp create-for-rbac --name http://chethan1-sp --role Contributor --scopes /subscriptions/<subscription id>
Found an existing application instance of "1bb1c184-b9bc-4ecf-a96c-07f1637xxxxx". We will patch it
Creating a role assignment under the scope of "/subscriptions/<subscription id>"
{
"appId": "<value>",
"displayName": "chethan1-sp",
"name": "http://chethan1-sp",
"password": "<value>",
"tenant": "<value>"
}
Expected Behavior
The service principal is created successfully.
Environment Summary
Linux-4.4.0-18362-Microsoft-x86_64-with-debian-bullseye-sid
Python 3.6.10
Installer: DEB
azure-cli 2.10.1
Additional Context
Top GitHub Comments
@gischethans, I previously commented at https://github.com/Azure/azure-cli/issues/14086#issuecomment-671685599 for this issue. It was also discussed at https://github.com/Azure/azure-cli/issues/7375#issuecomment-423410402.
This error message:
is not the same as the public cloud’s exception:
So it bypasses the retryable check:
https://github.com/Azure/azure-cli/blob/88a6056229413f3a8326a2fe295a10d1daceb09d/src/azure-cli/azure/cli/command_modules/role/custom.py#L1455-L1456
I am considering maybe we can loosen the check and also decrease
https://github.com/Azure/azure-cli/blob/88a6056229413f3a8326a2fe295a10d1daceb09d/src/azure-cli/azure/cli/command_modules/role/custom.py#L1396
So that all kinds of exceptions can be retried. Just thinking…
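The retry behaviour discussed above, as an added example (not azure-cli's own code): a classifier that treats both error wordings as transient by substring match, a backoff wrapper around the create call that re-raises anything else immediately, and a constructed stand-in for the directory that hides the new application for the first two reads. The public-cloud wording is a placeholder, since the comment above does not reproduce it.

```python
import time
from typing import Callable, TypeVar

T = TypeVar("T")

# Substrings marking "application not yet replicated". The first is the Azure US
# Government wording quoted in this issue; the second is a placeholder for the
# public-cloud wording, which the comment above does not reproduce (assumption).
REPLICATION_LAG_MARKERS = (
    "backing application of the service principal being created must in the local tenant",
    "<public cloud replication error text>",
)

def is_replication_lag(err: Exception, markers=REPLICATION_LAG_MARKERS) -> bool:
    """Classify an exception as transient replication lag by substring match."""
    return any(marker in str(err) for marker in markers)

def retry_sp_create(create: Callable[[], T], *, attempts: int = 5,
                    base_delay: float = 2.0, sleep=time.sleep) -> T:
    """Retry create() with exponential backoff while the failure looks like
    replication lag; anything else (e.g. missing permissions) is raised at once."""
    for attempt in range(1, attempts + 1):
        try:
            return create()
        except Exception as err:
            if not is_replication_lag(err) or attempt == attempts:
                raise
            sleep(base_delay * 2 ** (attempt - 1))
    raise AssertionError("unreachable: the loop either returns or raises")

class FakeDirectory:
    """Constructed stand-in for AAD: the new app is invisible for `lag` reads."""

    def __init__(self, lag: int):
        self.lag, self.calls = lag, 0

    def create_service_principal(self, name: str) -> dict:
        self.calls += 1
        if self.calls <= self.lag:
            raise RuntimeError(
                f"Creating service principal failed for appid '{name}'. When using this "
                "permission, the backing application of the service principal being "
                "created must in the local tenant")
        return {"appId": "<constructed app id>", "displayName": name}

def create_with_retry(directory: FakeDirectory, name: str, **kw) -> dict:
    return retry_sp_create(lambda: directory.create_service_principal(name), **kw)
```

With `lag=2` the third call succeeds; a permissions error is surfaced on the first call rather than retried.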
Note, I’m seeing this on the public cloud.