Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Usage error: To create role assignments, specify both --role and --scopes.

See original GitHub issue

Describe the bug

Previously working az ad sp create-for-rbac command has stopped working.

Command Name az ad sp create-for-rbac

Errors:

Usage error: To create role assignments, specify both --role and --scopes.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

az ad sp create-for-rbac --name {} --scopes {} --sdk-auth

Expected Behavior

Service principal is created.

Environment Summary

Linux-5.4.0-1074-azure-x86_64-with-glibc2.28 (Cloud Shell), Common Base Linux Delridge (quinault)
Python 3.8.12
Installer: DEB

azure-cli 2.35.0

Extensions:
ai-examples 0.2.5
ssh 1.0.1

Dependencies:
msal 1.17.0
azure-mgmt-resource 20.0.0

Additional Context

Issue Analytics

State:
Created a year ago
Reactions:3
Comments:6 (3 by maintainers)

Top GitHub Comments

5reactions

ConcreteGannetcommented, Apr 7, 2022

This is a deliberate breaking change, see #21323. I think it’s a good idea to insist you choose the scope you want - it could well be tighter than the entire subscription. So just specify your scope! The documentation at https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac says what to to to get your subscription ID if that’s the scope you want.

1reaction

SSPJcommented, Apr 7, 2022

Appreciate the replies.

In case anyone else finds this helpful, it seems you can still do az ad sp create-for-rbac --name <name> (just leave --scope and --role entirely off).

To be clear, that won’t create a role assignment, but it suited my use case perfectly.