Usage error: To create role assignments, specify both --role and --scopes.
Describe the bug
Previously working az ad sp create-for-rbac command has stopped working.
Command Name
az ad sp create-for-rbac
Errors:
Usage error: To create role assignments, specify both --role and --scopes.
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
az ad sp create-for-rbac --name {} --scopes {} --sdk-auth
Expected Behavior
Service principal is created.
Environment Summary
Linux-5.4.0-1074-azure-x86_64-with-glibc2.28 (Cloud Shell), Common Base Linux Delridge (quinault)
Python 3.8.12
Installer: DEB
azure-cli 2.35.0
Extensions:
ai-examples 0.2.5
ssh 1.0.1
Dependencies:
msal 1.17.0
azure-mgmt-resource 20.0.0
Additional Context
Issue Analytics
- State:
- Created a year ago
- Reactions:3
- Comments:6 (3 by maintainers)
Top GitHub Comments
This is a deliberate breaking change, see #21323. I think it’s a good idea to insist you choose the scope you want - it could well be tighter than the entire subscription. So just specify your scope! The documentation at https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create-for-rbac says what to do to get your subscription ID if that’s the scope you want.
Appreciate the replies.
In case anyone else finds this helpful, it seems you can still do
az ad sp create-for-rbac --name <name>
(just leave --scope and --role entirely off). To be clear, that won’t create a role assignment, but it suited my use case perfectly.
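
Added example, not part of the original issue or its comments: a shell sketch of the two valid forms discussed above (both --role and --scopes, or neither), with the scope narrowed to one resource group instead of the whole subscription. The helper names build_scope and sp_command, the role Reader, the name ci-deployer, the resource group rg-ci-demo and the all-zero subscription ID are assumptions constructed for illustration; the script prints the command for review and does not call az itself.

```shell
#!/bin/sh
# Added example (hypothetical helpers, constructed sample values).

# Build an ARM scope string.
# $1 = subscription ID (GUID), $2 = optional resource group name.
build_scope() {
    sub=$1
    rg=${2:-}
    # Reject anything that is not a GUID so a typo never becomes a scope.
    printf '%s' "$sub" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || {
        echo "invalid subscription id: $sub" >&2
        return 1
    }
    if [ -n "$rg" ]; then
        # Narrower than the subscription: one resource group only.
        printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg"
    else
        printf '/subscriptions/%s\n' "$sub"
    fi
}

# Mirror the rule from the error message: --role and --scopes are given
# together, or both are left off (no role assignment is created then).
# $1 = name, $2 = role (may be empty), $3 = scope (may be empty).
sp_command() {
    name=$1
    role=${2:-}
    scope=${3:-}
    if [ -n "$role" ] && [ -n "$scope" ]; then
        printf 'az ad sp create-for-rbac --name %s --role "%s" --scopes %s\n' \
            "$name" "$role" "$scope"
    elif [ -z "$role" ] && [ -z "$scope" ]; then
        printf 'az ad sp create-for-rbac --name %s\n' "$name"
    else
        echo "specify both --role and --scopes, or neither" >&2
        return 1
    fi
}

# Constructed sample values; replace with your own before use.
SUB_ID=00000000-0000-0000-0000-000000000000
sp_command ci-deployer Reader "$(build_scope "$SUB_ID" rg-ci-demo)"
```

The real subscription ID can be read with az account show --query id -o tsv and passed in place of the constructed one.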