Unable to create service principal with azure cli from git bash shell: InvalidSchema: No connection adapters were found for 'C:/Program Files/Git/...

[mruepp]

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Describe the bug
When trying to create an azure service principal from git bash or programatically from bash scripts, the task fails with the following error:

Creating a role assignment under the scope of "C:/Program Files/Git/subscriptions/yyy-yyy-xxx-xxx"
Role assignment creation failed.

ClientError: Error occurred in request., InvalidSchema: No connection adapters were found for 'C:/Program Files/Git/subscriptions/yyy-yyy-xxx-xxx
xxx-xxx-yyy-yyy/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20%27Contributor%27&api-version=2018-01-01-preview'

This is a long persistent error and is still not solved. We need to bootstrap environments programatically.

The command involved is:

ARM_CLIENT_SECRET=$(az ad sp create-for-rbac
--name "http://$ARM_PRINCIPAL_NAME"
--role Contributor
--scopes "/subscriptions/$ARM_SUBSCRIPTION_ID"
--query password
--output tsv)

I also tried to change the read write permissions of the
C:/Program Files/Git and its subfolders, no change.

Strange is, the sp gets created but incomplete and the command does not return the client secret. Also the role assigment gets created to an unknown identity - see screenshot

To Reproduce
Issue the following command:

ARM_CLIENT_SECRET=$(az ad sp create-for-rbac
--name "http://$ARM_PRINCIPAL_NAME"
--role Contributor
--scopes "/subscriptions/$ARM_SUBSCRIPTION_ID"
--query password
--output tsv)

Expected behavior
Execute command and return client secret or other variable depending on the query

Environment summary
Windows 10
Git Bash

Additional context

[yungezz]

HI @fengzhou-msft could you pls help to check if this related with git bash? If not, psl help to redirect to Yong's team. thanks

[mruepp]

This Bug was never solved. The issue Brian mentioned was created in the wrong repo and never solved by the azure-cli team. Any updates? Thanks

[BrianBasor]

Since the az ad sp create-for-rbac command has this bug when used from Git Bash on Windows, I used the following work-around in my bash script:

1. Build a request URL and payload for the REST API as described as described in

• https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-rest
• and https://docs.microsoft.com/en-us/rest/api/authorization/roleassignments/create
• including a random role assignment UUID

2. Send the payload to the Azure management URL using the az rest command: https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az_rest

Which gets around the bug in the Azure CLI and let me create a role assignment programmatically.

[fengzhou-msft]

You need to set MSYS_NO_PATHCONV=1 to avoid auto-translation of the resource id: https://github.com/Azure/azure-cli/blob/dev/doc/use_cli_with_git_bash.md#auto-translation-of-resource-ids

[BrianBasor]

Thank you @fengzhou-msft for pointing us in the right direction.

[devniel93]

Thanks @fengzhou-msft. I had to do something like this
SP_PASSWD=$(MSYS_NO_PATHCONV=1 az ad sp create-for-rbac
--name http://$ACR_NAME-pull
--scopes $ACR_REGISTRY_ID
--role acrpull
--query password
--output tsv)

[mruepp]

I can confirm that if setting MSYS_NO_PATHCONV=1 and using the newest cli it works as intended with gitbash. This issue can be closed. Thanks everyone!

[frederic-gendebien]

I can confirm that if setting MSYS_NO_PATHCONV=1 and using the newest cli it works as intended with gitbash. This issue can be closed. Thanks everyone!

Just my 2 cents for unix newbies:

export MSYS_NO_PATHCONV=1
./<awsome_script>.sh

[jgrandydevops]

I don't think this should be closed.

By default az ad sp create-for-rbac should recognize simple paths as such.

[jiasli]

By default az ad sp create-for-rbac should recognize simple paths as such.

This is not an issue of Azure CLI, but Git Bash which translates the URL before Azure CLI can even receive it. Please see #16317 (comment)

[cybersmithio]

Definitely an issue with git bash versus powershell. I was in VS Code on Windows and tried the command below:
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/xxxxxxx"

and received the error:
Error occurred in request., InvalidSchema: No connection adapters were found for...

When I put the exact same command in Powershell, it worked fine.

I tried the workaround of using MSYS_NO_PATHCONV=1 and was still having the problem.