az role assignment create fails in Cloud Shell: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token #9345

Closed
simongdavies opened this issue May 8, 2019 · 12 comments
@simongdavies
Member

Describe the bug

Running in Cloud Shell, the command fails; it works correctly on client.

Command Name
az role assignment create

Errors:

The command failed with an unexpected error. Here is the traceback:


400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 206, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 560, in execute
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 618, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 611, in _run_job
    six.reraise(*sys.exc_info())
  File "/opt/az/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 588, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 297, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 453, in default_command_handler
    return op(**command_args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 134, in create_role_assignment
    resolve_assignee=(not assignee_object_id))
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 150, in _create_role_assignment
    object_id = _resolve_object_id(cli_ctx, assignee) if resolve_assignee else assignee
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 1614, in _resolve_object_id
    filter="servicePrincipalNames/any(c:c eq '{}')".format(assignee)))
  File "/opt/az/lib/python3.6/site-packages/msrest/paging.py", line 143, in __next__
    self.advance_page()
  File "/opt/az/lib/python3.6/site-packages/msrest/paging.py", line 129, in advance_page
    self._response = self._get_next(self.next_link)
  File "/opt/az/lib/python3.6/site-packages/azure/graphrbac/operations/service_principals_operations.py", line 156, in internal_paging
    response = self._client.send(request, stream=False, **operation_config)
  File "/opt/az/lib/python3.6/site-packages/msrest/service_client.py", line 336, in send
    pipeline_response = self.config.pipeline.run(request, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/__init__.py", line 197, in run
    return first_node.send(pipeline_request, **kwargs)  # type: ignore
  File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/__init__.py", line 150, in send
    response = self.next.send(request, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/msrest/pipeline/requests.py", line 65, in send
    self._creds.signed_session(session)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/adal_authentication.py", line 26, in signed_session
    scheme, token, _ = self._token_retriever()
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 532, in _retrieve_token
    return self._get_token_from_cloud_shell(resource)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 365, in _get_token_from_cloud_shell
    auth = MSIAuthentication(resource=resource)
  File "/opt/az/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 576, in __init__
    self.set_token()
  File "/opt/az/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 582, in set_token
    self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
  File "/opt/az/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 485, in get_msi_token
    result.raise_for_status()
  File "/opt/az/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here...
  • az role assignment create --assignee {} --role {} --scope {}

Expected Behavior

Environment Summary

Linux-4.15.0-1041-azure-x86_64-with-debian-stretch-sid
Python 3.6.5
Shell: bash

azure-cli 2.0.64

Extensions:
resource-graph 0.1.8
interactive 0.4.1

Additional Context

Thanks for your feedback!
command ran in 4.050 seconds.

@yugangw-msft
Contributor

This is a Cloud Shell bug: the token endpoint stops responding. Can you try again?

@yugangw-msft yugangw-msft added Cloud Shell Service Attention This issue is responsible by Azure service team. labels May 10, 2019
@jmwoloso

@yugangw-msft Mine fails as well, though for a different reason.

When I run:

az role assignment create --role 'Storage Blob Data Contributor' --assignee http://my_sp

I get this error (I've removed the PII):

The client '<user>@<domain>' with object id 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<subscription-id>'.

When attempting the same operation with the same login credentials through the portal, this operation does work.

@yugangw-msft
Contributor

@jmwoloso, if you run CLI from your desktop (instead of cloud shell), does it work?

@jiasli jiasli changed the title from "az role assignment create fails in cloudshell" to "az role assignment create fails in Cloud Shell: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token" Aug 12, 2019
@jiasli jiasli pinned this issue Aug 12, 2019
@jiasli jiasli self-assigned this Aug 12, 2019
@achandmsft achandmsft unpinned this issue Aug 28, 2019
@jiasli
Member

jiasli commented Sep 4, 2019

Could you run again to see if it is working? If not, please run with --debug and share the output.

@haroldrandom haroldrandom added Cloud Shell Service Attention This issue is responsible by Azure service team. labels Oct 25, 2019
@jiasli
Member

jiasli commented Dec 10, 2019

Seems to be a Cloud Shell issue and we are working on it. Please use az login as a workaround.

@yonzhan yonzhan added this to the S163 milestone Dec 15, 2019
@yonzhan
Collaborator

yonzhan commented Dec 15, 2019

Can we close this issue?

@jiasli
Member

jiasli commented Dec 24, 2019

Closing due to no response. If the issue happens again, please reply to this issue or create a new one.

@jiasli jiasli closed this as completed Dec 24, 2019
@justSteve

justSteve commented Mar 4, 2020

I'm getting this error via the Azure Cloud Shell from MS Terminal (Preview). I've been running lots of other 'create' scripts on other services with no problem, so I'm logged in. I've rebooted and returned to Terminal's shell as a first stop and still get the same error.

Running az keyvault list --resource-group myRg will return an existing KeyVault but the create statement tossed the error.

After posting this I opened the online cloud shell editor and ran the same command. This time the editor window replied back with validation error: Parameter 'vault_name' must conform to the following pattern: '^[a-zA-Z0-9-]{3,24}$'. I shortened the name and tried again from Terminal's shell and things worked.

SUMMARY: The portal's integrated Cloud Shell produced a meaningful error message (--name was too long) while the shell via MS Terminal produced the non-helpful 400 Client Error message.

@harshvirbhati

I had the same error but found there was a spelling mistake in my command on AZ CLI. It was working after correcting the spelling. I hope this is helpful to someone.

@jiasli
Member

jiasli commented Apr 9, 2020

Hi @justSteve, the 400 error you got is from Cloud Shell itself, instead of the az command. This is a known issue of Cloud Shell: #11749.
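
Added example, not part of the thread or of Azure CLI: a small triage helper that tells apart the two failure modes reported above, a token request to the local Cloud Shell endpoint failing versus Azure rejecting the call for missing permissions. The sample inputs are constructed from the error text quoted in this issue; the function name `triage` and the stage labels are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed samples, abbreviated from the error text quoted in this issue.
SAMPLE_TRACEBACK = """Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 1614, in _resolve_object_id
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/_profile.py", line 365, in _get_token_from_cloud_shell
  File "/opt/az/lib/python3.6/site-packages/msrestazure/azure_active_directory.py", line 485, in get_msi_token
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
"""
SAMPLE_DENIED = ("The client '<user>@<domain>' with object id 'XXXX' does not have "
                 "authorization to perform action 'Microsoft.Authorization/roleAssignments/write' "
                 "over scope '/subscriptions/<subscription-id>'.")

FRAME = re.compile(r'File "(?P<path>[^"]+)", line \d+, in (?P<func>\S+)')
HTTP_ERR = re.compile(r"HTTPError: (?P<status>\d{3}) .*? for url: (?P<url>\S+)")
DENIED = re.compile(r"does not have authorization to perform action "
                    r"'(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")
# Frames seen in the traceback above when the CLI asks Cloud Shell for a token.
TOKEN_FUNCS = {"_get_token_from_cloud_shell", "get_msi_token"}

def triage(text):
    """Classify az error output by the stage that failed (labels are hypothetical)."""
    denied = DENIED.search(text)
    if denied:
        # The request reached Azure and RBAC rejected it: a permissions problem.
        return {"stage": "authorization", **denied.groupdict()}
    err = HTTP_ERR.search(text)
    if err is None:
        return {"stage": "unknown"}
    frames = [(m["path"], m["func"]) for m in FRAME.finditer(text)]
    host = urlparse(err["url"]).hostname
    in_token_path = any(func in TOKEN_FUNCS for _, func in frames)
    if in_token_path and host in ("localhost", "127.0.0.1"):
        # Failed while obtaining a token from the local endpoint, i.e. during
        # credential setup, not in the command's own call to an Azure API.
        callers = [func for path, func in frames if "/command_modules/" in path]
        return {"stage": "token_acquisition", "status": int(err["status"]),
                "host": host, "triggered_by": callers[-1] if callers else None}
    return {"stage": "service_request", "status": int(err["status"]), "host": host}

if __name__ == "__main__":
    print(triage(SAMPLE_TRACEBACK))
    print(triage(SAMPLE_DENIED))
```

A `token_acquisition` result points at the shell environment's token endpoint rather than at role permissions, while an `authorization` result names the exact action and scope to check in RBAC.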

@kaukin

kaukin commented May 26, 2020

Per my experience, GitHub forums are not informative. Try Stack Overflow.

@jiasli
Member

jiasli commented May 27, 2020

@kaukin, we are the developers of Azure CLI. 😉

The GitHub Issues page is currently the only forum we monitor. We don't usually work on Stack Overflow.
