
az role assignment list/create fail when listing/creating by Service Principal name #27257

@rzunigams

Description

Describe the bug

When I try to list the role assignments or create a role assignment for a specific Enterprise Application using its name with the --assignee parameter, I get the following error:

"Cannot find user or service principal in graph database for '{enterprise_application_name}'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id {enterprise_application_name}'."

However, if I use the same exact command (see below on the Related command section) but only replace the name with the Enterprise Application Object ID, it works.

According to this portion of the documentation https://learn.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-list, the --assignee parameter can receive an object id, user sign-in name, or service principal name.

Dynamically getting the Enterprise Application Object ID would involve providing more permissions at the AAD level. Therefore, we would like to be able to list or create the role assignment with the name.

Note: The same error shows up with the az role assignment create command, which is the one that we actually want to use. It also happens with App Registrations and shorter names.

Related command

az role assignment list --assignee {enterprise_application_name} --role '{role_name}' --scope {scope_to_specific_resource}

Errors

"Cannot find user or service principal in graph database for '{enterprise_application_name}'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id {enterprise_application_name}'."

Issue script & Debug output

cli.knack.cli: Command arguments: ['role', 'assignment', 'list', '--assignee', '{enterprise_application_name}', '--role', '{role_name}', '--scope', '{scope_to_specific_resource}', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0268A4A8>, <function OutputProducer.on_global_arguments at 0x0288D6E8>, <function CLIQuery.on_global_arguments at 0x028A8340>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'role': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.013 17 61
cli.azure.cli.core: Total (1) 0.013 17 61
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : role assignment list
cli.azure.cli.core: Command table: role assignment list
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x04A4B580>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '{home_directory}.azure\commands\2023-08-24.11-18-52.role_assignment_list.32480.log'.
az_command_data_logger: command args: role assignment list --assignee {} --role {} --scope {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x04A73898>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x04A87808>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x04A87A00>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0288D730>, <function CLIQuery.handle_query_parameter at 0x028A8388>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x04A879B8>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=AuthorizationManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='{home_directory}\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: {home_directory}.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/{id_removed}/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/{id_removed}/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{id_removed}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/{id_removed}/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/{id_removed}/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/{id_removed}/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/{id_removed}/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/{removed_id}/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/{removed_id}/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{removed_id}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/{removed_id}/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/{removed_id}/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/{removed_id}/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/{removed_id}/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 83ef04f5-480f-482b-a23e-384a04dbd2f3
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/servicePrincipals?$filter=servicePrincipalNames%2Fany%28c%3Ac%20eq%20%27{enterprise_application_name}%27%29'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.10.10 (Windows-10-10.0.22621-SP0) AZURECLI/2.51.0 (MSI)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '*/*'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': 'ec2a92dd-2991-48e7-aa8a-64a9af4c7f4a'
cli.azure.cli.core.util: 'CommandName': 'role assignment list'
cli.azure.cli.core.util: 'ParameterSetName': '--assignee --role --scope --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer {removed}...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/servicePrincipals?$filter=servicePrincipalNames%2Fany%28c%3Ac%20eq%20%27{enterprise_application_name}%27%29 HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': '{removed}'
cli.azure.cli.core.util: 'client-request-id': '{removed}'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"North Central US","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"CH01EPF00003EAD"}}'
cli.azure.cli.core.util: 'x-ms-resource-unit': '1'
cli.azure.cli.core.util: 'OData-Version': '4.0'
cli.azure.cli.core.util: 'Date': 'Thu, 24 Aug 2023 17:18:54 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#servicePrincipals","value":[]}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 235, in list_role_assignments
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 551, in _search_role_assignments
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 1532, in _resolve_object_id
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 1558, in _resolve_object_id_and_type
knack.util.CLIError: Cannot find user or service principal in graph database for '{enterprise_application_name}'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id {enterprise_application_name}'.

cli.azure.cli.core.azclierror: Cannot find user or service principal in graph database for '{enterprise_application_name}'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id {enterprise_application_name}'.
az_command_data_logger: Cannot find user or service principal in graph database for '{enterprise_application_name}'. If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id {enterprise_application_name}'.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x04A4B6A0>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 2.039 seconds (init: 0.753, invoke: 1.286)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3701 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc {home_path}.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

Find or create (depending on whether it is az role assignment list or create) the specified role assignment with the specified Enterprise Application name. If there's no such role assignment, then return a "[]" but not fail.

Environment Summary

azure-cli 2.51.0

core 2.51.0
telemetry 1.1.0

Extensions:
ml 2.18.0

Dependencies:
msal 1.24.0b1
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory '{home_path}.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:05:00) [MSC v.1929 32 bit (Intel)]

Additional context

No response
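As an added illustration (not code from this issue or from Azure CLI), the script below decodes the Graph request recorded in the debug output above to show which property the lookup filters on, and then resolves an assignee against constructed sample principals the way a cautious resolver would: tenant-unique servicePrincipalNames first, displayName only when it matches exactly one object. The sample ids, the `resolve_assignee` helper and its fallback rule are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Graph request URL copied from the --debug output in this issue (placeholder kept as-is).
DEBUG_URL = ("https://graph.microsoft.com/v1.0/servicePrincipals?$filter="
             "servicePrincipalNames%2Fany%28c%3Ac%20eq%20%27{enterprise_application_name}%27%29")

# Shape of the OData lambda filter the CLI sent: <property>/any(c:c eq '<value>')
FILTER_RE = re.compile(r"^(\w+)/any\(c:c eq '(.*)'\)$")


def decode_filter(url):
    """Return the percent-decoded OData $filter string from a Graph request URL."""
    return parse_qs(urlsplit(url).query)["$filter"][0]


def filter_property(odata_filter):
    """Split '<property>/any(c:c eq <value>)' into (property, value)."""
    return FILTER_RE.match(odata_filter).groups()


# Constructed sample directory objects; ids are placeholders, not real tenant data.
# Two principals deliberately share a displayName, which Entra ID permits.
SAMPLE_SPS = [
    {"id": "sp-0001", "appId": "app-0001", "displayName": "Payments API",
     "servicePrincipalNames": ["app-0001", "https://contoso.example/payments-api"]},
    {"id": "sp-0002", "appId": "app-0002", "displayName": "Payments API",
     "servicePrincipalNames": ["app-0002"]},
    {"id": "sp-0003", "appId": "app-0003", "displayName": "Inventory Worker",
     "servicePrincipalNames": ["app-0003"]},
]


def match_any(sps, prop, value):
    """Evaluate '<prop>/any(c:c eq value)' locally, as the logged Graph filter does."""
    return [sp["id"] for sp in sps if value in sp[prop]]


def resolve_assignee(sps, assignee):
    """Hypothetical resolver: --assignee string -> one object id, or None.

    servicePrincipalNames (appId and identifier URIs) are unique per tenant, so
    they are tried first; displayName is a fallback that must hit exactly one
    principal, otherwise a role assignment could land on the wrong identity.
    """
    hits = match_any(sps, "servicePrincipalNames", assignee)
    if not hits:
        hits = [sp["id"] for sp in sps if sp["displayName"] == assignee]
    if len(hits) > 1:
        raise ValueError(f"ambiguous assignee {assignee!r}: {hits}")
    return hits[0] if hits else None
```

Decoding the logged URL shows the CLI matching on servicePrincipalNames rather than displayName, which is consistent with the empty `value` array in the response and the CLIError at the end of the log.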

Labels

AAD, Auto-Assign (auto assigned by bot), Azure CLI Team (the command of the issue is owned by the Azure CLI team), Graph (az ad), OKR Candidate, RBAC (az role), customer-reported (reported by a GitHub user external to the Azure organization), feature-request