az identity federated-credential create now requires an audience parameter.Β #31598
Description
Describe the bug
In v2.74 of az, az identity federated-credential create no longer has a default audience set, so commands which worked with v2.68 without the --audience set now fail with the error given below.
Setting the audience explicitly to the old default with --audience api://AzureADTokenExchange works with v2.74, but this breaks existing examples and infrastructure until we can make the change.
Related command
az identity federated-credential create
Errors
(InvalidFederatedIdentityCredentialsAudienceLength) Federated identity credentials must have exactly 1 audience.
Code: InvalidFederatedIdentityCredentialsAudienceLength
Message: Federated identity credentials must have exactly 1 audience.
Issue script & Debug output
No script necessary. One command:
az identity federated-credential create --name js-fci4 --identity-name js-uai-sse --resource-group demo3 --issuer https://unitedkingdom.oic.prod-arc.azure.com/fa70992e-c529-440b-ba3e-8e4db061d63d/b1383592-c1be-4922-9587-7463b385547c/ --subject system:serviceaccount:js-namespace:js-sa --debug
Output:
`cli.knack.cli: Command arguments: ['identity', 'federated-credential', 'create', '--name', 'js-fci4', '--identity-name', 'js-uai-sse', '--resource-group', 'demo3', '--issuer', 'https://unitedkingdom.oic.prod-arc.azure.com/fa70992e-c529-440b-ba3e-8e4db061d63d/b1383592-c1be-4922-9587-7463b385547c/', '--subject', 'system:serviceaccount:js-namespace:js-sa', '--audience', 'api://AzureADTokenExchange', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f5911a1fa60>, <function OutputProducer.on_global_arguments at 0x7f5911766980>, <function CLIQuery.on_global_arguments at 0x7f59117abec0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'identity': ['azure.cli.command_modules.identity']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: identity 0.144 2 11
cli.azure.cli.core: Total (1) 0.144 2 11
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 2 groups, 11 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : identity federated-credential create
cli.azure.cli.core: Command table: identity federated-credential create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f59109e8360>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/gary/.azure/commands/2025-06-04.11-36-57.identity_federated-credential_create.6048.log'.
az_command_data_logger: command args: identity federated-credential create --name {} --identity-name {} --resource-group {} --issuer {} --subject {} --audience {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7f5910a47100>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7f5910a471a0>, <function register_cache_arguments..add_cache_arguments at 0x7f5910a472e0>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x7f5910a47380>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.azure.cli.core.util: invalid syntax (, line 1)
cli.azure.cli.core.aaz._arg_action: Failed to parse string as JSON:
api://AzureADTokenExchange
Error detail: Expecting value: line 1 column 1 (char 0)
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f5911766a20>, <function CLIQuery.handle_query_parameter at 0x7f59117abf60>, <function register_ids_argument..parse_ids_arguments at 0x7f5910a47240>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/gary/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/gary/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d
msal.authority: openid_config("https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: e0e6009b-c7a0-4968-8066-8195a7c74ade
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/f980c412-9931-40d8-b260-c52da8d8adbc/resourceGroups/demo3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/js-uai-sse/federatedIdentityCredentials/js-fci4?api-version=2025-01-31-preview'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '249'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'd705e51c-412f-11f0-8efb-47356ed342e0'
cli.azure.cli.core.sdk.policies: 'CommandName': 'identity federated-credential create'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --identity-name --resource-group --issuer --subject --audience --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.74.0 (DEB) azsdk-python-core/1.31.0 Python/3.12.10 (Linux-5.15.153.1-microsoft-standard-WSL2-x86_64-with-glibc2.35)'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"audiences": ["api://AzureADTokenExchange"], "issuer": "https://unitedkingdom.oic.prod-arc.azure.com/fa70992e-c529-440b-ba3e-8e4db061d63d/b1383592-c1be-4922-9587-7463b385547c/", "subject": "system:serviceaccount:js-namespace:js-sa"}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/f980c412-9931-40d8-b260-c52da8d8adbc/resourceGroups/demo3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/js-uai-sse/federatedIdentityCredentials/js-fci4?api-version=2025-01-31-preview HTTP/1.1" 201 534
cli.azure.cli.core.sdk.policies: Response status: 201
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '534'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'Location': '/subscriptions/f980c412-9931-40d8-b260-c52da8d8adbc/resourcegroups/demo3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/js-uai-sse/federatedIdentityCredentials/js-fci4'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-operation-identifier': 'tenantId=fa70992e-c529-440b-ba3e-8e4db061d63d,objectId=30948278-d097-48b3-be96-f09cd3cb3f25/uksouth/f0a27145-963c-4fca-bd49-02aa1f585f4a'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '199'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-writes': '2999'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '1a871a5d-e438-437f-8bae-027b48fbb67b'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '1a871a5d-e438-437f-8bae-027b48fbb67b'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'UKSOUTH:20250604T103658Z:1a871a5d-e438-437f-8bae-027b48fbb67b'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 81671B176F1546D0896F86F6B7737784 Ref B: AMS231020614037 Ref C: 2025-06-04T10:36:57Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Wed, 04 Jun 2025 10:36:58 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"id":"/subscriptions/f980c412-9931-40d8-b260-c52da8d8adbc/resourcegroups/demo3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/js-uai-sse/federatedIdentityCredentials/js-fci4","name":"js-fci4","type":"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials","properties":{"issuer":"https://unitedkingdom.oic.prod-arc.azure.com/fa70992e-c529-440b-ba3e-8e4db061d63d/b1383592-c1be-4922-9587-7463b385547c/","subject":"system:serviceaccount:js-namespace:js-sa","audiences":["api://AzureADTokenExchange"]}}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x7f5910a445e0>, <function _x509_from_base64_to_hex_transform at 0x7f5910a44680>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
{
"audiences": [
"api://AzureADTokenExchange"
],
"id": "/subscriptions/f980c412-9931-40d8-b260-c52da8d8adbc/resourcegroups/demo3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/js-uai-sse/federatedIdentityCredentials/js-fci4",
"issuer": "https://unitedkingdom.oic.prod-arc.azure.com/fa70992e-c529-440b-ba3e-8e4db061d63d/b1383592-c1be-4922-9587-7463b385547c/",
"name": "js-fci4",
"resourceGroup": "demo3",
"subject": "system:serviceaccount:js-namespace:js-sa",
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f59109e85e0>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 0.962 seconds (init: 0.135, invoke: 0.827)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4062 in cache file under /home/gary/.azure/telemetry/20250604113658422
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.12/site-packages/azure/cli/telemetry/init.py /home/gary/.azure /home/gary/.azure/telemetry/20250604113658422"
telemetry.process: Return from creating process 6053
telemetry.main: Finish creating telemetry upload process.
gary@MS-PLUMBRIDGE3:/mnt/c/Users/gplumbridge$ az identity federated-credential create --name js-fci4 --identity-name js-uai-sse --resource-group demo3 --issuer https://unitedkingdom.oic.prod-arc.azure.com/fa70992e-c529-440b-ba3e-8e4db061d63d/b1383592-c1be-4922-9587-7463b385547c/ --subject system:serviceaccount:js-namespace:js-sa --debug
cli.knack.cli: Command arguments: ['identity', 'federated-credential', 'create', '--name', 'js-fci4', '--identity-name', 'js-uai-sse', '--resource-group', 'demo3', '--issuer', 'https://unitedkingdom.oic.prod-arc.azure.com/fa70992e-c529-440b-ba3e-8e4db061d63d/b1383592-c1be-4922-9587-7463b385547c/', '--subject', 'system:serviceaccount:js-namespace:js-sa', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f238d10f9c0>, <function OutputProducer.on_global_arguments at 0x7f238ce5a8e0>, <function CLIQuery.on_global_arguments at 0x7f238ce9fe20>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'identity': ['azure.cli.command_modules.identity']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: identity 0.270 2 11
cli.azure.cli.core: Total (1) 0.270 2 11
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 2 groups, 11 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : identity federated-credential create
cli.azure.cli.core: Command table: identity federated-credential create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f238c0d02c0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/gary/.azure/commands/2025-06-04.11-37-29.identity_federated-credential_create.6057.log'.
az_command_data_logger: command args: identity federated-credential create --name {} --identity-name {} --resource-group {} --issuer {} --subject {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7f238c12f060>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7f238c12f100>, <function register_cache_arguments..add_cache_arguments at 0x7f238c12f240>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x7f238c12f2e0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f238ce5a980>, <function CLIQuery.handle_query_parameter at 0x7f238ce9fec0>, <function register_ids_argument..parse_ids_arguments at 0x7f238c12f1a0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/gary/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/gary/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d
msal.authority: openid_config("https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/fa70992e-c529-440b-ba3e-8e4db061d63d/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: e927510b-3944-496e-89cb-b2967e2750bf
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/f980c412-9931-40d8-b260-c52da8d8adbc/resourceGroups/demo3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/js-uai-sse/federatedIdentityCredentials/js-fci4?api-version=2025-01-31-preview'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '204'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'e9cc9448-412f-11f0-8efb-47356ed342e0'
cli.azure.cli.core.sdk.policies: 'CommandName': 'identity federated-credential create'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--name --identity-name --resource-group --issuer --subject --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.74.0 (DEB) azsdk-python-core/1.31.0 Python/3.12.10 (Linux-5.15.153.1-microsoft-standard-WSL2-x86_64-with-glibc2.35)'
cli.azure.cli.core.sdk.policies: 'Authorization': ''
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"issuer": "https://unitedkingdom.oic.prod-arc.azure.com/fa70992e-c529-440b-ba3e-8e4db061d63d/b1383592-c1be-4922-9587-7463b385547c/", "subject": "system:serviceaccount:js-namespace:js-sa"}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/f980c412-9931-40d8-b260-c52da8d8adbc/resourceGroups/demo3/providers/Microsoft.ManagedIdentity/userAssignedIdentities/js-uai-sse/federatedIdentityCredentials/js-fci4?api-version=2025-01-31-preview HTTP/1.1" 400 143
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '143'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'x-ms-operation-identifier': 'tenantId=fa70992e-c529-440b-ba3e-8e4db061d63d,objectId=30948278-d097-48b3-be96-f09cd3cb3f25/uksouth/5ee59360-bb3e-4f7e-8e62-fe117ac12926'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '199'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-global-writes': '2999'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'ed8dd38e-cd70-4df1-b042-62902dd9c52f'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': 'ed8dd38e-cd70-4df1-b042-62902dd9c52f'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'UKSOUTH:20250604T103729Z:ed8dd38e-cd70-4df1-b042-62902dd9c52f'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 7A561739BC374260A86ED9CD6AEE485A Ref B: DB3EDGE3114 Ref C: 2025-06-04T10:37:29Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Wed, 04 Jun 2025 10:37:29 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"InvalidFederatedIdentityCredentialsAudienceLength","message":"Federated identity credentials must have exactly 1 audience."}}
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/opt/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 666, in execute
raise ex
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 734, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/init.py", line 703, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/aaz/_command.py", line 155, in call
return self._handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/identity/aaz/latest/identity/federated_credential/_create.py", line 36, in _handler
self._execute_operations()
File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/identity/aaz/latest/identity/federated_credential/_create.py", line 109, in _execute_operations
self.FederatedIdentityCredentialsCreateOrUpdate(ctx=self.ctx)()
File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/identity/aaz/latest/identity/federated_credential/_create.py", line 133, in call
return self.on_error(session.http_response)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.12/site-packages/azure/cli/core/aaz/_operation.py", line 327, in on_error
raise HttpResponseError(response=response, error_format=error_format)
azure.core.exceptions.HttpResponseError: (InvalidFederatedIdentityCredentialsAudienceLength) Federated identity credentials must have exactly 1 audience.
Code: InvalidFederatedIdentityCredentialsAudienceLength
Message: Federated identity credentials must have exactly 1 audience.
cli.azure.cli.core.azclierror: (InvalidFederatedIdentityCredentialsAudienceLength) Federated identity credentials must have exactly 1 audience.
Code: InvalidFederatedIdentityCredentialsAudienceLength
Message: Federated identity credentials must have exactly 1 audience.
az_command_data_logger: (InvalidFederatedIdentityCredentialsAudienceLength) Federated identity credentials must have exactly 1 audience.
Code: InvalidFederatedIdentityCredentialsAudienceLength
Message: Federated identity credentials must have exactly 1 audience.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f238c0d0540>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 1.157 seconds (init: 0.343, invoke: 0.814)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4349 in cache file under /home/gary/.azure/telemetry/20250604113729971
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.12/site-packages/azure/cli/telemetry/init.py /home/gary/.azure /home/gary/.azure/telemetry/20250604113729971"
telemetry.process: Return from creating process 6062
telemetry.main: Finish creating telemetry upload process.`
Expected behavior
--audience has a default of api://AzureADTokenExchange so that az identity federated-credential create does not need an --audience parameter.
Environment Summary
{
"azure-cli": "2.74.0",
"azure-cli-core": "2.74.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"connectedk8s": "1.10.7",
"k8s-extension": "1.6.5"
}
}
Additional context
No response