[BUG] RoleAssignment not working with Java but works through AZ CLI

[nebojsa-db]

Describe the bug
I'm trying to assign role to Managed Identity with precise scope to storage account / container level and it fails that I don't have enough permission to do so, even though my principal has custom role assigned which allows granting roles to Service Principals.

Code snippet (Not working):

Az CLI (working):
az role assignment create --assignee-object-id <object_id> --assignee-principal-type ServicePrincipal --role "Storage Blob Data Contributor" --scope /subscriptions//resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/nebojsaazurebucket123/blobServices/default/containers/testcontainer

My principal does not have GraphAPI permissions, thats why it is needed for AZ CLI to use --assignee-object-id and assignee-principal-type, does Java SDK require graph api permissions?

Exception or Stack Trace
Status code 403, "{"error":{"code":"AuthorizationFailed","message":"The client '90516a84-d215-479d-b7f4-0ee01b47ab84' with object id '90516a84-d215-479d-b7f4-0ee01b47ab84' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<subsc_id>/resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/nebojsaazurebucket123/providers/Microsoft.Authorization/roleAssignments/roleAssignmentName' or the scope is invalid. If access was recently granted, please refresh your credentials."}}"

[XiaofeiCao]

Azure CLI and Java SDK should be using the same API.

Did you authenticate CLI and SDK using the same identity(assigner, not assignee)?

[github-actions]

Hi @nebojsa-db. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

[nebojsa-db]

Hi @XiaofeiCao, thanks for the response!

So the scenario was next:

1. We are using SP which has custom role configured that allows granting only "Storage Blob Data Contributor" role to only "Service Principals" (so role has condition assigned to it)
2. We are granting permissions to Managed Identity created as part of "Azure Databricks Access Connector"

Granting permissions worked through AzCLI, and failed through Java SDK API. We fixed the issue by removing condition from the role assignment.
Might have something to do with condition allowing roles to be assigned only to ServicePrincipal type, and in AzCLI command you explicitly provide principalType as parameter.

Edit:
Yes, we are using same SP in both cases.

[XiaofeiCao]

@nebojsa-db That's strange... CLI and SDK should be using the same API...

Would you help append --debug to your CLI command and try if you could tell from the output what API they called?