Azure / azure-cli

Azure Command-Line Interface
MIT License

Creating service principal failed - When using this permission, the backing application of the service principal being created must in the local tenant #14767

Closed gischethans closed 3 years ago

gischethans commented 4 years ago

When creating a service principal in the Azure US Government Cloud (I did not face the issue with Azure Public Cloud) with Azure CLI, I see the error "When using this permission, the backing application of the service principal being created must in the local tenant". This appears intermittently and the operation succeeds in the next one or two attempts.

Command Name az ad sp create-for-rbac

Errors:

Creating service principal failed for appid 'http://chethan1-sp'. Trace followed:
{'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8', 'Expires': '-1', 'ocp-aad-diagnostics-server-name': 'AX01WP8UrUZ+t1UfXh+CNVWXjkMVa+MRGWdcQJOSriA=', 'request-id': '8aa1f2d0-6f89-4c2c-81b8-aa9549229b9d', 'client-request-id': 'ce0ca1c0-dd44-11ea-80e4-00155d105809', 'x-ms-dirapi-data-contract-version': '1.6', 'ocp-aad-session-key': 'nOb19qb35xGesfB0mYy06u-CrMjhmNw8HNHKMTHy7icX2x2Rmiba_l-1z0xhZsPFTtnlkWTMpsRKrKUB7QDvx_GPr8A2SCrchMZsAJ3x6SXu7Mv_6E37q79Tb8WMCJOeiuGDMae6XqSqalb57jtujSnuOYnfkW-t6bHQQbGmK3v0oCK3gnHf3YmAAToCQ3EqYoqDYJb2hE0SbtPUOvKog.zODOfl-Y-xOarA46pFF-7YnuA3J-dCaM3TCle03YWAE', 'DataServiceVersion': '3.0;', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'Access-Control-Allow-Origin': '*', 'Duration': '1374142, 13351672', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET', 'Date': 'Thu, 13 Aug 2020 09:10:23 GMT', 'Content-Length': '284'}
When using this permission, the backing application of the service principal being created must in the local tenant

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information. Run this command - az ad sp create-for-rbac --name http://chethan1-sp --role Contributor --scopes /subscriptions/<subscription id>

The first attempt often resulted in the error shown above. The next attempt was mostly successful like below -

az ad sp create-for-rbac --name http://chethan1-sp --role Contributor --scopes /subscriptions/<subscription id>
Found an existing application instance of "1bb1c184-b9bc-4ecf-a96c-07f1637xxxxx". We will patch it
Creating a role assignment under the scope of "/subscriptions/<subscription id>"
{
  "appId": "<value>",
  "displayName": "chethan1-sp",
  "name": "http://chethan1-sp",
  "password": "<value>",
  "tenant": "<value>"
}

Expected Behavior

The service principal is created successfully.

Environment Summary

Linux-4.4.0-18362-Microsoft-x86_64-with-debian-bullseye-sid
Python 3.6.10
Installer: DEB

azure-cli 2.10.1

Additional Context

yonzhan commented 4 years ago

add to S175

tejado commented 4 years ago

I'm facing this in Azure Public Cloud (North Europe). This appears intermittently and the operation succeeds in the next one or two attempts.

ryanhofdotgov commented 3 years ago

I've encountered the same error if I call az ad app create... and then immediately call az ad sp create... using the newly created app registration id.

I worked around it by pausing my script for 60 seconds in between the commands. It's a hack I've had to use in several other places in my infrastructure-as-code.

jiasli commented 3 years ago

@gischethans, I previously commented at https://github.com/Azure/azure-cli/issues/14086#issuecomment-671685599 for this issue. It was also discussed at https://github.com/Azure/azure-cli/issues/7375#issuecomment-423410402.

This error message:

When using this permission, the backing application of the service principal being created must in the local tenant

is not the same as the public cloud's exception:

... does not reference ... ... does not exist ...

So it bypasses the retryable check:

https://github.com/Azure/azure-cli/blob/88a6056229413f3a8326a2fe295a10d1daceb09d/src/azure-cli/azure/cli/command_modules/role/custom.py#L1455-L1456

I am considering maybe we can loosen the check and also decrease

https://github.com/Azure/azure-cli/blob/88a6056229413f3a8326a2fe295a10d1daceb09d/src/azure-cli/azure/cli/command_modules/role/custom.py#L1396

So that all kinds of exceptions can be retried. Just thinking...
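The retry idea above, as an added illustration that is not azure-cli's own code: a wrapper that treats all three replication-delay messages quoted in this thread (the two public-cloud substrings the CLI already matches plus the US Government "must in the local tenant" text) as retryable with a bounded, doubling back-off, while still surfacing genuine errors immediately. The `create_sp` callable and the `FlakyCreator` stand-in are hypothetical; the CLI's real `_RETRY_TIMES` value and client calls are not reproduced here.

```python
import time

# Error substrings observed in this thread that indicate AAD replication delay.
# The first two are what the public-cloud retryable check matches; the third is
# the US Government cloud message that bypasses that check today.
RETRYABLE_MARKERS = (
    "does not reference",
    "does not exist",
    "must in the local tenant",
)


def is_retryable(message: str) -> bool:
    """True if the error text looks like a transient AAD replication-delay error."""
    return any(marker in message for marker in RETRYABLE_MARKERS)


def create_sp_with_retry(create_sp, retry_times=5, base_delay=1.0, sleep=time.sleep):
    """Call create_sp() until it succeeds, a non-retryable error occurs, or the budget runs out.

    create_sp is a hypothetical zero-argument callable that performs the service
    principal creation. Non-retryable errors (e.g. missing privileges) are raised
    at once; retryable ones wait base_delay * 2**attempt seconds before retrying,
    so the total wait grows to cover the usual replication lag.
    """
    last_exc = None
    for attempt in range(retry_times):
        try:
            return create_sp()
        except Exception as exc:  # classified purely by message text, as the CLI does
            if not is_retryable(str(exc)):
                raise
            last_exc = exc
            sleep(base_delay * (2 ** attempt))
    raise RuntimeError(
        f"service principal creation failed after {retry_times} attempts") from last_exc


class FlakyCreator:
    """Constructed stand-in for the creation call: fails `failures` times with
    `message`, then succeeds. Counts attempts so the retry behaviour can be checked."""

    def __init__(self, failures, message):
        self.failures, self.message, self.calls = failures, message, 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise Exception(self.message)
        # Constructed placeholder result; a real call returns the created principal.
        return {"appId": "00000000-0000-0000-0000-000000000000", "displayName": "example-sp"}
```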

jiasli commented 3 years ago

@tejado, could you share the exception you are seeing? Is it the same as @gischethans's?

jiasli commented 3 years ago

@ryanhofdotgov, it is expected that calling az ad sp create immediately after az ad app create may fail. Please see https://github.com/Azure/azure-cli/issues/14086#issuecomment-671685599 for an explanation and the retry logic.

bmc-msft commented 3 years ago

Note, I'm seeing this on the public cloud.

one-ideaed commented 1 year ago

Today I experienced this issue on azure-cli 2.52.0 when calling az ad sp create right after az ad app create. Is it realistic that _RETRY_TIMES was exceeded?

zshao9 commented 11 months ago

This error message about tenant is a red herring.

The root cause is here: https://stackoverflow.com/questions/60004010/creating-service-principal-for-azure-cdn-is-failing-with-tenant-permission-error

In short, we need AAD Administrative Roles, not RBAC roles (which are used for resources).

YounesElhamssInventio commented 3 months ago

What if I'm using application permissions? How do I then fix the missing AAD administrative roles?