Azure / azure-cli

Azure Command-Line Interface
MIT License
3.97k stars 2.95k forks

Az cli Command execution fails with "Insufficient privileges to complete the operation." error #27551

Open vamshicholleti93 opened 11 months ago

vamshicholleti93 commented 11 months ago

Describe the bug

I am trying to execute some Azure CLI commands, but it says "Insufficient privileges to complete the operation." When I checked my permissions in the Azure portal, I found that I have sufficient privileges to perform that action and am able to perform it through the portal, but I am not able to perform the same operation through "az cli".

Here is a screenshot of the list of roles assigned to me in the Azure portal.

image

Related command

az ad app create --display-name

Errors

Insufficient privileges to complete the operation.

image

Issue script & Debug output

[core@bastionNode ~]$ az ad app create --display-name vcanfdiskapp --debug
cli.knack.cli: Command arguments: ['ad', 'app', 'create', '--display-name', 'vcanfdiskapp', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f695d62cea0>, <function OutputProducer.on_global_arguments at 0x7f695d170f28>, <function CLIQuery.on_global_arguments at 0x7f695cf0b510>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: role                      0.008        17        61
cli.azure.cli.core: Total (1)                 0.008        17        61
cli.azure.cli.core: Loaded 17 groups, 61 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : ad app create
cli.azure.cli.core: Command table: ad app create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f695bea3510>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/core/.azure/commands/2023-10-09.19-10-34.ad_app_create.1619.log'.
az_command_data_logger: command args: ad app create --display-name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f695ba261e0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f695b9777b8>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f695b9778c8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f695d178048>, <function CLIQuery.handle_query_parameter at 0x7f695cf0b598>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f695b977840>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/core/.azure/service_principal_entries.json', encrypt=False
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/core/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/core/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/11cd40ba-885a-4417-9555-204fc704fa00/kerberos', 'tenant_region_scope': 'NA', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Region to be used: None
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://graph.microsoft.com//.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: b31b33a6-c281-4e5d-b929-7b4173324690
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications?$filter=startswith%28displayName%2C%27vcanfdiskapp%27%29'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util:     'User-Agent': 'python/3.6.8 (Linux-3.10.0-1062.1.1.el7.x86_64-x86_64-with-redhat-7.7-Maipo) AZURECLI/2.38.1 (RPM)'
cli.azure.cli.core.util:     'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util:     'Accept': '*/*'
cli.azure.cli.core.util:     'Connection': 'keep-alive'
cli.azure.cli.core.util:     'x-ms-client-request-id': '2e65e15a-54c5-4214-9864-f9f6e5c138e6'
cli.azure.cli.core.util:     'CommandName': 'ad app create'
cli.azure.cli.core.util:     'ParameterSetName': '--display-name --debug'
cli.azure.cli.core.util:     'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/applications?$filter=startswith%28displayName%2C%27vcanfdiskapp%27%29 HTTP/1.1" 403 None
cli.azure.cli.core.util: Response status: 403
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util:     'Cache-Control': 'no-cache'
cli.azure.cli.core.util:     'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util:     'Content-Type': 'application/json'
cli.azure.cli.core.util:     'Content-Encoding': 'gzip'
cli.azure.cli.core.util:     'Vary': 'Accept-Encoding'
cli.azure.cli.core.util:     'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util:     'request-id': '1380e3c2-9ee9-4448-9fd2-2f92dba11242'
cli.azure.cli.core.util:     'client-request-id': '1380e3c2-9ee9-4448-9fd2-2f92dba11242'
cli.azure.cli.core.util:     'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"1","ScaleUnit":"003","RoleInstance":"CO1PEPF00004A9A"}}'
cli.azure.cli.core.util:     'x-ms-resource-unit': '2'
cli.azure.cli.core.util:     'Date': 'Mon, 09 Oct 2023 19:10:34 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-10-09T19:10:34","request-id":"1380e3c2-9ee9-4448-9fd2-2f92dba11242","client-request-id":"1380e3c2-9ee9-4448-9fd2-2f92dba11242"}}}
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 53, in _send
    body=body)
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/util.py", line 991, in send_raw_request
    raise HTTPError(reason, r)
azure.cli.core.azclierror.HTTPError: Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-10-09T19:10:34","request-id":"1380e3c2-9ee9-4448-9fd2-2f92dba11242","client-request-id":"1380e3c2-9ee9-4448-9fd2-2f92dba11242"}}})

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 697, in _run_job
    result = cmd_copy(params)
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 333, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 617, in create_application
    existing_apps = list_applications(cmd, client, display_name=display_name)
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/custom.py", line 753, in list_applications
    result = client.application_list(filter=' and '.join(sub_filters) if sub_filters else None)
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 86, in application_list
    result = self._send("GET", "/applications" + _filter_to_query(filter))
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 55, in _send
    raise GraphError(ex.response.json()['error']['message'], ex.response) from ex
azure.cli.command_modules.role._msgrpah._graph_client.GraphError: Insufficient privileges to complete the operation.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.6/site-packages/knack/cli.py", line 231, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 663, in execute
    raise ex
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 718, in _run_job
    return cmd_copy.exception_handler(ex)
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/command_modules/role/commands.py", line 53, in graph_err_handler
    raise CLIError(ex)
knack.util.CLIError: Insufficient privileges to complete the operation.

cli.azure.cli.core.azclierror: Insufficient privileges to complete the operation.
az_command_data_logger: Insufficient privileges to complete the operation.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f695bea3730>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 0.584 seconds (init: 0.181, invoke: 0.403)
cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/__main__.py", line 60, in <module>
    raise ex
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/__main__.py", line 53, in <module>
    sys.exit(exit_code)
SystemExit: 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/decorators.py", line 79, in _wrapped_func
    return func(*args, **kwargs)
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/telemetry.py", line 307, in set_custom_properties
    actual_value = value() if hasattr(value, '__call__') else value
  File "/usr/lib64/az/lib/python3.6/site-packages/azure/cli/core/telemetry.py", line 183, in <lambda>
    lambda: '{},{}'.format(locale.getdefaultlocale()[0], locale.getdefaultlocale()[1]))
  File "/usr/lib64/python3.6/locale.py", line 562, in getdefaultlocale
    return _parse_localename(localename)
  File "/usr/lib64/python3.6/locale.py", line 490, in _parse_localename
    raise ValueError('unknown locale: %s' % localename)
ValueError: unknown locale: UTF-8

telemetry.save: Save telemetry record of length 3058 in cache
telemetry.check: Returns Positive.
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3.6 /usr/lib64/az/lib/python3.6/site-packages/azure/cli/telemetry/__init__.py /home/core/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

On execution of the below command, it should create an app registration successfully.

Environment Summary

[core@bastionNode ~]$ az --version
azure-cli                         2.38.1 *

core                              2.38.1 *
telemetry                          1.0.6 *

Dependencies:
msal                            1.18.0b1
azure-mgmt-resource             21.1.0b1

Python location '/usr/bin/python3.6'
Extensions directory '/home/core/.azure/cliextensions'

Python (Linux) 3.6.8 (default, May 30 2023, 08:41:09) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]

Legal docs and information: aka.ms/AzureCliLegal

You have 3 updates available. Consider updating your CLI installation with 'az upgrade'

Please let us know how we are doing: https://aka.ms/azureclihats
and let us know if you're interested in trying out our newest features: https://aka.ms/CLIUXstudy
[core@bastionNode ~]$ 

Additional context

I am also trying to refer to the az cli docs to create an app registration, create a custom role and assign the custom role to it, but I could not find any docs related to the above topics.

This link is not active: https://learn.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli. It shows a "404 - Page not found" error.

image

azure-client-tools-bot-prd[bot] commented 11 months ago

Hi @vamshicholleti93,

2.38.1 is not the latest Azure CLI (2.53.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 11 months ago

Thank you for opening this issue, we will look into it.

vamshicholleti93 commented 11 months ago

I am trying to update az cli but am not able to upgrade it.

[core@bastionNode ~]$ 
[core@bastionNode ~]$ az --version
azure-cli                         2.38.1 *

core                              2.38.1 *
telemetry                          1.0.6 *

Dependencies:
msal                            1.18.0b1
azure-mgmt-resource             21.1.0b1

Python location '/usr/bin/python3.6'
Extensions directory '/home/core/.azure/cliextensions'

Python (Linux) 3.6.8 (default, Jun 12 2019, 01:12:31) 
[GCC 8.2.1 20180905 (Red Hat 8.2.1-3)]

Legal docs and information: aka.ms/AzureCliLegal

You have 3 updates available. Consider updating your CLI installation with 'az upgrade'

Please let us know how we are doing: https://aka.ms/azureclihats
and let us know if you're interested in trying out our newest features: https://aka.ms/CLIUXstudy
[core@bastionNode ~]$ 
[core@bastionNode ~]$ 
[core@bastionNode ~]$ az upgrade
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Your current Azure CLI version is 2.38.1. Latest version available is 2.53.0.
Please check the release notes first: https://docs.microsoft.com/cli/azure/release-notes-azure-cli
Do you want to continue? (Y/n): Y
Last metadata expiration check: 0:19:57 ago on Tue 10 Oct 2023 05:07:04 AM UTC.
Dependencies resolved.
Nothing to do.
Complete!
CLI upgrade failed or aborted.

bebound commented 11 months ago

Insufficient privileges to complete the operation seems more like a usage fault than a bug. You may need to check the doc.

2.38.1 is the latest version in your OS. You can try the latest version in a modern OS to see if the error persists.

vamshicholleti93 commented 11 months ago

I upgraded the az version to 2.53. Even on the updated version I could see the same issue.

Could you please let me know the command to check the permissions, so that I can check and update the screenshot here?

Thanks

vamshicholleti93 commented 11 months ago

By the way, I am able to create an app registration using the UI. By this I can say that I have sufficient privileges to perform that operation. Using az-cli I face this issue, so could you please check and help me to resolve it? I need az cli commands to use in my automation scripts.

Thanks

vamshicholleti93 commented 11 months ago

Hi @yonzhan @bebound, could you please check my recent comments, let me know the reason for the issue and help me to resolve it?

Thanks
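
A triage helper for the `az --debug` output in the opening post, added here as an example (it is not part of the issue thread or of azure-cli): it extracts which credential class requested the token, the request that was sent, and the Graph error code. The log line shapes are the ones visible in that output, the sample is abridged from it, and the function names are hypothetical.

```python
import json
import re

# Constructed sample: lines abridged from the debug output in the opening post.
SAMPLE_LOG = """\
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://graph.microsoft.com//.default',), kwargs={}
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/applications?$filter=startswith%28displayName%2C%27vcanfdiskapp%27%29'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Response status: 403
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."}}
"""

CRED_RE = re.compile(r"msal_authentication: (\w+)Credential\.get_token: scopes=\((.*?)\),")
URL_RE = re.compile(r"Request URL: '([^']+)'")
METHOD_RE = re.compile(r"Request method: '([^']+)'")
STATUS_RE = re.compile(r"Response status: (\d{3})")
PREFIX = "cli.azure.cli.core.util: "


def summarize_debug_log(text):
    """Return one dict per HTTP exchange: which identity called what, and the result."""
    exchanges, current, identity, scopes = [], None, None, []
    for line in text.splitlines():
        if m := CRED_RE.search(line):
            # The credential class name tells a service principal login from a user login.
            identity = m.group(1)
            scopes = re.findall(r"'([^']+)'", m.group(2))
        elif m := URL_RE.search(line):
            current = {"identity": identity, "scopes": scopes, "url": m.group(1),
                       "method": None, "status": None, "error_code": None}
            exchanges.append(current)
        elif current is None:
            continue  # nothing to attach request/response details to yet
        elif m := METHOD_RE.search(line):
            current["method"] = m.group(1)
        elif m := STATUS_RE.search(line):
            current["status"] = int(m.group(1))
        elif line.startswith(PREFIX + '{"error"'):
            try:
                current["error_code"] = json.loads(line[len(PREFIX):])["error"]["code"]
            except (ValueError, KeyError, TypeError):
                current["error_code"] = "unparseable"
    return exchanges


def denied_calls(text):
    """Exchanges the API refused (401/403), the ones worth triaging."""
    return [e for e in summarize_debug_log(text) if e["status"] in (401, 403)]


if __name__ == "__main__":
    for e in denied_calls(SAMPLE_LOG):
        print(e["identity"], e["method"], e["url"].split("?")[0], e["status"], e["error_code"])
```

On the posted log this reports the 403 under `ServicePrincipal`: the Graph request carried a service principal's token, so the permissions that decide the outcome are the ones granted to that service principal. `az account show --query user` shows which identity the CLI is currently signed in as.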