Azure / azure-cli

Azure Command-Line Interface
MIT License

Elasticsearch deployment automation does not work anymore #27993

Open thesse1 opened 11 months ago

thesse1 commented 11 months ago

Describe the bug

I have been using Terraform for setting up my Azure infrastructure including an instance of Managed Elasticsearch for several months, and it has always been working fine until yesterday (08.12.23) morning CET. It failed for the first time yesterday (08.12.23) afternoon, and it has failed ever since.

Please find the Terraform configuration of a repro case in the attachment.

Since yesterday afternoon, it would always complain:

│ Error: creating Monitor (Subscription: "309065ca-a060-4592-8096-b74694126b61"
│ Resource Group Name: "azure-demo-01-monitoring-rg"
│ Monitor Name: "azure-demo-01-elasticsearch"): performing MonitorsCreate: unexpected status 400 with error: BadRequest: Cannot proceed with the request as the user is not authorized
│
│   with module.monitoring.azurerm_elastic_cloud_elasticsearch.default,
│   on monitoring\monitoring-elasticsearch.tf line 1, in resource "azurerm_elastic_cloud_elasticsearch" "default":
│    1: resource "azurerm_elastic_cloud_elasticsearch" "default" {

Yes, I am the owner of the resource group, and Terraform is working fine for dozens of other resources. Yes, I can log in to Elastic Cloud with my Microsoft account THES@softwareag.com. Yes, I can create an Elasticsearch instance in the same RG with the same resource configuration with the same user in Azure portal.

I have tried the Terraform script with location westeurope, eastus and southeastasia. Same result.

I have tried creating the resource using Azure CLI:

az elastic monitor create -n test-elasticsearch -g azure-demo-01-monitoring-rg --user-info "{firstName:Thomas,lastName:Hesse,companyName:'Software AG',emailAddress:THES@softwareag.com}" --sku "{name:ess-consumption-2024_Monthly@TIDgmz7xq9ge3py}"

Result:

(BadRequest) Cannot proceed with the request as the user is not authorized
Code: BadRequest
Message: Cannot proceed with the request as the user is not authorized

I have exported an ARM template in the Azure Portal, cf. attachment. I can create the resource using the template in the Azure Portal, but it fails when I try the following:

az deployment group create --resource-group azure-demo-01-monitoring-rg --template-file ExportedTemplate-azure-demo-01-elasticsearch.json --parameters @ExportedTemplate-azure-demo-01-elasticsearch-parameters.json

Result:

{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/309065ca-a060-4592-8096-b74694126b61/resourceGroups/azure-demo-01-monitoring-rg/providers/Microsoft.Resources/deployments/ExportedTemplate-azure-demo-01-elasticsearch","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"BadRequest","message":"Cannot proceed with the request as the user is not authorized"}]}}

I have even tried calling the Azure Management API:

PUT https://management.azure.com/subscriptions/309065ca-a060-4592-8096-b74694126b61/resourceGroups/azure-demo-01-monitoring-rg/providers/Microsoft.Elastic/monitors/test-elasticsearch?api-version=2023-02-01-preview
{"location":"westeurope","properties":{"monitoringStatus":"Enabled","userInfo":{"emailAddress":"THES@softwareag.com"}},"sku":{"name":"ess-consumption-2024_Monthly@TIDgmz7xq9ge3py"},"tags":{}}

Result:

Status 400
{
    "error": {
        "code": "BadRequest",
        "message": "Cannot proceed with the request as the user is not authorized"
    }
}

I have tried multiple versions of the API.

Yes, I am using a valid token, the API is working fine for other resource types.

Currently I see no way of setting up the resource automatically. Please help!

Best regards, Thomas

Related command

az elastic monitor create

Errors

(BadRequest) Cannot proceed with the request as the user is not authorized
Code: BadRequest
Message: Cannot proceed with the request as the user is not authorized

Issue script & Debug output

az elastic monitor create -n test-elasticsearch -g azure-demo-01-monitoring-rg --user-info "{firstName:Thomas,lastName:Hesse,companyName:'Software AG',emailAddress:THES@softwareag.com}" --sku "{name:ess-consumption-2024_Monthly@TIDgmz7xq9ge3py}" --debug &> debug.txt


Expected behavior

It should create a Managed Elasticsearch instance.

Environment Summary

azure-cli 2.55.0

core 2.55.0
telemetry 1.1.0

Extensions:
aks-preview 0.5.154
amg 1.2.7
azure-devops 0.26.0
elastic 1.0.0b1

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\THES.azure\cliextensions'

Python (Windows) 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:21:31) [MSC v.1936 32 bit (Intel)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

yonzhan commented 11 months ago

Thank you for opening this issue, we will look into it.

thesse1 commented 11 months ago

Some more results of my analysis:

Maybe this is causing the issue? Please note that my Elastic Cloud username is THES@softwareag.com. Are you taking the Elastic Cloud username from the unique_name claim of the token and not from the userInfo.emailAddress of the request body? Or are you forwarding the token to Elastic Cloud? (I hope not…)

Anyhow: How can I log in to Azure CLI in such a way that Terraform and az elastic monitor create are working locally again?

JWT_Payload_Local.json JWT_Payload_Cloud_Shell.json
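
Added example, not part of the issue thread or of azure-cli: the comparison the comment above describes, between the identity claims of the token the local CLI holds and the one Cloud Shell holds, and against the `userInfo.emailAddress` sent in the request body. The function names and the sample tokens are assumptions constructed for illustration; the claim values are not those of the attached JSON files.

```python
import base64
import json

# Identity-bearing claims found in Microsoft Entra ID (Azure AD) access tokens.
IDENTITY_CLAIMS = ("unique_name", "upn", "email", "preferred_username", "tid", "oid")
USERNAME_CLAIMS = ("unique_name", "upn", "email", "preferred_username")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    For local inspection only; never base an authorization decision on this.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def diff_identity_claims(a: dict, b: dict, claims=IDENTITY_CLAIMS) -> dict:
    """Map each identity claim that differs to its (a, b) values; None means absent."""
    return {c: (a.get(c), b.get(c)) for c in claims if a.get(c) != b.get(c)}


def match_email(claims: dict, email: str, names=USERNAME_CLAIMS) -> dict:
    """Classify how each user-name claim relates to the request body's emailAddress."""
    result = {}
    for name in names:
        value = claims.get(name)
        if value is None:
            result[name] = "absent"
        elif value == email:
            result[name] = "exact"
        elif isinstance(value, str) and value.casefold() == email.casefold():
            result[name] = "case-insensitive"
        else:
            result[name] = "mismatch"
    return result


def _sample_token(claims: dict) -> str:
    # Constructed, unsigned sample; a real token carries a signature in segment 3.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample data (placeholders, not taken from the issue's attachments).
LOCAL_TOKEN = _sample_token({
    "unique_name": "jane.doe@example.com",
    "tid": "tenant-placeholder", "oid": "object-placeholder"})
CLOUD_SHELL_TOKEN = _sample_token({
    "unique_name": "JANE.DOE@example.com", "upn": "JANE.DOE@example.com",
    "tid": "tenant-placeholder", "oid": "object-placeholder"})
REQUEST_EMAIL = "JANE.DOE@example.com"  # stands in for userInfo.emailAddress

if __name__ == "__main__":
    local = decode_jwt_payload(LOCAL_TOKEN)
    cloud = decode_jwt_payload(CLOUD_SHELL_TOKEN)
    print("claims that differ:", json.dumps(diff_identity_claims(local, cloud), indent=2))
    print("local vs emailAddress:", match_email(local, REQUEST_EMAIL))
    print("cloud vs emailAddress:", match_email(cloud, REQUEST_EMAIL))
```

A real token for the same audience can be obtained with `az account get-access-token --resource https://management.azure.com --query accessToken -o tsv`; treat it as a credential and keep it out of logs and issue attachments.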

microsoft-github-policy-service[bot] commented 11 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @josephkwchan, @jennyhunter-msft.