Open hansixxxx opened 7 months ago
Hi @hansixxxx
Find similar issue https://github.com/Azure/azure-cli/issues/25421.

| Issue title | azure.cli.core.azclierror.HTTPError: Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError" |
|---|---|
| Create time | 2023-02-10 |
| Comment number | 1 |
Possible solution: To solve the issue, you can try specifying the object id directly instead of using the user principal. You can use the following command to set the policy for the key vault:
az keyvault set-policy --name {Kevault_name} --secret-permissions get list --object-id {UserPrincipalOID}
Make sure that the service principal has the required permissions to complete the operation.
Please confirm if this resolves your issue.
Thank you for opening this issue, we will look into it.
thanks... the bot's reply didn't help
any news here?
Describe the bug
I want to use az rest to call graph and set a value from false to true. The related endpoint is "https://graph.microsoft.com/v1.0/policies/authorizationPolicy". From my local machine (macOS) I can run this command and the setting gets updated. The same command from azure cli in the same user account gets an error because of less permissions.
Related command
az rest --method patch --url "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" --body "{"defaultUserRolePermissions":{ "allowedToCreateTenants":true }}" --headers "Content-Type=application/json"
Errors
Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-04-08T14:04:52","request-id":"6f4815be-74a3-43e5-9431-1c0261e19239","client-request-id":"6f4815be-74a3-43e5-9431-1c0261e19239"}}})
Issue script & Debug output
Request URL: 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'
Request method: 'PATCH'
Request headers:
    'User-Agent': 'python/3.9.19 (Linux-5.10.102.2-microsoft-standard-x86_64-with-glibc2.35) AZURECLI/2.59.0 (RPM) cloud-shell/1.0'
    'Accept-Encoding': 'gzip, deflate'
    'Accept': '/'
    'Connection': 'keep-alive'
    'Content-Type': 'application/json'
    'x-ms-client-request-id': 'dd1d3244-e2a1-41a3-a7fc-75c824e9fd3f'
    'CommandName': 'rest'
    'ParameterSetName': '--method --url --body --headers --verbose'
    'Authorization': 'Bearer eyJ0eXAiOiJKV...'
    'Content-Length': '60'
Request body:
{defaultUserRolePermissions:{ allowedToCreateTenants:true }}
Response status: 403
Response headers:
    'Cache-Control': 'no-cache'
    'Transfer-Encoding': 'chunked'
    'Content-Type': 'application/json'
    'Content-Encoding': 'gzip'
    'Vary': 'Accept-Encoding'
    'Strict-Transport-Security': 'max-age=31536000'
    'request-id': 'c5566129-a720-41d5-9dbd-9481072d1bbf'
    'client-request-id': 'c5566129-a720-41d5-9dbd-9481072d1bbf'
    'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"AM2PEPF0000BE27"}}'
    'x-ms-resource-unit': '1'
    'Date': 'Mon, 08 Apr 2024 14:09:08 GMT'
Response content:
{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-04-08T14:09:08","request-id":"c5566129-a720-41d5-9dbd-9481072d1bbf","client-request-id":"c5566129-a720-41d5-9dbd-9481072d1bbf"}}}
Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-04-08T14:09:08","request-id":"c5566129-a720-41d5-9dbd-9481072d1bbf","client-request-id":"c5566129-a720-41d5-9dbd-9481072d1bbf"}}})
Command ran in 0.694 seconds (init: 0.183, invoke: 0.512)
Suppress exception:
Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/__main__.py", line 62, in <module>
    raise ex
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/__main__.py", line 55, in <module>
    sys.exit(exit_code)
SystemExit: 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/decorators.py", line 79, in _wrapped_func
    return func(*args, **kwargs)
  File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/telemetry.py", line 126, in generate_payload
    payload = json.dumps(self.events, separators=(',', ':'))
  File "/usr/lib/python3.9/json/__init__.py", line 234, in dumps
    return cls(
  File "/usr/lib/python3.9/json/encoder.py", line 199, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "/usr/lib/python3.9/json/encoder.py", line 257, in iterencode
    return _iterencode(o, 0)
  File "/usr/lib/python3.9/json/encoder.py", line 179, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type HTTPError is not JSON serializable
Expected behavior
same as in local terminal... just run and see the changes
Environment Summary
local:
luca@macbookproluca ~ az --version
azure-cli 2.59.0
core 2.59.0
telemetry 1.1.0
Extensions:
account 0.2.5
Dependencies:
msal 1.27.0
azure-mgmt-resource 23.1.0b2
Python location '/opt/homebrew/Cellar/azure-cli/2.59.0/libexec/bin/python'
Extensions directory '/Users/luca/.azure/cliextensions'
Python (Darwin) 3.11.8 (main, Feb 6 2024, 21:21:21) [Clang 15.0.0 (clang-1500.1.0.2.5)]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Cloud Shell:
luca [ ~ ]$ az --version
azure-cli 2.59.0
core 2.59.0
telemetry 1.1.0
Extensions:
ai-examples 0.2.5
ml 2.25.0
ssh 2.0.3
Dependencies:
msal 1.27.0
azure-mgmt-resource 23.1.0b2
Python location '/usr/bin/python3.9'
Extensions directory '/home/luca/.azure/cliextensions'
Extensions system directory '/usr/lib/python3.9/site-packages/azure-cli-extensions'
Python (Linux) 3.9.19 (main, Mar 28 2024, 18:56:59) [GCC 11.2.0]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
No response
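The debug output in this issue shows a request body without quotation marks and a Content-Length of 60. The following added example (not part of the issue, and not Azure CLI code) uses Python's shlex to reproduce POSIX quote removal on the posted command and checks whether the resulting --body value parses as JSON; the single-quoted variant and the function names are constructed here for comparison.

```python
import json
import shlex

# Command line as posted in the issue: the JSON body sits inside double
# quotes and itself contains double quotes.
AS_POSTED = (
    'az rest --method patch '
    '--url "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" '
    '--body "{"defaultUserRolePermissions":{ "allowedToCreateTenants":true }}" '
    '--headers "Content-Type=application/json"'
)

# Constructed variant (not from the issue): the same body in single quotes.
SINGLE_QUOTED = (
    'az rest --method patch '
    '--url "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" '
    "--body '{\"defaultUserRolePermissions\":{ \"allowedToCreateTenants\":true }}' "
    '--headers "Content-Type=application/json"'
)


def body_argument(command_line):
    """Return the word a POSIX shell would hand to az as the --body value."""
    argv = shlex.split(command_line)  # POSIX word splitting and quote removal
    return argv[argv.index("--body") + 1]


def check_body(command_line):
    """Report the body as passed, its size in bytes, and the parsed JSON (or None)."""
    body = body_argument(command_line)
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        parsed = None  # not valid JSON
    return {"body": body, "bytes": len(body.encode("utf-8")), "parsed": parsed}


if __name__ == "__main__":
    for label, cmd in (("as posted", AS_POSTED), ("single-quoted", SINGLE_QUOTED)):
        result = check_body(cmd)
        valid = result["parsed"] is not None
        print(f"{label}: {result['bytes']} bytes, valid JSON: {valid}")
        print(f"  {result['body']}")
```

The page does not establish whether the body format is related to the 403 response.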