Azure / azure-cli

Azure Command-Line Interface
MIT License

Create duplicated role for system managed identity. #28729

Open maye-msft opened 5 months ago

maye-msft commented 5 months ago

Describe the bug

To assign a role of MSI to access blob storage with the CLI as below.

resgrp="testresgrp2404"
region="southeastasia"
storage_account_name="teststorage2404"
vm_name="testvm2404"
vm_usr="azureuser"
vm_pwd="pwd2404!"
subscription_id="xxxx"

az group create --name $resgrp --location $region
az storage account create -n $storage_account_name -g $resgrp -l $region --sku Standard_LRS --kind BlobStorage --access-tier Hot
az vm create --resource-group $resgrp --name $vm_name --image win2016datacenter \
    --admin-username $vm_usr --admin-password  $vm_pwd
az vm identity assign -g $resgrp -n $vm_name --identities [system]
principal_id=$(az resource list -n $vm_name -g $resgrp --query [*].identity.principalId --out tsv)
az role assignment create --assignee $principal_id --role "Storage Blob Data Owner" \
    --scope subscriptions/$subscription_id/resourceGroups/$resgrp/providers/Microsoft.Storage/storageAccounts/$storage_account_name

This script runs successfully the 1st time, and then fails with a Python exception if it is run again, as the role assignment already exists. I hope it can be a managed error message rather than a Python error trace as below.

The command failed with an unexpected error. Here is the traceback:
list index out of range
Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 180, in create_role_assignment
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 204, in _create_role_assignment
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/_multi_api_adaptor.py", line 57, in create_role_assignment
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/mgmt/authorization/v2022_04_01/operations/_role_assignments_operations.py", line 902, in create
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/exceptions.py", line 112, in map_error
azure.core.exceptions.ResourceExistsError: (RoleAssignmentExists) The role assignment already exists.
Code: RoleAssignmentExists
Message: The role assignment already exists.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/role/custom.py", line 186, in create_role_assignment
IndexError: list index out of range
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues

Related command

az role assignment create

Expected behavior

It can be a managed error message rather than a Python error trace.

Environment Summary

azure-cli 2.58.0 *

core 2.58.0 *
telemetry 1.1.0

Extensions:
account 0.2.5
bastion 0.3.0

Dependencies:
msal 1.26.0
azure-mgmt-resource 23.1.0b2

azure-client-tools-bot-prd[bot] commented 5 months ago

Hi @maye-msft,

2.58.0 is not the latest Azure CLI (2.59.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 5 months ago

Thank you for opening this issue, we will look into it.

azure-client-tools-bot-prd[bot] commented 5 months ago

Hi @maye-msft,

Find similar issue https://github.com/Azure/azure-cli/issues/9868.

Issue title: az role assignment creating fails on role definitions which are valid on 1+ subscription
Create time: 2019-07-05
Comment number: 6

Possible solution: As per the existing issue, the error message "list index out of range" occurs when the role definition is applicable in both subscriptions. The suggested solution is to use the --role parameter with the full scope of the subscription where the role definition is applicable. For example, --role '/subscriptions/712330b2-aada-46a5-870a-070ed09927f3/providers/Microsoft.Authorization/roleDefinitions/a614ca30-22f5-5606-b5bf-9ea5669640e2'. This should enable deployment of role assignments across subscriptions.


Please confirm if this resolves your issue.

fidou commented 4 months ago

Hi, I'm using the latest version of the az cli (2.59.0) and having the exact same issue while doing a role assignment on a subscription level. The first time works like a charm and the second time throws the python error mentioned above. I also tried the workaround, which did not help.

fidou commented 4 months ago

Never mind. I had a typo in my command. I was using --scope subscriptions/$subscritpionId instead of --scope /subscriptions/$subscriptionId
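
Added example, not part of the thread and not azure-cli code: the last comment traces the failure to a --scope written without its leading slash, the same form the script in the original report passes. The functions below (hypothetical names) validate a subscription-level scope before it reaches the CLI and create the assignment only when `az role assignment list` finds none at that scope; other scope types are rejected by assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not azure-cli code.

# normalize_scope SCOPE
# Prints SCOPE with exactly one leading "/" and no trailing "/".
# Fails (status 1) on empty path segments, which is what an unset or
# misspelled shell variable leaves behind, and on anything that is not
# a /subscriptions/<id>[/...] scope (assumption: subscription-level only).
normalize_scope() {
    local scope
    scope=$1
    while [ "${scope%/}" != "$scope" ]; do scope=${scope%/}; done
    while [ "${scope#/}" != "$scope" ]; do scope=${scope#/}; done
    scope="/$scope"
    case $scope in
        *//*)
            echo "scope has an empty segment (unset variable?): $1" >&2
            return 1 ;;
        /subscriptions/?*)
            printf '%s\n' "$scope" ;;
        *)
            echo "not a subscription-level scope: $1" >&2
            return 1 ;;
    esac
}

# ensure_role_assignment ASSIGNEE ROLE SCOPE
# Creates the assignment only if none exists at that exact scope, so a
# second run is a no-op instead of a RoleAssignmentExists error.
ensure_role_assignment() {
    local assignee role scope existing
    assignee=$1
    role=$2
    scope=$(normalize_scope "$3") || return 2
    existing=$(az role assignment list --assignee "$assignee" --role "$role" \
        --scope "$scope" --query "[0].id" --output tsv) || return 1
    if [ -n "$existing" ]; then
        echo "role assignment already present: $existing" >&2
        return 0
    fi
    az role assignment create --assignee "$assignee" --role "$role" \
        --scope "$scope"
}
```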