I created an Azure AD Application and AD Service Principal. I was then attempting to assign a role to the Service Principal using az role assignment create.
az role assignment create --assignee '<object id of the service principal>' --role Owner --scope '/subscription/<subscription id>'
However, this throws the error:
The request did not have a provided subscription. All requests must have an associated subscription Id.
I've received this sort of error with PowerShell (Set-AzureRmRoleDefinition) as well when attempting to assign a role to an AD user a while back, so I'm not sure if I'm doing something wrong or there is a problem with the REST API for role assignment.
DEBUG: msrest.http_logger : 'x-ms-client-request-id': '6b54e1a8-db1a-11e6-a2cd-4c8093c986d2'
DEBUG: msrest.http_logger : 'CommandName': 'role assignment create'
DEBUG: msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
DEBUG: msrest.http_logger : 'accept-language': 'en-US'
DEBUG: msrest.http_logger : Request body:
DEBUG: msrest.http_logger : None
DEBUG: requests.packages.urllib3.connectionpool : Starting new HTTPS connection (1): management.azure.com
DEBUG: requests.packages.urllib3.connectionpool : https://management.azure.com:443 "GET /subscription/<subscription id>/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01&$filter=roleName%20eq%20%27Owner%27 HTTP/1.1" 404 156
DEBUG: msrest.http_logger : Response status: 404
DEBUG: msrest.http_logger : Response headers:
DEBUG: msrest.http_logger : 'Cache-Control': 'no-cache'
DEBUG: msrest.http_logger : 'Pragma': 'no-cache'
DEBUG: msrest.http_logger : 'Content-Type': 'application/json; charset=utf-8'
DEBUG: msrest.http_logger : 'Expires': '-1'
DEBUG: msrest.http_logger : 'x-ms-failure-cause': 'gateway'
DEBUG: msrest.http_logger : 'x-ms-request-id': '3dfde3e6-0698-460d-826b-e091ca46e4ad'
DEBUG: msrest.http_logger : 'x-ms-correlation-request-id': '3dfde3e6-0698-460d-826b-e091ca46e4ad'
DEBUG: msrest.http_logger : 'x-ms-routing-request-id': 'UKWEST:20170115T120202Z:3dfde3e6-0698-460d-826b-e091ca46e4ad'
DEBUG: msrest.http_logger : 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
DEBUG: msrest.http_logger : 'Date': 'Sun, 15 Jan 2017 12:02:02 GMT'
DEBUG: msrest.http_logger : 'Content-Length': '156'
DEBUG: msrest.http_logger : Response content:
DEBUG: msrest.http_logger : {"error":{"code":"MissingSubscription","message":"The request did not have a provided subscription. All requests must have an associated subscription Id."}}
DEBUG: msrest.exceptions : The request did not have a provided subscription. All requests must have an associated subscription Id.
ERROR: The request did not have a provided subscription. All requests must have an associated subscription Id.
The body is missing for some reason.
(AzureDev) (trusty)vijay@localhost:~$ az --version
azure-cli (0.1.0b11)
acr (0.1.0b11)
acs (0.1.0b11)
appservice (0.1.0b11)
cloud (0.1.0b11)
component (0.1.0rc1)
configure (0.1.0b11)
container (0.1.0b11)
context (0.1.0b11)
core (0.1.0b11)
feedback (0.1.0b11)
network (0.1.0b11)
nspkg (0.1.0b11)
profile (0.1.0b11)
resource (0.1.0b11)
role (0.1.0b11)
storage (0.1.0b11)
vm (0.1.0b11)
Python (Linux) 2.7.12 |Continuum Analytics, Inc.| (default, Jul 2 2016, 17:42:40)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-1)]
Let me know if the full debug output is required.
Just to add: if I instead assign a role to the Service Principal at the resource group level, that works, e.g.:
az role assignment create --assignee <object id> --role Owner --resource-group test-rg-002
Hi,
Sorry, I just realised what the problem was - it was between the chair and the keyboard. I had made a typo: when specifying the subscription, I typed:
/subscription/
When I should have typed:
/subscriptions/
Again, apologies - it turned out to be a silly mistake. I'm closing out this issue.
Thanks
Vijay
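Added example (not part of the original issue or of azure-cli): a pre-flight check that rejects a malformed `--scope` before a privileged role assignment is attempted, including the `/subscription/` typo that produced the `MissingSubscription` 404 above. The function name `validate_arm_scope` is hypothetical, the GUID in the usage comment is a constructed placeholder, and only subscription, resource-group and resource scopes are covered, with a simplified resource-group name pattern.

```shell
# Validate an ARM scope string. Prints the scope level and returns 0 on
# success; prints a hint to stderr and returns 1 otherwise.
validate_arm_scope() {
    scope=$1
    guid='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
    rg='[-A-Za-z0-9_.()]{1,90}'
    nl='
'
    case $scope in
        *"$nl"*)
            # grep matches line by line, so refuse multi-line input outright.
            echo "scope must be a single line" >&2
            return 1 ;;
        /subscription/*)
            # The exact typo from this issue: singular instead of plural.
            echo "scope starts with '/subscription/'; ARM expects '/subscriptions/'" >&2
            return 1 ;;
    esac

    if printf '%s\n' "$scope" | grep -Eiq "^/subscriptions/${guid}\$"; then
        echo subscription
    elif printf '%s\n' "$scope" | grep -Eiq "^/subscriptions/${guid}/resourceGroups/${rg}\$"; then
        echo resource-group
    elif printf '%s\n' "$scope" | grep -Eiq "^/subscriptions/${guid}/resourceGroups/${rg}/providers/.+\$"; then
        echo resource
    else
        echo "not a recognised ARM scope: $scope" >&2
        return 1
    fi
}

# Usage (constructed values; SP_OBJECT_ID is an assumed variable):
#   SCOPE=/subscriptions/00000000-0000-0000-0000-000000000000
#   validate_arm_scope "$SCOPE" >/dev/null &&
#       az role assignment create --assignee "$SP_OBJECT_ID" --role Owner --scope "$SCOPE"
```

Printing the detected level also makes it visible when an Owner assignment is about to land on a whole subscription rather than a single resource group.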