Azure-cli: Assigning a role to a service principal by name yields a HTTP 400

Created on 18 Nov 2017  路  4Comments  路  Source: Azure/azure-cli

Environment summary

Install Method: Docker
CLI version: 2.0.21
Shell Type: Bash

Bug Summary

Running az role assignment create where --assignee is a service principal name yields a HTTP 400. (Using the service principal ID works.)

Actual behavior

bash-4.3# az ad sp list | jq '.[] | select(.displayName == "Packer") | { id: .objectId, name: .displayName }'
{
  "id": "6924e191-262b-49a2-91ac-78e63c5cfa3f",
  "name": "Packer"
}
bash-4.3# az role assignment create --assignee Packer --role Owner                                                 Operation failed with status: 'Bad Request'. Details: 400 Client Error: Bad Request for url: https://graph.windows.net/83072677-0859-4f53-b309-0ec405db441d/getObjectsByObjectIds?api-version=1.6

Expected behavior

bash-4.3# az ad sp list | jq '.[] | select(.displayName == "Packer") | { id: .objectId, name: .displayName }'
{
  "id": "6924e191-262b-49a2-91ac-78e63c5cfa3f",
  "name": "Packer"
}
bash-4.3# az role assignment create --assignee "6924e191-262b-49a2-91ac-78e63c5cfa3f" --role Owner
{
  "id": "/subscriptions/SUB_ID/providers/Microsoft.Authorization/roleAssignments/7c2b7644-8002-4f9b-9c19-d37f6dc36c4f",
  "name": "7c2b7644-8002-4f9b-9c19-d37f6dc36c4f",
  "properties": {
    "principalId": "6924e191-262b-49a2-91ac-78e63c5cfa3f",
    "roleDefinitionId": "/subscriptions/8bbbc92b-6d16-4eb2-8f95-7a0769748c8d/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "scope": "/subscriptions/SUB_ID"
  },
  "type": "Microsoft.Authorization/roleAssignments"
}
Authorization-cli RBAC
Source
picture carlosonunez

Most helpful comment

Will do, but can we get a more friendly error message instead of a cryptic HTTP 400?

Something like:

bash-4.3# az ad sp list | jq '.[] | select(.displayName == "Packer") | { id: .objectId, name: .displayName }'
{
  "id": "6924e191-262b-49a2-91ac-78e63c5cfa3f",
  "name": "Packer"
}
bash-4.3# az role assignment create --assignee Packer --role Owner
ERROR: Please use the role's app_id instead of its displayName.
picture carlosonunez on 20 Nov 2017
👍3

All 4 comments

@carlosonunez I agree there is a bit confusion, but please do not use displayName, instead using app_id or any one from the array of servicePrincipalNames should work

yugangw-msft picture yugangw-msft on 20 Nov 2017

Will do, but can we get a more friendly error message instead of a cryptic HTTP 400?

Something like:

bash-4.3# az ad sp list | jq '.[] | select(.displayName == "Packer") | { id: .objectId, name: .displayName }'
{
  "id": "6924e191-262b-49a2-91ac-78e63c5cfa3f",
  "name": "Packer"
}
bash-4.3# az role assignment create --assignee Packer --role Owner
ERROR: Please use the role's app_id instead of its displayName.
carlosonunez picture carlosonunez on 20 Nov 2017
👍3

I came across this today, however, the workaround is not viable as I am trying to assign a role to a group which doesn't have an app_id.

In this scenario the description, displayName and mailNickname are all the same and using this value with the --assignee switch returns a 400 bad request.

Using the --assignee-id parameter with the objectId behaves as expected, but is somewhat inconvenient due to the additional call needed to retrieve the id.

JamesDawson picture JamesDawson on 28 Jan 2019

add to S165.

yonzhan picture yonzhan on 23 Dec 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

oakeyc picture oakeyc  路  3Comments
rlewkowicz picture rlewkowicz  路  3Comments
jsturtevant picture jsturtevant  路  3Comments
ambakshi picture ambakshi  路  3Comments
williexu picture williexu  路  3Comments