Azure-cli: az acs create fails with service principal error

Created on 3 Jan 2018 · 9 Comments · Source: Azure/azure-cli

Repro steps:

  • Delete ~/.azure/acsServicePrincipal.json
  • Try to create a cluster
az group create -n test1 -l eastus
az acs create -n acs-test -g test1 -t Kubernetes

Results:

  • Service principal is created

    • CLI spins and waits for service principal propagation before proceeding

    • acsServicePrincipal.json is created with the generated SP info

  • Command fails, and nothing is created in the resource group

    • If you run az acs create a second time, the deployment succeeds, using the SP from the JSON file

Deployment failed. Correlation ID: c1cb9379-4dbf-4ac9-ab14-ff4ced046fa6. {
  "error": {
    "code": "BadRequest",
    "message": "The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/acs-sp-help for more details. (Details: AADSTS70001: Application with identifier 'e451ac5a-b4da-4393-9315-d3dce6166a46' was not found in the directory 72f988bf-86f1-41af-91ab-2d7cd011db47\r\nTrace ID: 87322fd2-8fc4-412c-b708-429cab160900\r\nCorrelation ID: faf7eee4-322d-4198-b04d-5e41cf8d3b60\r\nTimestamp: 2018-01-03 22:04:29Z)"
  }
}

Environment summary

apt-get / 2.0.23 / Windows 10 Enterprise 1709 (16299.125) + Ubuntu 16.04.3 LTS / Bash on Windows

azure-cli (2.0.23)

acr (2.0.17)
acs (2.0.22)
advisor (0.1.0)
appservice (0.1.22)
backup (1.0.3)
batch (3.1.7)
batchai (0.1.3)
billing (0.1.6)
cdn (0.0.10)
cloud (2.0.10)
cognitiveservices (0.1.9)
command-modules-nspkg (2.0.1)
configure (2.0.12)
consumption (0.2.0)
container (0.1.15)
core (2.0.23)
cosmosdb (0.1.15)
dla (0.0.15)
dls (0.0.18)
eventgrid (0.1.5)
extension (0.0.6)
feedback (2.0.6)
find (0.2.7)
interactive (0.3.11)
iot (0.1.15)
keyvault (2.0.15)
lab (0.0.13)
monitor (0.0.13)
network (2.0.19)
nspkg (3.0.1)
profile (2.0.16)
rdbms (0.0.9)
redis (0.2.10)
reservations (0.1.0)
resource (2.0.19)
role (2.0.15)
servicefabric (0.0.7)
sql (2.0.17)
storage (2.0.21)
vm (2.0.20)

Python location '/opt/az/bin/python3'
Extensions directory '/home/noel/.azure/cliextensions'

Python (Linux) 3.6.1 (default, Dec 15 2017, 17:51:12)
[GCC 4.8.4]


ACS Service Attention bug

All 9 comments

Related service principal error when creating AKS clusters

Repro steps:

  • Delete ~/.azure/acsServicePrincipal.json
  • Create an AKS cluster
az aks create -g trash1-dest-aks -n noel-dest-aks

Results:

  • Service principal is created

    • acsServicePrincipal.json is created with the generated SP info

  • Command fails, and nothing is created in the resource group

    • If you run az aks create a second time, the deployment succeeds, using the SP from the JSON file

output:

AAD role propagation done[############################################]  100.0000%Operation failed with status: 'Bad Request'. Details: Service principal clientID: fe8f564b-b2f9-48a4-aeac-ed707175f0f1 not found in Active Directory tenant
 72f988bf-86f1-41af-91ab-2d7cd011db47, Please see https://aka.ms/acs-sp-help for more details.

"AAD role propagation done" completes, but then I immediately get a service principal not found error

//cc: @rjtsdl @mboersma

@noelbundick, I think you are hitting the problem of slow SPN replication across Azure regions.

I want you to check: can you run another create of aks/acs about 1 min after the failure? And does the second creation succeed?

Yes, it works the second time, using the sp that was created in the first run

This used to work great - not sure if this is related to a recent change?

@noelbundick

I made a PR for other stuff, but it will fix the error you are seeing as well. We used to retry on those errors; it looks like the error message changed. Just update it.

There are some other work around to fix or workaround the replication issue.

Fixed

This error seems to be back again.

Repro Steps:

Delete existing SP credentials

rm .azure/acsServicePrincipal.json

Try to create an ACS Cluster

az group create -n wesyao-kube -l westus
az acs create --orchestrator-type kubernetes --resource-group wesyao-kube --name wesyaocluster --generate-ssh-keys

Error Message:

Deployment failed. Correlation ID: 3658af8f-5d83-4bab-a07e-4558a750a92d. {
  "error": {
    "code": "BadRequest",
    "message": "The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/acs-sp-help for more details. (Details: AADSTS70001: Application with identifier 'd0dcd55f-3601-445e-9755-8daeef61a155' was not found in the directory 72f988bf-86f1-41af-91ab-2d7cd011db47\r\nTrace ID: 745d04a6-2263-43aa-876b-48e8784a4600\r\nCorrelation ID: 37abb4ac-cadc-4ca4-9ba0-ebe167b22235\r\nTimestamp: 2018-03-20 22:32:20Z)"
  }
}

CLI Version

➜  ~ az --version
azure-cli (2.0.29)

acr (2.0.22)
acs (2.0.28)
advisor (0.5.0)
appservice (0.1.29)
backup (1.0.7)
batch (3.1.11)
batchai (0.1.6)
billing (0.1.7)
cdn (0.0.13)
cloud (2.0.12)
cognitiveservices (0.1.11)
command-modules-nspkg (2.0.1)
configure (2.0.14)
consumption (0.2.2)
container (0.1.19)
core (2.0.29)
cosmosdb (0.1.19)
dla (0.0.18)
dls (0.0.19)
eventgrid (0.1.11)
eventhubs (0.1.0)
extension (0.0.10)
feedback (2.1.0)
find (0.2.8)
interactive (0.3.17)
iot (0.1.18)
keyvault (2.0.20)
lab (0.0.17)
monitor (0.1.3)
network (2.0.25)
nspkg (3.0.2)
profile (2.0.20)
rdbms (0.1.0)
redis (0.2.11)
reservations (0.1.1)
resource (2.0.25)
role (2.0.20)
servicebus (0.1.0)
servicefabric (0.0.11)
sql (2.0.23)
storage (2.0.27)
vm (2.0.28)

Python location '/Users/wesyao/anaconda3/bin/python3.6'
Extensions directory '/Users/wesyao/.azure/cliextensions'

Python (Darwin) 3.6.2 |Anaconda custom (x86_64)| (default, Sep 21 2017, 18:29:43)
[GCC 4.2.1 Compatible Clang 4.0.1 (tags/RELEASE_401/final)]

Legal docs and information: aka.ms/AzureCliLegal

Can we re-open this please, because it's clearly not fixed. Fails for me too with 2.2.0 version. Same issue: propagation completes, then cluster create fails straight away. The same happens if I reset password for an existing SP and try to create AKS.

AAD role propagation done[############################################]  100.0000%
Operation failed with status: 'Bad Request'. Details: The credentials in ServicePrincipalProfile were invalid. 
Please see https://aka.ms/aks-sp-help for more details. 
(Details: adal: Refresh request failed. Status Code = '400'. Response body: 
{
    "error": "unauthorized_client",
    "error_description": "AADSTS700016: Application with identifier 'REDACTED' was not found in the directory 'REDACTED'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: REDACTED\r\nCorrelation ID: REDACTED\r\nTimestamp: 2020-03-31 17:38:47Z",
    "error_codes": [
        700016
    ],
    "timestamp": "2020-03-31 17:38:47Z",
    "trace_id": "REDACTED",
    "correlation_id": "REDACTED",
    "error_uri": "https://login.microsoftonline.com/error?code=700016"
})
$ az --version
azure-cli                          2.2.0 *

command-modules-nspkg              2.0.3
core                               2.2.0 *
nspkg                              3.0.4
telemetry                          1.0.4

Python location '/usr/local/Cellar/azure-cli/2.2.0_1/libexec/bin/python'
Extensions directory '/Users/philippanyukov/.azure/cliextensions'

Python (Darwin) 3.8.2 (default, Mar 11 2020, 00:29:50)
[Clang 11.0.0 (clang-1100.0.33.17)]

Hi!

Same problem here.
Command

$ az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --node-vm-size Standard_NC6 \
    --node-count 1 --generate-ssh-keys

outputs:

> Finished service principal creation[##################################] 100.0000%Operation failed with status: 'Bad Request'. Details: The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier 'db3eceed-57c4-4e86-b898-e051d711c761' was not found in the directory '585127aa-8691-4f25-9777-8cb78ccf0d91'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 81418b4c-ca53-4c3f-beaf-d63ab40fa600\r\nCorrelation ID: 64233089-88b9-4f45-9f31-75ea8adf06a5\r\nTimestamp: 2020-05-12 16:21:41Z","error_codes":[700016],"timestamp":"2020-05-12 16:21:41Z","trace_id":"81418b4c-ca53-4c3f-beaf-d63ab40fa600","correlation_id":"64233089-88b9-4f45-9f31-75ea8adf06a5","error_uri":"https://login.microsoftonline.com/error?code=700016"})

$ az --version
azure-cli                          2.5.1

command-modules-nspkg              2.0.3
core                               2.5.1
nspkg                              3.0.4
telemetry                          1.0.4

Python location '/usr/local/Cellar/azure-cli/2.5.1/libexec/bin/python'
Extensions directory '/Users/lebedana/.azure/cliextensions'

Python (Darwin) 3.8.2 (default, Mar 11 2020, 00:29:50) 
[Clang 11.0.0 (clang-1100.0.33.17)]
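
The thread attributes the failure to service principal replication lag, and notes that the CLI's retry stopped working once the error wording changed. The sketch below is an added example, not azure-cli's own code: it classifies the three error texts seen in this thread by AADSTS code rather than by wording, and retries only those, with a bounded backoff. The function names, the `create` callable, the delays and the sample messages (IDs replaced by placeholders) are assumptions for illustration.

```python
import re
import time

# AADSTS codes that appear in this thread's "application not found" errors.
NOT_FOUND_CODES = {"70001", "700016"}
# AKS wording from the thread that carries no AADSTS code at all.
NOT_FOUND_PHRASE = re.compile(r"not found in Active Directory tenant", re.I)
AADSTS = re.compile(r"AADSTS(\d+)")

# Constructed samples modelled on the thread's output; IDs are placeholders.
MSG_2018 = "AADSTS70001: Application with identifier '<app-id>' was not found in the directory <tenant-id>"
MSG_AKS = "Service principal clientID: <app-id> not found in Active Directory tenant <tenant-id>"
MSG_2020 = "AADSTS700016: Application with identifier '<app-id>' was not found in the directory '<tenant-id>'."
MSG_BAD_SECRET = "AADSTS7000215: Invalid client secret is provided."  # must not be retried


def is_sp_not_found(message: str) -> bool:
    """True if the error text says AAD could not find the service principal."""
    codes = set(AADSTS.findall(message))
    if codes:
        # Prefer the numeric code: the wording changed between 2018 and 2020.
        return bool(codes & NOT_FOUND_CODES)
    return bool(NOT_FOUND_PHRASE.search(message))


def create_with_retry(create, attempts=5, base_delay=15.0, sleep=time.sleep):
    """Call create() until it succeeds or fails for a non-propagation reason.

    create is a hypothetical callable returning (ok, error_message).
    Returns (ok, error_message, tries).
    """
    for attempt in range(1, attempts + 1):
        ok, err = create()
        if ok:
            return True, "", attempt
        if not is_sp_not_found(err) or attempt == attempts:
            # Bad secret, quota, etc. will not heal with time; and once the
            # budget is spent, "not found" is treated as a real failure
            # (wrong tenant or deleted SP), not replication lag.
            return False, err, attempt
        sleep(base_delay * 2 ** (attempt - 1))  # 15s, 30s, 60s, ...
    return False, "no attempts made", 0
```

The bound on attempts matters because the same AADSTS codes are also returned when the application really is absent from the tenant, so an unbounded retry would hide a genuine misconfiguration.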