apt-get / azure-cli (2.0.26) / Xubuntu 16.04.4 / bash
python3 -m azure.cli role definition create --role-definition '{
"Name": "Security Group Rules Manager",
"Description": "Manage Security Group Rules inside prod/app-nsg",
"Actions": [
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write"
],
"AssignableScopes": ["/subscriptions/***/resourceGroups/prod/app-nsg"]
}'
The api-version '2015-07-01' is invalid. The supported versions are '2018-02-01,2018-01-01,2017-12-01,2017-08-01,2017-06-01,2017-05-10,2017-05-01,2017-03-01,2016-09-01,2016-07-01,2016-06-01,2016-02-01,2015-11-01,2015-01-01,2014-04-01-preview,2014-04-01,2014-01-01,2013-03-01,2014-02-26,2014-04'.
What's the output of az cloud show (i.e. Are you targeting public Azure)?
What's the output of python3 -m azure.cli --version and az --version?
Also, in the environment summary you have apt-get but you're running the CLI with python3 -m azure.cli instead of the standard az. Why?
My env python defaults to 2.7. If I try to use az I get /usr/bin/python: No module named azure
azure-cli (2.0.26)
acr (2.0.20)
acs (2.0.25)
advisor (0.1.1)
appservice (0.1.25)
backup (1.0.6)
batch (3.1.9)
batchai (0.1.5)
billing (0.1.7)
cdn (0.0.12)
cloud (2.0.12)
cognitiveservices (0.1.10)
command-modules-nspkg (2.0.1)
configure (2.0.13)
consumption (0.2.1)
container (0.1.16)
core (2.0.26)
cosmosdb (0.1.17)
dla (0.0.18)
dls (0.0.19)
eventgrid (0.1.9)
extension (0.0.8)
feedback (2.0.8)
find (0.2.8)
interactive (0.3.15)
iot (0.1.16)
keyvault (2.0.17)
lab (0.0.16)
monitor (0.1.1)
network (2.0.22)
nspkg (3.0.1)
profile (2.0.18)
rdbms (0.0.11)
redis (0.2.11)
reservations (0.1.1)
resource (2.0.22)
role (2.0.17)
servicefabric (0.0.9)
sql (2.0.20)
storage (2.0.24)
vm (2.0.25)
Python location '/usr/local/bin/python3'
Extensions directory '/home/***/.azure/cliextensions'
Python (Linux) 3.5.2 (default, Nov 23 2017, 16:37:01)
[GCC 5.4.0 20160609]
Legal docs and information: aka.ms/AzureCliLegal
{
"endpoints": {
"activeDirectory": "https://login.microsoftonline.com",
"activeDirectoryDataLakeResourceId": "https://datalake.azure.net/",
"activeDirectoryGraphResourceId": "https://graph.windows.net/",
"activeDirectoryResourceId": "https://management.core.windows.net/",
"batchResourceId": "https://batch.core.windows.net/",
"gallery": "https://gallery.azure.com/",
"management": "https://management.core.windows.net/",
"resourceManager": "https://management.azure.com/",
"sqlManagement": "https://management.core.windows.net:8443/",
"vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json"
},
"isActive": true,
"name": "AzureCloud",
"profile": "latest",
"suffixes": {
"azureDatalakeAnalyticsCatalogAndJobEndpoint": "azuredatalakeanalytics.net",
"azureDatalakeStoreFileSystemEndpoint": "azuredatalakestore.net",
"keyvaultDns": ".vault.azure.net",
"sqlServerHostname": ".database.windows.net",
"storageEndpoint": "core.windows.net"
}
}
Adding @yugangw-msft in case he knows regarding the API version
Please upgrade to a newer CLI which uses one of the supported api-versions for azure-mgmt-authorization
Just upgraded to azure-cli 2.0.31 with pip3 install azure-cli --upgrade
But now it complains about another api-version:
The api-version '2018-01-01-preview' is invalid. The supported versions are '2018-02-01,2018-01-01,2017-12-01,2017-08-01,2017-06-01,2017-05-10,2017-05-01,2017-03-01,2016-09-01,2016-07-01,2016-06-01,2016-02-01,2015-11-01,2015-01-01,2014-04-01-preview,2014-04-01,2014-01-01,2013-03-01,2014-02-26,2014-04'.
azure-cli (2.0.31)
acr (2.0.23)
acs (2.0.31)
advisor (0.5.1)
appservice (0.1.31)
backup (1.1.1)
batch (3.2.0)
batchai (0.2.0)
billing (0.1.8)
cdn (0.0.14)
cloud (2.0.13)
cognitiveservices (0.1.12)
command-modules-nspkg (2.0.1)
configure (2.0.15)
consumption (0.3.0)
container (0.1.22)
core (2.0.31)
cosmosdb (0.1.20)
dla (0.0.19)
dls (0.0.21)
eventgrid (0.1.12)
eventhubs (0.1.2)
extension (0.0.12)
feedback (2.1.1)
find (0.2.9)
interactive (0.3.19)
iot (0.1.19)
keyvault (2.0.21)
lab (0.0.21)
monitor (0.1.5)
network (2.0.28)
nspkg (3.0.2)
profile (2.0.22)
rdbms (0.2.1)
redis (0.2.12)
reservations (0.1.2)
resource (2.0.27)
role (2.0.22)
servicebus (0.1.2)
servicefabric (0.0.12)
sql (2.0.25)
storage (2.0.31)
vm (2.0.30)
I think you might have a malformed url on creating the role definition. Please run with "--debug" and share the HTTP url on creating the definition. I suspect the scope of /subscriptions/***/resourceGroups/prod/app-nsg is not working, particularly the trailing app-nsg
urllib3.connectionpool : Starting new HTTPS connection (1): management.azure.com
urllib3.connectionpool : https://management.azure.com:443 "PUT /subscriptions/***/resourceGroups/prod/app-nsg/providers/Microsoft.Authorization/roleDefinitions/***?api-version=2018-01-01-preview HTTP/1.1" 400 363
Can you set the scope to be subscriptions/***/resourceGroups/prod in the definition?
It worked with .../prod scope.
So you'd like to create a role definition scoped to an NSG resource? If yes, you need to spell out the whole resource id. The /subscriptions/***/resourceGroups/prod/app-nsg is definitely not right as it is missing the resource type.
I checked and re-typed the security group part of the scope (the string after .../prod) several times. It doesn't help. I'm confused.
@zaharcelac, let me cross-check with the RBAC team to see whether resource-level scope is ever supported. At the same time, please share the URL on the wire.
OK... Found issue... My scope was really wrong...
I believed it should be like
/subscriptions/***/resourceGroups/prod/app-nsg
but in reality it should be like this:
/subscriptions/***/resourceGroups/prod/providers/Microsoft.Network/networkSecurityGroups/app-nsg
> /subscriptions/***/resourceGroups/prod/providers/Microsoft.Network/networkSecurityGroups/app-nsg
this is what I meant :)
If the input to the command is wrong, I would expect the command to tell me so, instead of giving some very obscure message about mismatching api-versions. I was witnessing the same kind of error message for the following command:
az role assignment create --role Contributor --assignee "[email protected]" --resource-group "/subscriptions/<some subscription id>/resourceGroups/<some resource group name>"
Can you please reconsider this issue, in this light?
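A pre-flight check for the mistake found in this thread, as an added example (not code from azure-cli or from any commenter): it parses each AssignableScopes entry as an ARM resource ID and reports what is malformed before any request is sent. The function names and the all-zero subscription ID are constructed for illustration; the check covers only the shape of the ID, not whether the service accepts that scope level, and it ignores management-group scopes.

```python
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def classify_scope(scope):
    """Return (kind, error): kind is 'subscription', 'resourceGroup' or
    'resource' for a well-formed scope, else None plus the reason."""
    if not scope.startswith("/"):
        return None, "scope must start with '/'"
    parts = scope.strip("/").split("/")
    if "" in parts:
        return None, "empty path segment"
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        return None, "scope must begin with /subscriptions/{id}"
    if not GUID.match(parts[1]):
        return None, "subscription id is not a GUID"
    if len(parts) == 2:
        return "subscription", None
    if len(parts) < 4 or parts[2].lower() != "resourcegroups":
        return None, "expected /resourceGroups/{name} after the subscription"
    if len(parts) == 4:
        return "resourceGroup", None
    rest = parts[4:]  # must be: providers, namespace, then type/name pairs
    if rest[0].lower() != "providers":
        return None, "'%s' follows the resource group without /providers/{namespace}/{type}/" % rest[0]
    if len(rest) < 4 or len(rest) % 2:
        return None, "expected /providers/{namespace}/{type}/{name} pairs"
    return "resource", None

def bad_scopes(role_definition):
    """List (scope, reason) for every malformed AssignableScopes entry."""
    out = []
    for scope in role_definition.get("AssignableScopes", []):
        kind, err = classify_scope(scope)
        if kind is None:
            out.append((scope, err))
    return out

# Constructed sample input: all-zero subscription id, names from the thread.
SUB = "00000000-0000-0000-0000-000000000000"
RG = "/subscriptions/%s/resourceGroups/prod" % SUB
ROLE = {"Name": "Security Group Rules Manager",
        "AssignableScopes": [
            RG + "/app-nsg",  # the shape that failed in the thread
            RG + "/providers/Microsoft.Network/networkSecurityGroups/app-nsg",
        ]}

if __name__ == "__main__":
    for scope, reason in bad_scopes(ROLE):
        print("malformed scope: %s\n  %s" % (scope, reason))
```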