Azure-cli: Getting token from Cloud Shell intermittently fails with 400 Client Error: Bad Request

Created on 2 Jan 2020  路  13Comments  路  Source: Azure/azure-cli

I'm getting following when I'm running following command :

ARM_CLIENT_SECRET=$(az ad sp create-for-rbac \
--name http://tf-sp-$UNIQUE_ID \
--role Contributor \
--scopes "/subscriptions/$ARM_SUBSCRIPTION_ID" \
--query password \
--output tsv)

Please note that I've stored ARM Subscription ID successfully and ran above command as part of creating Service Principal.

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name
az ad sp create-for-rbac

Errors:

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Traceback (most recent call last):
python3.6/site-packages/knack/cli.py, ln 206, in invoke
    cmd_result = self.invocation.execute(args)
cli/core/commands/__init__.py, ln 608, in execute
    raise ex
cli/core/commands/__init__.py, ln 666, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
...
python3.6/site-packages/msrestazure/azure_active_directory.py, ln 486, in get_msi_token
    result.raise_for_status()
python3.6/site-packages/requests/models.py, ln 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • _Put any pre-requisite steps here..._
  • az ad sp create-for-rbac --name {} --role {} --scopes {} --query {} --output {}

Expected Behavior

Environment Summary

Linux-4.15.0-1064-azure-x86_64-with-debian-stretch-sid
Python 3.6.5
Shell: bash

azure-cli 2.0.78

Additional Context


Cloud Shell Graph Service Attention customer-reported
Source
picture Kalyan-Alamuru

Most helpful comment

@maertendMSFT any update for this issue ? There are a bunch of customers are impacted by this.

picture yonzhan on 17 Jul 2020
👍3

All 13 comments

@jiasli Please take a look.

bim-msft picture bim-msft on 3 Jan 2020

This is Cloud Shell issue. Could you run with --debug and share the output?

To get unblocked, please run az login and retry the command.

jiasli picture jiasli on 3 Jan 2020

I reran the module again and it worked fine, Only difference this time is I ran Terraform Destroy command to delete the plan and then ran az ad sp create command and it worked fine, It doesn't really explain what happened !!!

Kalyan-Alamuru picture Kalyan-Alamuru on 3 Jan 2020

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token is a known issue of Cloud Shell that it intermittently fails with this error.

Workarounds

There are 2 workarounds:

  1. Use Azure CLI on a local machine
  2. In Cloud Shell, run az login and retry the command
jiasli picture jiasli on 6 Jan 2020

This is Cloud Shell issue. Could you run with --debug and share the output?

To get unblocked, please run az login and retry the command.

This worked for me. Thanks.

hubert-associates picture hubert-associates on 13 Apr 2020
👍1

This should be fixed now. I cannot repro, please close.

maertendMSFT picture maertendMSFT on 8 Jul 2020

This should be fixed now. I cannot repro, please close.

Hi @maertendMSFT, this issue doesn't happen consistently, but intermittently. If there are any changes on the Cloud Shell side, could you put some more details?

jiasli picture jiasli on 8 Jul 2020

@jiasli , this appears to fundamentally be the same issue as a few of the other issues that I requested to close, all of which are solved with a az login. We have put out a fix and that should have been included in the latest release (20200702) and be available for all customers now.

maertendMSFT picture maertendMSFT on 8 Jul 2020

@maertendMSFT good news, please let us know when the latest change rolls out.

yonzhan picture yonzhan on 9 Jul 2020

The updated image should be available everywhere already :)

maertendMSFT picture maertendMSFT on 9 Jul 2020

I wouldn't close this issue until there is more confirmation. The issue still happens in cloudshell (today).

digimaun picture digimaun on 16 Jul 2020

@maertendMSFT any update for this issue ? There are a bunch of customers are impacted by this.

yonzhan picture yonzhan on 17 Jul 2020
👍3

This still appears to be an issue. Well it's an issue for me anyway. I hope these logs can help.

aaron@Azure:~$ az keyvault secret list-versions --vault-name $vault_name --name $vault_cert_name
Error occurred in request., HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

Here is the tail end of the output with the --debug flag

urllib3.connectionpool : Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool : http://localhost:50342 "POST /oauth2/token HTTP/1.1" 400 121
msrestazure.azure_active_directory : MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://vault.azure.net'}
msrestazure.azure_active_directory : MSI: Failed to retrieve a token from 'http://localhost:50342/oauth2/token' with an error of '400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token'. This could be caused by the MSI extension not yet fully provisioned.
msrest.exceptions : Error occurred in request., HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
cli.azure.cli.core.util : Error occurred in request., HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Error occurred in request., HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f8bf399ad90>]
az_command_data_logger : exit code: 1
telemetry.save : Save telemetry record of length 5447 in cache
telemetry.check : Negative: The /home/aaron/.azure/telemetry.txt was modified at 2020-08-11 21:39:07.906455, which in less than 600.000000 s
Command ran in 40.650 seconds (init: 0.041, invoke: 40.610)

aaron@Azure:~$ az --version
azure-cli                          2.9.1 *

command-modules-nspkg              2.0.3
core                               2.9.1 *
nspkg                              3.0.4
telemetry                          1.0.4

Python location '/opt/az/bin/python3'
Extensions directory '/home/aaron/.azure/cliextensions'

Python (Linux) 3.6.10 (default, Jul 16 2020, 08:13:15)
[GCC 5.4.0 20160609]

Legal docs and information: aka.ms/AzureCliLegal


You have 2 updates available. They will be updated with the next build of Cloud Shell.

Please let us know how we are doing: https://aka.ms/azureclihats
and let us know if you're interested in trying out our newest features: https://aka.ms/CLIUXstudy

Hopefully those 2 referenced updates take care of the issue 馃榿

AgSync-Aaron picture AgSync-Aaron on 11 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

derekperkins picture derekperkins  路  3Comments
Kannaj picture Kannaj  路  3Comments
ambakshi picture ambakshi  路  3Comments
derekbekoe picture derekbekoe  路  3Comments
amarzavery picture amarzavery  路  3Comments