Azure-cli: The credentials in ServicePrincipalProfile were invalid.... token contains an invalid number of segments
Describe the bug
When a service principal credential happens to contain a dash character (which it can and happens randomly) the "az aks create" command fails when it is supplied.
Error code:
Operation failed with status: 'Bad Request'. Details: The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: token contains an invalid number of segments)
To Reproduce
Reset the credential of a service principal until you get a dash (-) in the name. Use e.g.
az aks create --subscription x --name mycluster --resource-group cluster-rg --location westeurope --vm-set-type VirtualMachineScaleSets [...] --service-principal <service principal uuid> --client-secret <secret>
Expected behavior
The command succeeds and the cluster is created
Environment summary
az version
{
"azure-cli": "2.7.0",
"azure-cli-command-modules-nspkg": "2.0.3",
"azure-cli-core": "2.7.0",
"azure-cli-nspkg": "3.0.4",
"azure-cli-telemetry": "1.0.4",
"extensions": {}
}
!uname -a
Linux 089dccf9945f 4.19.76-linuxkit #1 SMP Tue May 26 11:42:35 UTC 2020 x86_64 Linux
!python --version
Python 3.8.1
Additional context
The command was invoked from a Python script specifying the arguments directly, so any kind of shell interference can be ruled out in this case.
rickardp
All 11 comments
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/aks-pm.
![msftbot[bot] picture](https://avatars2.githubusercontent.com/in/26612?v=4&s=40)
msftbot[bot]
on 9 Jun 2020
aks
yonzhan
on 9 Jun 2020
seems that your service principal or the service principal secret weren't quoted properly ?
can you ensure that you pass the appID/AppSecret
djsly
on 6 Jul 2020
I verified that I pass the SP and secret correctly I, as in they are sent as distinct arguments to AZ CLI.
Am I supposed to quote the quoted secret, even if it is correctly handled as command line arguments?
My expectation was that as long as the secret was interpreted correctly as an argument, AZ CLI would do the rest for me.
rickardp
on 7 Jul 2020
seems that your issue has been seen by a few other folks
https://github.com/MicrosoftDocs/azure-docs/issues/56103
It seems that the changed they regex for accepted password at the AD SP create logic. the returned password are indeed not handled correctly by the azure CLI for AKS cluster creation, the above two issues are all using az cli, even with the latest and greatest version
djsly
on 8 Jul 2020
same issue.
did the format of secrets change? much different than what is in: https://docs.microsoft.com/en-us/azure/aks/update-credentials#update-aks-cluster-with-new-service-principal-credentials
Ran this command back in April and worked fine. Updating another cluster today is causing said problem.
dcatalano-figure
on 20 Aug 2020
for reference we are attempting to update creds
az aks update-credentials --resource-group <rg> --name <name> --reset-service-principal --service-principal $SP_ID --client-secret $SP_SECRET
was able to make this work by recreating a secret until the secret had no dashes, then ran the update-credential command
dcatalano-figure
on 26 Aug 2020
We are also seeing this issue
djj0809
on 12 Oct 2020
was able to make this work by recreating a secret until the secret had no dashes, then ran the
update-credentialcommand
Thanks! This tip fixed my issue.
ArPharazon
on 28 Oct 2020
was able to make this work by recreating a secret until the secret had no dashes, then ran the
update-credentialcommand
This works for me as well. So it seems to be a bug when there're dashes in the secret?
Soyofuki
on 21 Dec 2020
Related issues
PrHar
路
3Comments
ambakshi
路
3Comments
derekbekoe
路
3Comments
dhermans
路
3Comments
williexu
路
3Comments
Most helpful comment
was able to make this work by recreating a secret until the secret had no dashes, then ran the
update-credentialcommand