Failed to connect to MSI to create service principal #29712
Describe the bug
I am following a lab in MS Learn https://microsoftlearning.github.io/mslearn-ai-services/Instructions/Exercises/02-ai-services-security.html#secure-key-access-with-azure-key-vault.
The part creating the service principal stopped me.
Related command
az ad sp create-for-rbac -n "api://" --role owner --scopes subscriptions//resourceGroups/
Errors
Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [400]>
Issue script & Debug output
cli.knack.cli: Command arguments: ['ad', 'sp', 'create-for-rbac', '-n', 'api://ai-app', '--role', 'owner', '--scopes', 'subscriptions/c46ffa71-c974-4749-a21a-f9ce60c39b67/resourceGroups/AItest', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fbce3086160>, <function OutputProducer.on_global_arguments at 0x7fbce2fa0d30>, <function CLIQuery.on_global_arguments at 0x7fbce2f37310>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'ad': ['azure.cli.command_modules.role']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: role 0.004 17 61
cli.azure.cli.core: Total (1) 0.004 17 61
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: ai-examples 0.114 1 1 /usr/lib/python3.9/site-packages/azure-cli-extensions/ai-examples
cli.azure.cli.core: Total (1) 0.114 1 1
cli.azure.cli.core: Loaded 18 groups, 62 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : ad sp create-for-rbac
cli.azure.cli.core: Command table: ad sp create
cli.azure.cli.core: remaining : for-rbac
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fbce23e7820>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/sylvia/.azure/commands/2024-08-13.15-48-37.ad_sp_create-for-rbac.6754.log'.
az_command_data_logger: command args: ad sp create-for-rbac -n {} --role {} --scopes {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7fbce238f430>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7fbce23b5430>, <function register_cache_arguments..add_cache_arguments at 0x7fbce235b310>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fbce2fa0dc0>, <function CLIQuery.handle_query_parameter at 0x7fbce2f373a0>, <function register_ids_argument..parse_ids_arguments at 0x7fbce235b280>]
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 400 126
msrestazure.azure_active_directory: MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://graph.microsoft.com/'}
msrestazure.azure_active_directory: MSI: Failed to retrieve a token from 'http://localhost:50342/oauth2/token' with an error of '400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token'. This could be caused by the MSI extension not yet fully provisioned.
cli.azure.cli.core.auth.adal_authentication: throw requests.exceptions.HTTPError when doing MSIAuthentication:
Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
super().set_token()
File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 598, in set_token
self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 486, in get_msi_token
result.raise_for_status()
File "/usr/lib64/az/lib/python3.9/site-packages/requests/models.py", line 1024, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 75, in set_token
super().set_token()
File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 598, in set_token
self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 486, in get_msi_token
result.raise_for_status()
File "/usr/lib64/az/lib/python3.9/site-packages/requests/models.py", line 1024, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 87, in set_token
.format(err.response.status, err.response.reason))
AttributeError: 'Response' object has no attribute 'status'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib64/az/lib/python3.9/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 664, in execute
raise ex
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 723, in _run_job
return cmd_copy.exception_handler(ex)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/commands.py", line 51, in graph_err_handler
raise ex
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 701, in _run_job
result = cmd_copy(params)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/__init__.py", line 334, in __call__
return self.handler(*args, **kwargs)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/custom.py", line 1174, in create_service_principal_for_rbac
existing_sps = list(graph_client.service_principal_list(filter=query_exp))
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 179, in service_principal_list
result = self._send("GET", "/servicePrincipals" + _filter_to_query(filter))
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/command_modules/role/_msgrpah/_graph_client.py", line 52, in _send
r = send_raw_request(self._cli_ctx, method, url, resource=self._resource, uri_parameters=param,
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/util.py", line 983, in send_raw_request
token_info, _, _ = profile.get_raw_token(resource)
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/_profile.py", line 401, in get_raw_token
msi_creds = MsiAccountTypes.msi_auth_factory(MsiAccountTypes.system_assigned, identity_id,
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/_profile.py", line 734, in msi_auth_factory
return MSIAuthenticationWrapper(resource=resource)
File "/usr/lib64/az/lib/python3.9/site-packages/msrestazure/azure_active_directory.py", line 592, in __init__
self.set_token()
File "/usr/lib64/az/lib/python3.9/site-packages/azure/cli/core/auth/adal_authentication.py", line 89, in set_token
raise AzureResponseError('Failed to connect to MSI. Please make sure MSI is configured correctly.\n'
azure.cli.core.azclierror.AzureResponseError: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [400]>
cli.azure.cli.core.azclierror: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [400]>
az_command_data_logger: Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [400]>
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fbce23e7a60>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 40.375 seconds (init: 0.104, invoke: 40.271)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4045 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/python3.9 /usr/lib/az/lib/python3.9/site-packages/azure/cli/telemetry/__init__.py /home/sylvia/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
Output of the code should be something like
Environment Summary
{
"azure-cli": "2.62.0",
"azure-cli-core": "2.62.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"ai-examples": "0.2.5",
"ml": "2.28.0",
"ssh": "2.0.5"
}
}
Additional context
Previous issues suggested I might use az login, but I had already logged in by browser when opening Azure Cloud PowerShell. The following command and its output indicate the successful login.
az account show
{
"environmentName": "AzureCloud",
"homeTenantId": "5b973f99-77df-4beb-b27d-aa0c70b8482c",
"id": "c46ffa71-c974-4749-a21a-f9ce60c39b67",
"isDefault": true,
"managedByTenants": [],
"name": "Visual Studio Professional Subscription - Tim",
"state": "Enabled",
"tenantId": "5b973f99-77df-4beb-b27d-aa0c70b8482c",
"user": {
"cloudShellID": true,
"name": "Sylvia.ZY.Zhu@hk.ey.com",
"type": "user"
}
}
The following command and its output do not let me log in again, because the company's policy does not allow that.
az login
Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code S76HWXNWM to authenticate.
Additionally, even in the lab in MS Learn, I am not able to log in to Azure. It directs me to the following page with URL "Login failed"
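Added example, not part of the original issue or of Azure CLI: a small triage helper for `az --debug` output like the log above. It reports which resource a token was requested for, which MSI endpoint answered, the HTTP status, and whether the secondary AttributeError seen in the traceback was also raised. The function name and the finding fields are assumptions made for illustration; the sample lines are excerpted from the debug output in this issue.

```python
import re

# Sample input: lines excerpted from the debug output posted in the issue.
SAMPLE_LOG = """\
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
urllib3.connectionpool: Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool: http://localhost:50342 "POST /oauth2/token HTTP/1.1" 400 126
msrestazure.azure_active_directory: MSI: Failed to retrieve a token from 'http://localhost:50342/oauth2/token' with an error of '400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token'. This could be caused by the MSI extension not yet fully provisioned.
AttributeError: 'Response' object has no attribute 'status'
"""

RESOURCE_RE = re.compile(r"Retrieving token for resource (\S+)")
HTTP_RE = re.compile(
    r'urllib3\.connectionpool: (https?://\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})\b')
MSI_FAIL_RE = re.compile(r"MSI: Failed to retrieve a token from '([^']+)'")
HANDLER_ERR = "'Response' object has no attribute 'status'"


def triage_msi_failures(log_text):
    """Return one finding per failed MSI token request in `az --debug` output."""
    findings, resource, last_http = [], None, None
    for line in log_text.splitlines():
        # search(), not match(): pasted logs often have two records fused on one line.
        if m := RESOURCE_RE.search(line):
            resource = m.group(1)
        if m := HTTP_RE.search(line):
            last_http = {"host": m.group(1), "status": int(m.group(4))}
        if m := MSI_FAIL_RE.search(line):
            endpoint = m.group(1)
            # Attach the HTTP status only if the request went to the same host.
            same_host = last_http and endpoint.startswith(last_http["host"])
            findings.append({
                "resource": resource,
                "endpoint": endpoint,
                "status": last_http["status"] if same_host else None,
                "handler_error": False,
            })
        # The CLI's own error formatting raised a second exception in this log.
        if HANDLER_ERR in line and findings:
            findings[-1]["handler_error"] = True
    return findings


if __name__ == "__main__":
    for finding in triage_msi_failures(SAMPLE_LOG):
        print(finding)
```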