"(MissingSubscription) The request did not have a subscription or a valid tenant level resource provider." in DevOps pipeline #28372
Comments
nelson-w
added
the
bug
|
Thank you for opening this issue, we will look into it. |
microsoft-github-policy-service
bot
added
customer-reported
microsoft-github-policy-service
bot
added
Azure CLI Team
yonzhan
added
Service Attention
|
From the debug log, it seems the double quotes ( This results in a wrong URL: As this command works in a local shell, I guess some changes have been made on the Azure DevOps YML pipeline. For example, are you passing |
|
Thanks for picking that up. We were using this command to get the scope, which worked in previous runs: I've now updated it so that the SP id and the scope has a The error is now different, here is another run: az role assignment create --assignee-object-id 523cafde-9001-4d5f-b1f8-0e82d325a459 --assignee-principal-type ServicePrincipal --role Contributor --scope /subscriptions/8d4f0f59-30a1-4912-86f4-28b59b7dbf13/resourceGroups/mcaps/providers/Microsoft.SignalRService/SignalR/mcaps-prod-east-us-signalr --only-show-errors During handling of the above exception, another exception occurred: Traceback (most recent call last): INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1 |
I don't think it works previously. By default, the output is in JSON format, where the value is quoted. For example
Using
The command actually succeeded and returned the created role assignment as expected. The error in the |
|
You need to delete the preceding "/" under --scope to leave --scope "subscriptions/<subscription_id>/resourceGroups |
Describe the bug
I'm trying to run the following command in AzureCLI@2 task within an Azure DevOps yml pipeline:
az role assignment create --assignee-object-id "523cafde-9001-4d5f-b1f8-0e82d325a459" --assignee-principal-type ServicePrincipal --role Contributor --scope "/subscriptions/8d4f0f59-30a1-4912-86f4-28b59b7dbf13/resourceGroups/mcaps/providers/Microsoft.SignalRService/SignalR/mcaps-prod-west-us-signalr" --only-show-errorsBut I get this following error:
ERROR: (MissingSubscription) The request did not have a subscription or a valid tenant level resource provider.
Code: MissingSubscription
Message: The request did not have a subscription or a valid tenant level resource provider.
I threw in an
az account showjust before the assignment command is run and I get this:{
"environmentName": "AzureCloud",
"homeTenantId": "",
"id": "8d4f0f59-30a1-4912-86f4-28b59b7dbf13",
"isDefault": true,
"managedByTenants": [],
"name": "Our Websites",
"state": "Enabled",
"tenantId": "",
"user": {
"name": "***",
"type": "servicePrincipal"
}
}
So it looks like there is a subscription in this context.
I've also added
--subscription 8d4f0f59-30a1-4912-86f4-28b59b7dbf13to the command as well, explicitly setting the subscription - No luck there too, exact same error.The last time I saw this step succeed was January 29th 2024, however we have been unable to get this step to succeed ever since.
I checked our service principal's rbac roles and we have "Contributor" assigned.
Any ideas on what else to check?
Related command
az role assignment create --assignee-object-id "523cafde-9001-4d5f-b1f8-0e82d325a459" --assignee-principal-type ServicePrincipal --role Contributor --scope "/subscriptions/8d4f0f59-30a1-4912-86f4-28b59b7dbf13/resourceGroups/mcaps/providers/Microsoft.SignalRService/SignalR/mcaps-prod-west-us-signalr" --only-show-errors
Errors
ERROR: (MissingSubscription) The request did not have a subscription or a valid tenant level resource provider.
Code: MissingSubscription
Message: The request did not have a subscription or a valid tenant level resource provider.
Issue script & Debug output
024-02-15T04:52:03.0346875Z DEBUG: cli.knack.cli: Command arguments: ['role', 'assignment', 'create', '--assignee-object-id', '"523cafde-9001-4d5f-b1f8-0e82d325a459"', '--assignee-principal-type', 'ServicePrincipal', '--role', 'Contributor', '--scope', '"/subscriptions/8d4f0f59-30a1-4912-86f4-28b59b7dbf13/resourceGroups/mcaps/providers/Microsoft.SignalRService/SignalR/mcaps-prod-east-us-signalr"', '--debug']
DEBUG: cli.knack.cli: init debug log:
Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7fb6dbdc8180>, <function OutputProducer.on_global_arguments at 0x7fb6dbd762a0>, <function CLIQuery.on_global_arguments at 0x7fb6dbda7d80>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'role': ['azure.cli.command_modules.role']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands
DEBUG: cli.azure.cli.core: role 0.006 17 61
DEBUG: cli.azure.cli.core: Total (1) 0.006 17 61
DEBUG: cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
DEBUG: cli.azure.cli.core: Loading extensions:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands Directory
DEBUG: cli.azure.cli.core: Total (0) 0.000 0 0
DEBUG: cli.azure.cli.core: Loaded 17 groups, 61 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command : role assignment create
DEBUG: cli.azure.cli.core: Command table: role assignment create
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7fb6daca19e0>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/vsts/work/_temp/.azclitask/commands/.2167.log'.
INFO: az_command_data_logger: command args: role assignment create --assignee-object-id {} --assignee-principal-type {} --role {} --scope {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x7fb6dacaff60>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x7fb6dad15d00>, <function register_cache_arguments..add_cache_arguments at 0x7fb6dad15e40>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7fb6dbd76340>, <function CLIQuery.handle_query_parameter at 0x7fb6dbda7e20>, <function register_ids_argument..parse_ids_arguments at 0x7fb6dad15da0>]
DEBUG: cli.azure.cli.core.commands.client_factory: Getting management service client client_type=AuthorizationManagementClient
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/vsts/work/_temp/.azclitask/service_principal_entries.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.persistence: build_persistence: location='/home/vsts/work/_temp/.azclitask/msal_token_cache.json', encrypt=False
DEBUG: cli.azure.cli.core.auth.binary_cache: load: /home/vsts/work/_temp/.azclitask/msal_http_cache.bin
DEBUG: urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
DEBUG: msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/***/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/***/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/***/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/***/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
DEBUG: msal.application: Broker enabled? None
DEBUG: cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
DEBUG: cli.azure.cli.core.auth.msal_authentication: ServicePrincipalCredential.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
DEBUG: msal.application: Cache hit an AT
DEBUG: msal.telemetry: Generate or reuse correlation_id: b12ab079-9cbe-4821-925d-b6d1eff9160c
DEBUG: cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/"/subscriptions/8d4f0f59-30a1-4912-86f4-28b59b7dbf13/resourceGroups/mcaps/providers/Microsoft.SignalRService/SignalR/mcaps-prod-east-us-signalr"/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20%27Contributor%27&api-version=2022-05-01-preview'
DEBUG: cli.azure.cli.core.sdk.policies: Request method: 'GET'
DEBUG: cli.azure.cli.core.sdk.policies: Request headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'f5dc55d7-cbbd-11ee-9516-d916d797ed31'
DEBUG: cli.azure.cli.core.sdk.policies: 'CommandName': 'role assignment create'
DEBUG: cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--assignee-object-id --assignee-principal-type --role --scope --debug'
DEBUG: cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.57.0 (DEB) azsdk-python-azure-mgmt-authorization/4.0.0 Python/3.11.7 (Linux-6.2.0-1019-azure-x86_64-with-glibc2.35) VSTS_e6777b3d-58c5-4171-a55a-094b536129d0_build_513_0'
DEBUG: cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
DEBUG: cli.azure.cli.core.sdk.policies: Request body:
DEBUG: cli.azure.cli.core.sdk.policies: This request has no body
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
DEBUG: urllib3.connectionpool: https://management.azure.com:443 "GET /%22/subscriptions/8d4f0f59-30a1-4912-86f4-28b59b7dbf13/resourceGroups/mcaps/providers/Microsoft.SignalRService/SignalR/mcaps-prod-east-us-signalr%22/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20%27Contributor%27&api-version=2022-05-01-preview HTTP/1.1" 404 135
DEBUG: cli.azure.cli.core.sdk.policies: Response status: 404
DEBUG: cli.azure.cli.core.sdk.policies: Response headers:
DEBUG: cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Length': '135'
DEBUG: cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
DEBUG: cli.azure.cli.core.sdk.policies: 'Expires': '-1'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-failure-cause': 'gateway'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '7ddefb44-3e87-42e4-9cd1-1c4d9d3665bc'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '7ddefb44-3e87-42e4-9cd1-1c4d9d3665bc'
DEBUG: cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'WESTUS:20240215T045203Z:7ddefb44-3e87-42e4-9cd1-1c4d9d3665bc'
DEBUG: cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
DEBUG: cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 3C8272BFADB444209886766BD997C77B Ref B: SJC211051204009 Ref C:
DEBUG: cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 15 Feb 2024 04:52:03 GMT'
DEBUG: cli.azure.cli.core.sdk.policies: Response content:
DEBUG: cli.azure.cli.core.sdk.policies: {"error":{"code":"MissingSubscription","message":"The request did not have a subscription or a valid tenant level resource provider."}}
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/opt/az/lib/python3.11/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/init.py", line 664, in execute
raise ex
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/init.py", line 729, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/init.py", line 698, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/init.py", line 334, in call
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
return op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 180, in create_role_assignment
return _create_role_assignment(cmd.cli_ctx, role, object_id, scope=scope, resolve_assignee=False,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 201, in _create_role_assignment
role_id = _resolve_role_id(role, scope, definitions_client)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/command_modules/role/custom.py", line 610, in _resolve_role_id
role_defs = list(definitions_client.list(scope, "roleName eq '{}'".format(role)))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/core/paging.py", line 123, in next
return next(self._page_iterator)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/core/paging.py", line 75, in next
self._response = self._get_next(self.continuation_token)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/mgmt/authorization/v2022_05_01_preview/operations/_role_definitions_operations.py", line 552, in get_next
map_error(status_code=response.status_code, response=response, error_map=error_map)
File "/opt/az/lib/python3.11/site-packages/azure/core/exceptions.py", line 112, in map_error
raise error
azure.core.exceptions.ResourceNotFoundError: (MissingSubscription) The request did not have a subscription or a valid tenant level resource provider.
Code: MissingSubscription
Message: The request did not have a subscription or a valid tenant level resource provider.
ERROR: cli.azure.cli.core.azclierror: (MissingSubscription) The request did not have a subscription or a valid tenant level resource provider.
Code: MissingSubscription
Message: The request did not have a subscription or a valid tenant level resource provider.
ERROR: az_command_data_logger: (MissingSubscription) The request did not have a subscription or a valid tenant level resource provider.
Code: MissingSubscription
Message: The request did not have a subscription or a valid tenant level resource provider.
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7fb6daca1c60>]
INFO: az_command_data_logger: exit code: 3
INFO: cli.main: Command ran in 0.816 seconds (init: 0.266, invoke: 0.550)
INFO: cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
File "/opt/az/lib/python3.11/site-packages/azure/cli/main.py", line 62, in
raise ex
File "/opt/az/lib/python3.11/site-packages/azure/cli/main.py", line 55, in
sys.exit(exit_code)
SystemExit: 3
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/decorators.py", line 79, in _wrapped_func
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/azure/cli/core/telemetry.py", line 532, in _get_secrets_warning_config
show_secrets_warning = _get_config().getboolean('clients', 'show_secrets_warning', fallback=None)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/az/lib/python3.11/site-packages/knack/config.py", line 147, in getboolean
raise ValueError('Not a boolean: {}'.format(val))
ValueError: Not a boolean: None
Expected behavior
The command should run without errors.
Environment Summary
azure-cli 2.57.0
core 2.57.0
telemetry 1.1.0
Extensions:
azure-devops 0.26.0
Dependencies:
msal 1.26.0
azure-mgmt-resource 23.1.0b2
Python location '/opt/az/bin/python3'
Extensions directory '/opt/az/azcliextensions'
Python (Linux) 3.11.7 (main, Jan 31 2024, 05:29:49) [GCC 11.4.0]
Additional context
No response
The text was updated successfully, but these errors were encountered: