Describe the bug
According to documentation, the /keys scope can be passed to the role assignment. As expected, it works fine when the hsm-name is passed such as with the following command: az keyvault role assignment create --hsm-name ContosoMHSM --role "Managed HSM Crypto User" --assignee user2@contoso.com --scope /keys
However, when a customer uses the --id parameter instead of hsm-name, such as with the following command: az keyvault role assignment create --id [URL] --role "Managed HSM Crypto User" --assignee [assignee alias] --scope /keys
the role assignment creation fails with the following error: (Invalidkeyidentifier) Invalid key identifier (Activity ID: 2edc462e-8a55-11ef-ae95-002248f44f2f) Code: Invalidkeyidentifier Message: Invalid key identifier.
The expectation is that the behavior should be same in both the cases when the --hsm-name or --id parameter is passed.
Related command
az keyvault role assignment create --id [id] --role [role name] --assignee [assignee] --scope [keyname]
Errors
(Invalidkeyidentifier) Invalid key identifier (Activity ID: 2edc462e-8a55-11ef-ae95-002248f44f2f)
Code: Invalidkeyidentifier
Message: Invalid key identifier (Activity ID: 2edc462e-8a55-11ef-ae95-002248f44f2f)
Issue script & Debug output
cli.knack.cli: Command arguments: ['keyvault', 'role', 'assignment', 'create', '--id', '[id url]', '--role', 'Managed HSM Crypto User', '--assignee', '[assignee alias]', '--scope', '/keys', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x022DF938>, <function OutputProducer.on_global_arguments at 0x02407A28>, <function CLIQuery.on_global_arguments at 0x024287F8>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: keyvault 0.026 20 113
cli.azure.cli.core: Total (1) 0.026 20 113
cli.azure.cli.core: Loaded 20 groups, 113 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : keyvault role assignment create
cli.azure.cli.core: Command table: keyvault role assignment create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x046E05C8>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\mariammuchai.azure\commands\2024-10-14.13-55-40.keyvault_role_assignment_create.31916.log'.
az_command_data_logger: command args: keyvault role assignment create --id {} --role {} --assignee {} --scope {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x0470E708>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x0470E7F8>, <function register_cache_arguments..add_cache_arguments at 0x047319D8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x02407A78>, <function CLIQuery.handle_query_parameter at 0x02428848>, <function register_ids_argument..parse_ids_arguments at 0x04731988>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\mariammuchai\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\mariammuchai.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 7b0003e6-a97d-4dba-831d-68e3714e92c0
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/users?$filter=userPrincipalName%20eq%20%27mariammuchai%40microsoft.com%27'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.11.7 (Windows-10-10.0.22631-SP0) AZURECLI/2.57.0 (MSI)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '/'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': 'a977d1cc-21de-4e3e-b1a6-a6e71d5afb37'
cli.azure.cli.core.util: 'CommandName': 'keyvault role assignment create'
cli.azure.cli.core.util: 'ParameterSetName': '--id --role --assignee --scope --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/users?$filter=userPrincipalName%20eq%20%27mariammuchai%40microsoft.com%27 HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json; odata.metadata=minimal; odata.streaming=true; IEEE754Compatible=false; charset=utf-8'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': 'f37df802-be42-4f59-b5f9-59534ff9fba1'
cli.azure.cli.core.util: 'client-request-id': 'f37df802-be42-4f59-b5f9-59534ff9fba1'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"MWH0EPF0005A6B0"}}'
cli.azure.cli.core.util: 'x-ms-resource-unit': '2'
cli.azure.cli.core.util: 'OData-Version': '4.0'
cli.azure.cli.core.util: 'Date': 'Mon, 14 Oct 2024 20:55:42 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","value":[{"businessPhones":[],"displayName":"Mariam Muchai","givenName":"Mariam","jobTitle":"SOFTWARE ENGINEER","mail":"mariammuchai@microsoft.com","mobilePhone":null,"officeLocation":"STUDIO B/3618","preferredLanguage":null,"surname":"Muchai","userPrincipalName":"mariammuchai@microsoft.com","id":"9933f8d7-05a3-4a4f-abba-73625c5f23e3"}]}
urllib3.connectionpool: Starting new HTTPS connection (1): australiacentral.attest-d3.managedhsm-int.azure-int.net:443
urllib3.connectionpool: https://australiacentral.attest-d3.managedhsm-int.azure-int.net:443 "GET /keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4 HTTP/1.1" 401 2
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://managedhsm.azure.net/.default',), kwargs={'tenant_id': '72f988bf-86f1-41af-91ab-2d7cd011db47'}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://managedhsm.azure.net/.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 17dd4112-fd15-4bff-9c8d-a28e3d483547
urllib3.connectionpool: https://australiacentral.attest-d3.managedhsm-int.azure-int.net:443 "GET /keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4 HTTP/1.1" 400 128
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 112, in keyvault_command_handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/custom.py", line 1952, in create_role_assignment
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/custom.py", line 1865, in _resolve_role_id
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 123, in next
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 75, in next
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/administration/_generated/operations/_role_definitions_operations.py", line 539, in get_next
azure.core.exceptions.HttpResponseError: (Invalidkeyidentifier) Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
Code: Invalidkeyidentifier
Message: Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 664, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 729, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 698, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 334, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 138, in keyvault_command_handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 51, in keyvault_exception_handler
knack.util.CLIError: (Invalidkeyidentifier) Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
Code: Invalidkeyidentifier
Message: Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
cli.azure.cli.core.azclierror: (Invalidkeyidentifier) Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
Code: Invalidkeyidentifier
Message: Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
az_command_data_logger: (Invalidkeyidentifier) Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
Code: Invalidkeyidentifier
Message: Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x046E0708>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 10.303 seconds (init: 1.061, invoke: 9.242)
cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 62, in
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 55, in
SystemExit: 1
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/decorators.py", line 79, in _wrapped_func
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/telemetry.py", line 532, in _get_secrets_warning_config
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/config.py", line 147, in getboolean
ValueError: Not a boolean: None
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3662 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init_.pyc C:\Users[user redacted].azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
Role assignment should succeed with output of id, name, principalId, principalName, principalType, roleDefinitionId, roleName, scope, and type.
Environment Summary
azure-cli 2.57.0 *
core 2.57.0 *
telemetry 1.1.0
Dependencies:
msal 1.26.0
azure-mgmt-resource 23.1.0b2
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\mariammuchai.azure\cliextensions'
Python (Windows) 3.11.7 (tags/v3.11.7:fa7a6f2, Dec 4 2023, 19:13:08) [MSC v.1937 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
You have 2 update(s) available. Consider updating your CLI installation with 'az upgrade'
Additional context
No response
Describe the bug
According to documentation, the
/keysscope can be passed to the role assignment. As expected, it works fine when thehsm-nameis passed such as with the following command: az keyvault role assignment create --hsm-name ContosoMHSM --role "Managed HSM Crypto User" --assignee user2@contoso.com --scope /keysHowever, when a customer uses the --id parameter instead of
hsm-name, such as with the following command: az keyvault role assignment create --id [URL] --role "Managed HSM Crypto User" --assignee [assignee alias] --scope /keysthe role assignment creation fails with the following error: (Invalidkeyidentifier) Invalid key identifier (Activity ID: 2edc462e-8a55-11ef-ae95-002248f44f2f) Code: Invalidkeyidentifier Message: Invalid key identifier.
The expectation is that the behavior should be same in both the cases when the --hsm-name or --id parameter is passed.
Related command
az keyvault role assignment create --id [id] --role [role name] --assignee [assignee] --scope [keyname]
Errors
(Invalidkeyidentifier) Invalid key identifier (Activity ID: 2edc462e-8a55-11ef-ae95-002248f44f2f)
Code: Invalidkeyidentifier
Message: Invalid key identifier (Activity ID: 2edc462e-8a55-11ef-ae95-002248f44f2f)
Issue script & Debug output
cli.knack.cli: Command arguments: ['keyvault', 'role', 'assignment', 'create', '--id', '[id url]', '--role', 'Managed HSM Crypto User', '--assignee', '[assignee alias]', '--scope', '/keys', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x022DF938>, <function OutputProducer.on_global_arguments at 0x02407A28>, <function CLIQuery.on_global_arguments at 0x024287F8>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: keyvault 0.026 20 113
cli.azure.cli.core: Total (1) 0.026 20 113
cli.azure.cli.core: Loaded 20 groups, 113 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : keyvault role assignment create
cli.azure.cli.core: Command table: keyvault role assignment create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x046E05C8>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\mariammuchai.azure\commands\2024-10-14.13-55-40.keyvault_role_assignment_create.31916.log'.
az_command_data_logger: command args: keyvault role assignment create --id {} --role {} --assignee {} --scope {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x0470E708>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x0470E7F8>, <function register_cache_arguments..add_cache_arguments at 0x047319D8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x02407A78>, <function CLIQuery.handle_query_parameter at 0x02428848>, <function register_ids_argument..parse_ids_arguments at 0x04731988>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\mariammuchai\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\mariammuchai.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.util: Retrieving token for resource https://graph.microsoft.com/
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? False
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://graph.microsoft.com//.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 7b0003e6-a97d-4dba-831d-68e3714e92c0
cli.azure.cli.core.util: Request URL: 'https://graph.microsoft.com/v1.0/users?$filter=userPrincipalName%20eq%20%27mariammuchai%40microsoft.com%27'
cli.azure.cli.core.util: Request method: 'GET'
cli.azure.cli.core.util: Request headers:
cli.azure.cli.core.util: 'User-Agent': 'python/3.11.7 (Windows-10-10.0.22631-SP0) AZURECLI/2.57.0 (MSI)'
cli.azure.cli.core.util: 'Accept-Encoding': 'gzip, deflate'
cli.azure.cli.core.util: 'Accept': '/'
cli.azure.cli.core.util: 'Connection': 'keep-alive'
cli.azure.cli.core.util: 'x-ms-client-request-id': 'a977d1cc-21de-4e3e-b1a6-a6e71d5afb37'
cli.azure.cli.core.util: 'CommandName': 'keyvault role assignment create'
cli.azure.cli.core.util: 'ParameterSetName': '--id --role --assignee --scope --debug'
cli.azure.cli.core.util: 'Authorization': 'Bearer eyJ0eXAiOiJKV...'
cli.azure.cli.core.util: Request body:
cli.azure.cli.core.util: None
urllib3.connectionpool: Starting new HTTPS connection (1): graph.microsoft.com:443
urllib3.connectionpool: https://graph.microsoft.com:443 "GET /v1.0/users?$filter=userPrincipalName%20eq%20%27mariammuchai%40microsoft.com%27 HTTP/1.1" 200 None
cli.azure.cli.core.util: Response status: 200
cli.azure.cli.core.util: Response headers:
cli.azure.cli.core.util: 'Cache-Control': 'no-cache'
cli.azure.cli.core.util: 'Transfer-Encoding': 'chunked'
cli.azure.cli.core.util: 'Content-Type': 'application/json; odata.metadata=minimal; odata.streaming=true; IEEE754Compatible=false; charset=utf-8'
cli.azure.cli.core.util: 'Content-Encoding': 'gzip'
cli.azure.cli.core.util: 'Vary': 'Accept-Encoding'
cli.azure.cli.core.util: 'Strict-Transport-Security': 'max-age=31536000'
cli.azure.cli.core.util: 'request-id': 'f37df802-be42-4f59-b5f9-59534ff9fba1'
cli.azure.cli.core.util: 'client-request-id': 'f37df802-be42-4f59-b5f9-59534ff9fba1'
cli.azure.cli.core.util: 'x-ms-ags-diagnostic': '{"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"MWH0EPF0005A6B0"}}'
cli.azure.cli.core.util: 'x-ms-resource-unit': '2'
cli.azure.cli.core.util: 'OData-Version': '4.0'
cli.azure.cli.core.util: 'Date': 'Mon, 14 Oct 2024 20:55:42 GMT'
cli.azure.cli.core.util: Response content:
cli.azure.cli.core.util: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","value":[{"businessPhones":[],"displayName":"Mariam Muchai","givenName":"Mariam","jobTitle":"SOFTWARE ENGINEER","mail":"mariammuchai@microsoft.com","mobilePhone":null,"officeLocation":"STUDIO B/3618","preferredLanguage":null,"surname":"Muchai","userPrincipalName":"mariammuchai@microsoft.com","id":"9933f8d7-05a3-4a4f-abba-73625c5f23e3"}]}
urllib3.connectionpool: Starting new HTTPS connection (1): australiacentral.attest-d3.managedhsm-int.azure-int.net:443
urllib3.connectionpool: https://australiacentral.attest-d3.managedhsm-int.azure-int.net:443 "GET /keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4 HTTP/1.1" 401 2
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://managedhsm.azure.net/.default',), kwargs={'tenant_id': '72f988bf-86f1-41af-91ab-2d7cd011db47'}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://managedhsm.azure.net/.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 17dd4112-fd15-4bff-9c8d-a28e3d483547
urllib3.connectionpool: https://australiacentral.attest-d3.managedhsm-int.azure-int.net:443 "GET /keys/providers/Microsoft.Authorization/roleDefinitions?api-version=7.4 HTTP/1.1" 400 128
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 112, in keyvault_command_handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/custom.py", line 1952, in create_role_assignment
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/custom.py", line 1865, in _resolve_role_id
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 123, in next
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 75, in next
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/administration/_generated/operations/_role_definitions_operations.py", line 539, in get_next
azure.core.exceptions.HttpResponseError: (Invalidkeyidentifier) Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
Code: Invalidkeyidentifier
Message: Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 664, in execute
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 729, in _run_jobs_serially
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 698, in _run_job
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 334, in call
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 138, in keyvault_command_handler
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 51, in keyvault_exception_handler
knack.util.CLIError: (Invalidkeyidentifier) Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
Code: Invalidkeyidentifier
Message: Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
cli.azure.cli.core.azclierror: (Invalidkeyidentifier) Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
Code: Invalidkeyidentifier
Message: Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
az_command_data_logger: (Invalidkeyidentifier) Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
Code: Invalidkeyidentifier
Message: Invalid key identifier (Activity ID: ae76f42e-8a6e-11ef-9252-002248f44f2f)
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x046E0708>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 10.303 seconds (init: 1.061, invoke: 9.242)
cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 62, in
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 55, in
SystemExit: 1
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/decorators.py", line 79, in _wrapped_func
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/telemetry.py", line 532, in _get_secrets_warning_config
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/config.py", line 147, in getboolean
ValueError: Not a boolean: None
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3662 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry_init_.pyc C:\Users[user redacted].azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
Role assignment should succeed with output of id, name, principalId, principalName, principalType, roleDefinitionId, roleName, scope, and type.
Environment Summary
azure-cli 2.57.0 *
core 2.57.0 *
telemetry 1.1.0
Dependencies:
msal 1.26.0
azure-mgmt-resource 23.1.0b2
Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\mariammuchai.azure\cliextensions'
Python (Windows) 3.11.7 (tags/v3.11.7:fa7a6f2, Dec 4 2023, 19:13:08) [MSC v.1937 32 bit (Intel)]
Legal docs and information: aka.ms/AzureCliLegal
You have 2 update(s) available. Consider updating your CLI installation with 'az upgrade'
Additional context
No response