
az aro create - Insufficient privileges to complete the operation. #27352

@stormshaun


Describe the bug

az aro create results in Insufficient privileges to complete the operation.

Have already confirmed the following:

Registered providers:
Microsoft.Authorization
Microsoft.Storage
Microsoft.Compute
Microsoft.RedHatOpenShift

Service Principal already granted Directory.Read.All permissions

Executing command
az aro create with --client-id ${var.CLIENTID} --client-secret ${var.CLIENTSECRET} in the command

Related command

```
az aro create --resource-group ${azurerm_resource_group.aro.name} --cluster-resource-group ${local.rg-clustername} --name ${local.aro-name} --vnet ${local.vnet-name} --vnet-resource-group ${local.vnet-rg-name} --master-subnet ${local.subnet-name-master} --worker-subnet ${local.subnet-name-worker} --master-vm-size ${var.master-node-size} --worker-vm-size ${var.worker-node-size} --worker-vm-size ${var.worker-node-size} --subscription ${var.subscription-guid} --pull-secret @pull-secret.txt --client-id ${var.clientid} --client-secret ${var.clientsecret} --debug
```

Errors

```
null_resource.aro (local-exec): DEBUG: urllib3.connectionpool: https://graph.windows.net:443 "GET /<tenant IDxxxxxxxxxxxxxxxxxxxx/servicePrincipals?$filter=appId%20eq%20%27f1dd0a37-89c6-4e07-bcd1-ffd3d43d8875%27&api-version=1.6 HTTP/1.1" 403 219
null_resource.aro (local-exec): DEBUG: msrest.http_logger: Response status: 403

null_resource.aro (local-exec): DEBUG: msrest.http_logger: Response content:
null_resource.aro (local-exec): DEBUG: msrest.http_logger: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"
null_resource.aro (local-exec): DEBUG: msrest.exceptions: Insufficient privileges to complete the operation.
```

Issue script & Debug output

```
2023-09-09T03:13:42.2741965Z ╷
2023-09-09T03:13:42.2742645Z │ Error: local-exec provisioner error
2023-09-09T03:13:42.2742921Z │
2023-09-09T03:13:42.2743196Z │   with null_resource.aro,
2023-09-09T03:13:42.2743547Z │   on azure-aro.tf line 2, in resource "null_resource" "aro":
2023-09-09T03:13:42.2743903Z │    2: provisioner "local-exec" {
.......
.......
2023-09-09T03:13:42.2761675Z │ DEBUG: msrest.http_logger: Request URL:
2023-09-09T03:13:42.2762202Z │ 'https://graph.windows.net/TENANT-ID-REDACTED/servicePrincipals?$filter=appId%20eq%20%27f1dd0a37-89c6-4e07-bcd1-ffd3d43d8875%27&api-version=1.6'
2023-09-09T03:13:42.2762615Z │ DEBUG: msrest.http_logger: Request method: 'GET'
2023-09-09T03:13:42.2762915Z │ DEBUG: msrest.http_logger: Request headers:
2023-09-09T03:13:42.2763237Z │ DEBUG: msrest.http_logger: 'Accept': 'application/json'
2023-09-09T03:13:42.2763570Z │ DEBUG: msrest.http_logger: 'accept-language': 'en-US'
2023-09-09T03:13:42.2763900Z │ DEBUG: msrest.http_logger: 'User-Agent': 'python/3.6.10
2023-09-09T03:13:42.2764345Z │ (Linux-5.15.0-1041-azure-x86_64-with-debian-buster-sid) msrest/0.6.21
2023-09-09T03:13:42.2764729Z │ VSTS_2ebe675c-78bb-4da1-a40b-506b46ac1a8f_build_3455_0 msrest_azure/0.6.4
2023-09-09T03:13:42.2765091Z │ azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.33.1 (DEB)'
2023-09-09T03:13:42.2765401Z │ DEBUG: msrest.http_logger: Request body:
2023-09-09T03:13:42.2765674Z │ DEBUG: msrest.http_logger: None
2023-09-09T03:13:42.2765995Z │ DEBUG: msrest.universal_http: Configuring redirects: allow=True, max=30
2023-09-09T03:13:42.2766345Z │ DEBUG: msrest.universal_http: Configuring request: timeout=100,
2023-09-09T03:13:42.2766626Z │ verify=True, cert=None
2023-09-09T03:13:42.2766927Z │ DEBUG: msrest.universal_http: Configuring proxies: ''
2023-09-09T03:13:42.2767277Z │ DEBUG: msrest.universal_http: Evaluate proxies against ENV settings: True
2023-09-09T03:13:42.2767651Z │ DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1):
2023-09-09T03:13:42.2767944Z │ graph.windows.net:443
2023-09-09T03:13:42.2768325Z │ DEBUG: urllib3.connectionpool: https://graph.windows.net:443 "GET
2023-09-09T03:13:42.2768831Z │ /TENANT-ID-REDACTED/servicePrincipals?$filter=appId%20eq%20%27f1dd0a37-89c6-4e07-bcd1-ffd3d43d8875%27&api-version=1.6
2023-09-09T03:13:42.2769166Z │ HTTP/1.1" 403 219
2023-09-09T03:13:42.2769453Z │ DEBUG: msrest.http_logger: Response status: 403
2023-09-09T03:13:42.2769754Z │ DEBUG: msrest.http_logger: Response headers:
2023-09-09T03:13:42.2770073Z │ DEBUG: msrest.http_logger: 'Cache-Control': 'no-cache'
2023-09-09T03:13:42.2770390Z │ DEBUG: msrest.http_logger: 'Pragma': 'no-cache'
2023-09-09T03:13:42.2770733Z │ DEBUG: msrest.http_logger: 'Content-Type': 'application/json;
2023-09-09T03:13:42.2771141Z │ odata=minimalmetadata; streaming=true; charset=utf-8'
2023-09-09T03:13:42.2771453Z │ DEBUG: msrest.http_logger: 'Expires': '-1'
2023-09-09T03:13:42.2771773Z │ DEBUG: msrest.http_logger: 'ocp-aad-diagnostics-server-name':
2023-09-09T03:13:42.2772099Z │ 'rHCqsk1QDWiEF588KPt5NxQV/+xUHCPn+1VhU5BiDOA='
2023-09-09T03:13:42.2772399Z │ DEBUG: msrest.http_logger: 'request-id':
2023-09-09T03:13:42.2772697Z │ '46650a6e-da34-48ff-9b1f-7b46bb935ea5'
2023-09-09T03:13:42.2773003Z │ DEBUG: msrest.http_logger: 'client-request-id':
2023-09-09T03:13:42.2773307Z │ 'e0201a4c-4ebe-11ee-99c6-0242ac120002'
2023-09-09T03:13:42.2773651Z │ DEBUG: msrest.http_logger: 'x-ms-dirapi-data-contract-version': '1.6'
2023-09-09T03:13:42.2773990Z │ DEBUG: msrest.http_logger: 'Duration': '1047011'
2023-09-09T03:13:42.2774314Z │ DEBUG: msrest.http_logger: 'x-ms-resource-unit': '1'
2023-09-09T03:13:42.2774651Z │ DEBUG: msrest.http_logger: 'ocp-aad-session-key':
2023-09-09T03:13:42.2775192Z │ 'KM1SD2FYr-9EsfNZrRHqLRxI06ZEwLbgGV1zdjcLCA4jCu4G_zVP5DAiQ-4Fn-ilPiOqqUZ4nJlg8GrSdXq0H-pW2D4TAbYySwx7GKy94VHg90DEeYNlYto2NBh2fhBC.JfKyTuifsb4VeFoZLoV4bcqLhmdRf5LLBb85p8buWPE'
2023-09-09T03:13:42.2775625Z │ DEBUG: msrest.http_logger: 'DataServiceVersion': '3.0;'
2023-09-09T03:13:42.2775966Z │ DEBUG: msrest.http_logger: 'X-AspNet-Version': '4.0.30319'
2023-09-09T03:13:42.2776297Z │ DEBUG: msrest.http_logger: 'X-Powered-By': 'ASP.NET'
2023-09-09T03:13:42.2776628Z │ DEBUG: msrest.http_logger: 'Strict-Transport-Security':
2023-09-09T03:13:42.2776930Z │ 'max-age=31536000; includeSubDomains'
2023-09-09T03:13:42.2777261Z │ DEBUG: msrest.http_logger: 'Access-Control-Allow-Origin': '*'
2023-09-09T03:13:42.2777632Z │ DEBUG: msrest.http_logger: 'Date': 'Sat, 09 Sep 2023 03:13:41 GMT'
2023-09-09T03:13:42.2778055Z │ DEBUG: msrest.http_logger: 'Content-Length': '219'
2023-09-09T03:13:42.2778347Z │ DEBUG: msrest.http_logger: Response content:
2023-09-09T03:13:42.2778613Z │ DEBUG: msrest.http_logger:
2023-09-09T03:13:42.2778992Z │ {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient
2023-09-09T03:13:42.2779305Z │ privileges to complete the
2023-09-09T03:13:42.2779698Z │ operation."},"requestId":"46650a6e-da34-48ff-9b1f-7b46bb935ea5","date":"2023-09-09T03:13:42"}}
2023-09-09T03:13:42.2780077Z │ DEBUG: msrest.exceptions: Insufficient privileges to complete the
2023-09-09T03:13:42.2780332Z │ operation.
2023-09-09T03:13:42.2780655Z │ DEBUG: cli.azure.cli.core.util: azure.cli.core.util.handle_exception is
2023-09-09T03:13:42.2780942Z │ called with an exception:
2023-09-09T03:13:42.2781274Z │ DEBUG: cli.azure.cli.core.util: Traceback (most recent call last):
2023-09-09T03:13:42.2781650Z │   File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 231, in invoke
2023-09-09T03:13:42.2781976Z │     cmd_result = self.invocation.execute(args)
2023-09-09T03:13:42.2782367Z │   File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 658, in execute
2023-09-09T03:13:42.2782646Z │     raise ex
2023-09-09T03:13:42.2783030Z │   File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 721, in _run_jobs_serially
2023-09-09T03:13:42.2783397Z │     results.append(self._run_job(expanded_arg, cmd_copy))
2023-09-09T03:13:42.2783801Z │   File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 692, in _run_job
2023-09-09T03:13:42.2784117Z │     result = cmd_copy(params)
2023-09-09T03:13:42.2784500Z │   File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 328, in __call__
2023-09-09T03:13:42.2784908Z │     return self.handler(*args, **kwargs)
2023-09-09T03:13:42.2785301Z │   File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
2023-09-09T03:13:42.2785622Z │     return op(**command_args)
2023-09-09T03:13:42.2786008Z │   File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/aro/custom.py", line 80, in aro_create
2023-09-09T03:13:42.2786391Z │     rp_client_sp = aad.get_service_principal(resolve_rp_client_id())
2023-09-09T03:13:42.2786828Z │   File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/aro/_aad.py", line 54, in get_service_principal
2023-09-09T03:13:42.2787171Z │     filter="appId eq '%s'" % app_id))
2023-09-09T03:13:42.2787529Z │   File "/opt/az/lib/python3.6/site-packages/msrest/paging.py", line 143, in next
2023-09-09T03:13:42.2787831Z │     self.advance_page()
2023-09-09T03:13:42.2788189Z │   File "/opt/az/lib/python3.6/site-packages/msrest/paging.py", line 129, in advance_page
2023-09-09T03:13:42.2788528Z │     self._response = self._get_next(self.next_link)
2023-09-09T03:13:42.2788983Z │   File "/opt/az/lib/python3.6/site-packages/azure/graphrbac/operations/service_principals_operations.py", line 159, in internal_paging
2023-09-09T03:13:42.2789386Z │     raise models.GraphErrorException(self._deserialize, response)
2023-09-09T03:13:42.2789753Z │ azure.graphrbac.models.graph_error_py3.GraphErrorException: Insufficient
2023-09-09T03:13:42.2790109Z │ privileges to complete the operation.
2023-09-09T03:13:42.2790327Z │
2023-09-09T03:13:42.2790635Z │ ERROR: cli.azure.cli.core.azclierror: Insufficient privileges to complete
2023-09-09T03:13:42.2790903Z │ the operation.
2023-09-09T03:13:42.2791299Z │ ERROR: az_command_data_logger: Insufficient privileges to complete the
2023-09-09T03:13:42.2791560Z │ operation.
2023-09-09T03:13:42.2791849Z │ DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function
2023-09-09T03:13:42.2792178Z │ AzCliLogging.deinit_cmd_metadata_logging at 0x7f909f522840>]
2023-09-09T03:13:42.2792487Z │ INFO: az_command_data_logger: exit code: 1
2023-09-09T03:13:42.2792832Z │ INFO: cli.main: Command ran in 1.638 seconds (init: 0.144, invoke:
2023-09-09T03:13:42.2793085Z │ 1.494)
2023-09-09T03:13:42.2793393Z │ INFO: telemetry.save: Save telemetry record of length 3248 in cache
2023-09-09T03:13:42.2793700Z │ WARNING: telemetry.check: Negative: The
2023-09-09T03:13:42.2794173Z │ /home/vsts_azpcontainer/.azure/telemetry.txt was modified at 2023-09-09
2023-09-09T03:13:42.2794530Z │ 03:13:16.896036, which in less than 600.000000 s
2023-09-09T03:13:42.2794888Z │ DEBUG: cli.azure.cli.core.auth.identity: _dump_msal_http_cache:
2023-09-09T03:13:42.2795214Z │ /home/vsts_azpcontainer/.azure/msal_http_cache.bin
2023-09-09T03:13:42.2795444Z │
2023-09-09T03:13:42.2795637Z ╵
2023-09-09T03:13:42.3653051Z time=2023-09-09T03:13:42Z level=error msg=1 error occurred:
2023-09-09T03:13:42.3653350Z * exit status 1
```

Expected behavior

ARO cluster created via az aro create

Environment Summary

azure-cli 2.33.1 *

core 2.33.1 *
telemetry 1.0.6 *

Extensions:
azure-devops 0.23.0

Dependencies:
msal 1.16.0
azure-mgmt-resource 20.0.0

Additional context

No response


Labels

ARO: az aro (Azure Redhat OpenShift)
Auto-Assign: Auto assign by bot
Auto-Resolve: Auto resolve by bot
Service Attention: This issue is responsible by Azure service team.
act-codegen-extensibility-squad
bug: This issue requires a change to an existing behavior in the product in order to be resolved.
customer-reported: Issues that are reported by GitHub users external to the Azure organization.
