az cosmosdb sql role assignment create duplicates scope

[chappleg]

Describe the bug

When I run az cosmosdb sql role assignment create I get the following error:

az cosmosdb sql role assignment create -g rg -a databaseaccount --role-definition-id 00000000-0000-0000-0000-000000000002 --principal-id [redacted] --scope '/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount'

Code: BadRequest
Message: Failed to parse the incoming request payload. Exception: System.FormatException: Could not parse property [properties] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties] due to exception: System.FormatException: Could not parse property [scope] with value [/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount] ...

For some reason, it is duplicating the scope, or it is appending the scope I provided to a scope that was derived from the resource group and account provided. I attempted to remedy this by providing no scope and I got this error:

az cosmosdb sql role assignment create -g rg -a databaseaccount --role-definition-id 00000000-0000-0000-0000-000000000002 --principal-id [redacted]

the following arguments are required: --scope/-s

So, a scope is required. Finally made it work by including an empty scope:

az cosmosdb sql role assignment create -g rg -a databaseaccount --role-definition-id 00000000-0000-0000-0000-000000000002 --principal-id [redacted] --scope ''

I followed these docs to create the role assignment: https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/how-to-grant-data-plane-access?tabs=built-in-definition%2Ccsharp&pivots=azure-interface-cli#assign-role-to-identity

The scope should either not be required, or should not be appended to anything.

Related command

az cosmosdb sql role assignment create

Errors

(BadRequest) Failed to parse the incoming request payload. Exception: System.FormatException: Could not parse property [properties] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties] due to exception: System.FormatException: Could not parse property [scope] with value [/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath] due to exception: System.FormatException: Expected path segment [dbs] at position [0] but found [subscriptions].
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.ResourcePath.ParseResourceNameFromSegments(String[] segments, Int32 index, String resourceTypePathSegment, String& resourceNamePathSegment)
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.DataPlaneResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.Validate()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.RequestHandlers.SqlRoleAssignmentRequestHandler.<HandlePutAsync>d__4.MoveNext()
ActivityId: dcd25b1e-2b82-11f0-ba2d-00155d4536a7, Microsoft.Azure.Documents.Common/2.14.0
Code: BadRequest
Message: Failed to parse the incoming request payload. Exception: System.FormatException: Could not parse property [properties] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties] due to exception: System.FormatException: Could not parse property [scope] with value [/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath] due to exception: System.FormatException: Expected path segment [dbs] at position [0] but found [subscriptions].
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.ResourcePath.ParseResourceNameFromSegments(String[] segments, Int32 index, String resourceTypePathSegment, String& resourceNamePathSegment)
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.DataPlaneResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.Validate()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.RequestHandlers.SqlRoleAssignmentRequestHandler.<HandlePutAsync>d__4.MoveNext()
ActivityId: dcd25b1e-2b82-11f0-ba2d-00155d4536a7, Microsoft.Azure.Documents.Common/2.14.0

Issue script & Debug output

cli.knack.cli: Command arguments: ['cosmosdb', 'sql', 'role', 'assignment', 'create', '-g', 'cosmos', '-a', 'databaseaccount', '--role-definition-id', '00000000-0000-0000-0000-000000000002', '--principal-id', 'principalId', '--scope', '/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f9fe4057880>, <function OutputProducer.on_global_arguments at 0x7f9fe3da2840>, <function CLIQuery.on_global_arguments at 0x7f9fe3de7d80>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'cosmosdb': ['azure.cli.command_modules.cosmosdb']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: cosmosdb                  0.153        58       200
cli.azure.cli.core: Total (1)                 0.153        58       200
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name                  Load Time    Groups  Commands  Directory
cli.azure.cli.core: Total (0)                 0.000         0         0
cli.azure.cli.core: Loaded 58 groups, 200 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : cosmosdb sql role assignment create
cli.azure.cli.core: Command table: cosmosdb sql role assignment create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f9fe2f4c400>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/user/.azure/commands/2025-05-07.20-38-19.cosmosdb_sql_role_assignment_create.2201317.log'.
az_command_data_logger: command args: cosmosdb sql role assignment create -g {} -a {} --role-definition-id {} --principal-id {} --scope {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f9fe2fa4900>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f9fe2fa7100>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f9fe2fa7240>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x7f9fe2fa72e0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [<function _documentdb_deprecate at 0x7f9fe2e1a700>]
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f9fe3da28e0>, <function CLIQuery.handle_query_parameter at 0x7f9fe3de7e20>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f9fe2fa71a0>]
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=CosmosDBManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='/home/user/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /home/user/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47
msal.authority: openid_config("https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/kerberos', 'tenant_region_scope': 'WW', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token_info: scopes=('https://management.core.windows.net//.default',), options={}
cli.azure.cli.core.auth.msal_credentials: UserCredential.acquire_token: scopes=['https://management.core.windows.net//.default'], claims_challenge=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 6e07e9fb-1cb4-42fc-86eb-f7513633be53
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/sqlRoleAssignments/df3d6955-096c-4dcf-9f9c-153224a6a5b6?api-version=2024-11-15'
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '548'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '36180f2a-2b83-11f0-ba2d-00155d4536a7'
cli.azure.cli.core.sdk.policies:     'CommandName': 'cosmosdb sql role assignment create'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '-g -a --role-definition-id --principal-id --scope --debug'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.72.0 (DEB) azsdk-python-core/1.31.0 Python/3.12.8 (Linux-5.15.167.4-microsoft-standard-WSL2-x86_64-with-glibc2.39)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"properties": {"roleDefinitionId": "/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002", "scope": "/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount", "principalId": "principalId"}}
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/sqlRoleAssignments/df3d6955-096c-4dcf-9f9c-153224a6a5b6?api-version=2024-11-15 HTTP/1.1" 400 2372
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-store, no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Length': '2372'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies:     'x-ms-gatewayversion': 'version=2.14.0'
cli.azure.cli.core.sdk.policies:     'x-ms-operation-identifier': 'tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47,objectId=principalId/westus2/c7e78253-253c-46a2-b72e-9fdde0c1efb5'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-writes': '799'
cli.azure.cli.core.sdk.policies:     'x-ms-ratelimit-remaining-subscription-global-writes': '11999'
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': 'd56f6181-9ba9-4f1a-9a08-2fce840eecbc'
cli.azure.cli.core.sdk.policies:     'x-ms-correlation-request-id': 'd56f6181-9ba9-4f1a-9a08-2fce840eecbc'
cli.azure.cli.core.sdk.policies:     'x-ms-routing-request-id': 'WESTUS2:20250507T203820Z:d56f6181-9ba9-4f1a-9a08-2fce840eecbc'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies:     'X-MSEdge-Ref': 'Ref A: B4B780557E294745B9798BD9E43892A4 Ref B: MWH011020806034 Ref C: 2025-05-07T20:38:19Z'
cli.azure.cli.core.sdk.policies:     'Date': 'Wed, 07 May 2025 20:38:19 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: Body is streamable
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "/opt/az/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 120, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/command_modules/cosmosdb/custom.py", line 2442, in cli_cosmosdb_sql_role_assignment_create
    return sdk_no_wait(no_wait, client.begin_create_update_sql_role_assignment, role_assignment_id, resource_group_name, account_name, sql_role_assignment_create_update_parameters)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/cli/core/util.py", line 744, in sdk_no_wait
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/mgmt/cosmosdb/operations/_sql_resources_operations.py", line 6411, in begin_create_update_sql_role_assignment
    raw_result = self._create_update_sql_role_assignment_initial(
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/az/lib/python3.12/site-packages/azure/mgmt/cosmosdb/operations/_sql_resources_operations.py", line 6299, in _create_update_sql_role_assignment_initial
    raise HttpResponseError(response=response, error_format=ARMErrorFormat)
azure.core.exceptions.HttpResponseError: (BadRequest) Failed to parse the incoming request payload. Exception: System.FormatException: Could not parse property [properties] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties] due to exception: System.FormatException: Could not parse property [scope] with value [/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath] due to exception: System.FormatException: Expected path segment [dbs] at position [0] but found [subscriptions].
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.ResourcePath.ParseResourceNameFromSegments(String[] segments, Int32 index, String resourceTypePathSegment, String& resourceNamePathSegment)
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.DataPlaneResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.Validate()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.RequestHandlers.SqlRoleAssignmentRequestHandler.<HandlePutAsync>d__4.MoveNext()
ActivityId: 36180f2a-2b83-11f0-ba2d-00155d4536a7, Microsoft.Azure.Documents.Common/2.14.0
Code: BadRequest
Message: Failed to parse the incoming request payload. Exception: System.FormatException: Could not parse property [properties] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties] due to exception: System.FormatException: Could not parse property [scope] with value [/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath] due to exception: System.FormatException: Expected path segment [dbs] at position [0] but found [subscriptions].
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.ResourcePath.ParseResourceNameFromSegments(String[] segments, Int32 index, String resourceTypePathSegment, String& resourceNamePathSegment)
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.DataPlaneResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.Validate()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.RequestHandlers.SqlRoleAssignmentRequestHandler.<HandlePutAsync>d__4.MoveNext()
ActivityId: 36180f2a-2b83-11f0-ba2d-00155d4536a7, Microsoft.Azure.Documents.Common/2.14.0

cli.azure.cli.core.azclierror: (BadRequest) Failed to parse the incoming request payload. Exception: System.FormatException: Could not parse property [properties] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties] due to exception: System.FormatException: Could not parse property [scope] with value [/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath] due to exception: System.FormatException: Expected path segment [dbs] at position [0] but found [subscriptions].
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.ResourcePath.ParseResourceNameFromSegments(String[] segments, Int32 index, String resourceTypePathSegment, String& resourceNamePathSegment)
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.DataPlaneResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.Validate()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.RequestHandlers.SqlRoleAssignmentRequestHandler.<HandlePutAsync>d__4.MoveNext()
ActivityId: 36180f2a-2b83-11f0-ba2d-00155d4536a7, Microsoft.Azure.Documents.Common/2.14.0
Code: BadRequest
Message: Failed to parse the incoming request payload. Exception: System.FormatException: Could not parse property [properties] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties] due to exception: System.FormatException: Could not parse property [scope] with value [/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath] due to exception: System.FormatException: Expected path segment [dbs] at position [0] but found [subscriptions].
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.ResourcePath.ParseResourceNameFromSegments(String[] segments, Int32 index, String resourceTypePathSegment, String& resourceNamePathSegment)
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.DataPlaneResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.Validate()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.RequestHandlers.SqlRoleAssignmentRequestHandler.<HandlePutAsync>d__4.MoveNext()
ActivityId: 36180f2a-2b83-11f0-ba2d-00155d4536a7, Microsoft.Azure.Documents.Common/2.14.0
az_command_data_logger: (BadRequest) Failed to parse the incoming request payload. Exception: System.FormatException: Could not parse property [properties] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties] due to exception: System.FormatException: Could not parse property [scope] with value [/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath] due to exception: System.FormatException: Expected path segment [dbs] at position [0] but found [subscriptions].
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.ResourcePath.ParseResourceNameFromSegments(String[] segments, Int32 index, String resourceTypePathSegment, String& resourceNamePathSegment)
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.DataPlaneResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.Validate()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.RequestHandlers.SqlRoleAssignmentRequestHandler.<HandlePutAsync>d__4.MoveNext()
ActivityId: 36180f2a-2b83-11f0-ba2d-00155d4536a7, Microsoft.Azure.Documents.Common/2.14.0
Code: BadRequest
Message: Failed to parse the incoming request payload. Exception: System.FormatException: Could not parse property [properties] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties] due to exception: System.FormatException: Could not parse property [scope] with value [/subscriptions/subId/resourceGroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount] as [Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath] due to exception: System.FormatException: Expected path segment [dbs] at position [0] but found [subscriptions].
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.ResourcePath.ParseResourceNameFromSegments(String[] segments, Int32 index, String resourceTypePathSegment, String& resourceNamePathSegment)
   at Microsoft.Azure.Documents.Common.RoleBasedAccessControl.DataPlaneResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.FullyQualifiedResourcePath..ctor(String[] segments, Boolean ignoreExtraSegments)
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.get_Scope()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentProperties.Validate()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.DataModel.RoleBasedAccessControl.SqlRoleAssignmentRequest.get_Properties()
   at Microsoft.Azure.Documents.Management.Services.ResourceProvider.RequestHandlers.SqlRoleAssignmentRequestHandler.<HandlePutAsync>d__4.MoveNext()
ActivityId: 36180f2a-2b83-11f0-ba2d-00155d4536a7, Microsoft.Azure.Documents.Common/2.14.0
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f9fe2f4c680>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 0.736 seconds (init: 0.128, invoke: 0.608)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 8752 in cache file under /home/user/.azure/telemetry/20250507203820323
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/az/bin/python3 /opt/az/lib/python3.12/site-packages/azure/cli/telemetry/__init__.py /home/user/.azure /home/user/.azure/telemetry/20250507203820323"
telemetry.process: Return from creating process 2201338
telemetry.main: Finish creating telemetry upload process.

Expected behavior

Create the role assignment when the command shown in the documentation is used. Or don't require a scope.

Environment Summary

azure-cli                         2.72.0

core                              2.72.0
telemetry                          1.1.0

Extensions:
acrtransfer                        1.1.0
ssh                                2.0.5

Dependencies:
msal                              1.32.3
azure-mgmt-resource               23.1.1

Python location '/opt/az/bin/python3'
Config directory '/home/chappleg/.azure'
Extensions directory '/home/chappleg/.azure/cliextensions'

Python (Linux) 3.12.8 (main, Apr 28 2025, 09:24:33) [GCC 13.3.0]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @pjohari-ms, @kushagraThapar, @simplynaveen20.

[bburgy]

So weird, we have this error on 1 subscription but exactly the same command (with different ids) works well, we are able on 1 subscription to set a scope without the /dbs prefix and we can't on another subscription.

I think is better to not use the /dbs prefix because we are able to set the permission on the CosmosDB component instead of on the container level.

Any idea why we have a different behavior between 2 subscriptions?

[stevenhvtran]

I was able to recreate this issue when specifying the scope with Microsoft.DocumentDb in the path instead of Microsoft.DocumentDB.
When doing --scope '/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDb/databaseAccounts/databaseaccount', the CLI doubles up the scope parameter to be '/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDB/databaseAccounts/databaseaccount/subscriptions/subId/resourcegroups/rg/providers/Microsoft.DocumentDb/databaseAccounts/databaseaccount' resulting in the confusing error message System.FormatException: Expected path segment [dbs] at position [0] but found [subscriptions].