azure-cli: az identity create returns for created in AD

Describe the bug

az identity create returns before the identity has been fully created. If you try to do a role assignment straight after, it will fail with:

No matches in graph database for '138d8747-9262-4a78-8842-4ae3e1682bbc'

I’m currently working around it with a sleep 10; I tried 3 and 5 before, but they were not long enough.

To Reproduce

az group create -n rg -l uksouth

export IDENTITY_CLIENT_ID=$(az identity create -g ${NODE_RESOURCE_GROUP} -n ${BASE_NAME} --query clientId -o tsv)

export SUBSCRIPTION_ID=$(az account show --query id -o tsv)

az role assignment create --role Reader --assignee ${IDENTITY_CLIENT_ID} --scope /subscriptions/${SUBSCRIPTION_ID}/resourcegroups/rg

Expected behavior

Some sort of check should be done to make sure it is fully created before exiting the command.

Environment summary

Install Method (e.g. pip, interactive script, apt-get, Docker, MSI, edge build) / CLI version (az --version) / OS version / Shell Type (e.g. bash, cmd.exe, Bash on Windows)

brew mac

$ az --version
azure-cli (2.0.54)

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 2
  • Comments: 17 (6 by maintainers)

Most upvoted comments

@navba-MSFT could you please re-open

@Jtango18 At present, we have determined that this problem is caused by propagation delay of managed identity on the server side, and we are discussing the solution with the service team through email.
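
A bounded retry as an alternative to the fixed sleep mentioned in the issue. This is an added example, not code from the issue or from the azure-cli project. The function name retry_on_propagation and the MAX_ATTEMPTS and BASE_DELAY variables are assumptions made for illustration. It retries only while the command fails with the error text quoted in the issue, so an unrelated failure such as a permissions error is returned immediately.

```shell
#!/bin/sh
# Added example (not from the issue or azure-cli).
# retry_on_propagation, MAX_ATTEMPTS and BASE_DELAY are hypothetical names.
#
# Runs the given command and retries it with exponential backoff, but only
# while its output contains the propagation error quoted in the issue.
# Any other failure is returned at once with the command's own exit status.
retry_on_propagation() {
  local max="${MAX_ATTEMPTS:-6}" delay="${BASE_DELAY:-2}" attempt=1 out rc
  while :; do
    if out=$("$@" 2>&1); then
      printf '%s\n' "$out"
      return 0
    else
      rc=$?
    fi
    # Not the propagation error: do not mask it behind retries.
    if ! printf '%s' "$out" | grep -q 'No matches in graph database'; then
      printf '%s\n' "$out" >&2
      return "$rc"
    fi
    # Bounded: stop once the attempt budget is used up.
    if [ "$attempt" -ge "$max" ]; then
      printf 'gave up after %s attempts: %s\n' "$attempt" "$out" >&2
      return "$rc"
    fi
    sleep "$delay"
    delay=$((delay * 2))
    attempt=$((attempt + 1))
  done
}

# Usage with the commands from the issue (shown as a comment, not executed):
#   retry_on_propagation az role assignment create --role Reader \
#     --assignee "${IDENTITY_CLIENT_ID}" \
#     --scope "/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/rg"
```

With the defaults the waits are 2, 4, 8, 16 and 32 seconds between the six attempts.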