azure-cli: Getting token from Cloud Shell intermittently fails with 400 Client Error: Bad Request

I’m getting following when I’m running following command :

ARM_CLIENT_SECRET=$(az ad sp create-for-rbac
–name http://tf-sp-$UNIQUE_ID
–role Contributor
–scopes “/subscriptions/$ARM_SUBSCRIPTION_ID”
–query password
–output tsv)

Please note that I’ve stored ARM Subscription ID successfully and ran above command as part of creating Service Principal.

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az ad sp create-for-rbac

Errors:

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Traceback (most recent call last):
python3.6/site-packages/knack/cli.py, ln 206, in invoke
    cmd_result = self.invocation.execute(args)
cli/core/commands/__init__.py, ln 608, in execute
    raise ex
cli/core/commands/__init__.py, ln 666, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
...
python3.6/site-packages/msrestazure/azure_active_directory.py, ln 486, in get_msi_token
    result.raise_for_status()
python3.6/site-packages/requests/models.py, ln 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

Put any pre-requisite steps here…
az ad sp create-for-rbac --name {} --role {} --scopes {} --query {} --output {}

Expected Behavior

Environment Summary

Linux-4.15.0-1064-azure-x86_64-with-debian-stretch-sid
Python 3.6.5
Shell: bash

azure-cli 2.0.78

Additional Context

About this issue

Original URL
State: open
Created 4 years ago
Reactions: 1
Comments: 24 (10 by maintainers)

Commits related to this issue

Adding retries to az login commands Per https://github.com/Azure/azure-cli/issues/11749 it appears this is a known issue and the only workaround is to attempt to login again. — committed to malscent/marketplace by malscent 2 years ago

Most upvoted comments

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token is a known issue of Cloud Shell that it intermittently fails with this error.

Workarounds

There are 2 workarounds:

Use Azure CLI on a local machine
In Cloud Shell, run az login and retry the command

+26

jiasli on Apr 16, 2020

@maertendMSFT any update for this issue ? There are a bunch of customers are impacted by this.

yonzhan on Jul 17, 2020

Running az login isn’t an acceptable workaround. MSI login allows for elevated commands like “az ad app” which will be blocked otherwise.

sabbour on Oct 14, 2022

@jiasli this is still happening and hurt AKS user experience, please prioritize and fix this issue.

haitch on Jun 17, 2021

This is Cloud Shell issue. Could you run with --debug and share the output?

To get unblocked, please run az login and retry the command.

This worked for me. Thanks.

hubert-associates on Apr 13, 2020

@sherdana, your message is corrupted. Also, you are not on Cloud Shell, but Windows machine. Please create a new issue with detailed information and error message.

jiasli on Feb 8, 2022

I get the same error using Windows 11 - Windows Terminal, click on the drop-down to get to an Azure Cli instance. Following the device login page I’m able to work other commands but not the below:

az ad user create --display-name "..." --password "..." --user-principal-name "..."

Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [400]>

oguzhanf on Dec 8, 2021