azure-cli: Getting token from Cloud Shell intermittently fails with 400 Client Error: Bad Request

I’m getting the following when I’m running the following command:

ARM_CLIENT_SECRET=$(az ad sp create-for-rbac \
  --name http://tf-sp-$UNIQUE_ID \
  --role Contributor \
  --scopes "/subscriptions/$ARM_SUBSCRIPTION_ID" \
  --query password \
  --output tsv)

Please note that I’ve stored the ARM Subscription ID successfully and ran the above command as part of creating the Service Principal.

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az ad sp create-for-rbac

Errors:

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Traceback (most recent call last):
python3.6/site-packages/knack/cli.py, ln 206, in invoke
    cmd_result = self.invocation.execute(args)
cli/core/commands/__init__.py, ln 608, in execute
    raise ex
cli/core/commands/__init__.py, ln 666, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
...
python3.6/site-packages/msrestazure/azure_active_directory.py, ln 486, in get_msi_token
    result.raise_for_status()
python3.6/site-packages/requests/models.py, ln 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here…
  • az ad sp create-for-rbac --name {} --role {} --scopes {} --query {} --output {}

Expected Behavior

Environment Summary

Linux-4.15.0-1064-azure-x86_64-with-debian-stretch-sid
Python 3.6.5
Shell: bash

azure-cli 2.0.78

Additional Context

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 1
  • Comments: 24 (10 by maintainers)

Most upvoted comments

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token is a known issue of Cloud Shell: it intermittently fails with this error.

Workarounds

There are 2 workarounds:

  1. Use Azure CLI on a local machine
  2. In Cloud Shell, run az login and retry the command
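A retry wrapper for the intermittent failure described above, as an added example that is not part of the issue thread or of azure-cli: it retries only when stderr contains the reported error string and keeps stdout separate, so a captured secret is never mixed with error text. The function name, attempt count and delay are assumptions.

```shell
# Added example, not from the issue thread. The pattern is copied from the
# error text in the report; attempt count and delay are assumed values.
MSI_400_PATTERN='400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token'

# Usage: retry_on_msi_400 <max_attempts> <delay_seconds> <command> [args...]
# e.g.   ARM_CLIENT_SECRET=$(retry_on_msi_400 5 10 az ad sp create-for-rbac ... --query password --output tsv)
# The body runs in a subshell so its variables do not leak into the caller.
retry_on_msi_400() (
    max_attempts=$1
    delay=$2
    shift 2
    attempt=1
    err=$(mktemp) || return 1
    while :; do
        rc=0
        # stdout is held in a variable, stderr goes to a temp file.
        out=$("$@" 2>"$err") || rc=$?
        if [ "$rc" -eq 0 ]; then
            rm -f "$err"
            # Only the successful attempt's stdout reaches the caller.
            printf '%s\n' "$out"
            return 0
        fi
        # Retry only the intermittent token-endpoint failure; any other
        # error (bad role, bad scope, missing permission) surfaces at once.
        if ! grep -qF "$MSI_400_PATTERN" "$err" || [ "$attempt" -ge "$max_attempts" ]; then
            cat "$err" >&2
            rm -f "$err"
            return "$rc"
        fi
        echo "attempt $attempt: MSI token endpoint returned 400, retrying" >&2
        attempt=$((attempt + 1))
        sleep "$delay"
    done
)
```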

@maertendMSFT any update for this issue? There are a bunch of customers impacted by this.

Running az login isn’t an acceptable workaround. MSI login allows for elevated commands like “az ad app” which will be blocked otherwise.

@jiasli this is still happening and hurts the AKS user experience, please prioritize and fix this issue.

This is Cloud Shell issue. Could you run with --debug and share the output?

To get unblocked, please run az login and retry the command.

This worked for me. Thanks.

@sherdana, your message is corrupted. Also, you are not on Cloud Shell, but on a Windows machine. Please create a new issue with detailed information and error message.

I get the same error using Windows 11 - Windows Terminal, click on the drop-down to get to an Azure Cli instance. Following the device login page I’m able to work other commands but not the below:

az ad user create --display-name "..." --password "..." --user-principal-name "..."

Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [400]>