Azure create servicePrincipal results in One or more properties contains invalid values


I was getting a token (I need it as an environment variable for my GitLab runner) like this through the Azure CLI on my computer:

C:\Users\myuser>az ad sp create-for-rbac --name http://gitlab-runner-acr-service-principal --scopes /subscriptions/xxxxxxx-xxxxx-xxxx-xxxx-xxxxxx/resourceGroups/MyRegistryResourceGroup/providers/Microsoft.ContainerRegistry/registries/MyDockerImageRegistry --role acrpush --query password --output tsv

Everything worked perfectly all this time (for more than a year). The output produced would be something like this:

"Found an existing application instance of "xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx". We will patch it Creating a role assignment under the scope of "/subscriptions/xxxxxxx-xxxxx-xxxx-xxxx-xxxxxx/resourceGroups/MyRegistryResourceGroup/providers/Microsoft.ContainerRegistry/registries/MyDockerImageRegistry"

Role assignment already exists.

b3253fac-267e-284f-9642-d4267a2620f8 "

I need that token from the output. But a few weeks ago this command stopped returning tokens. Now I get the following message: "One or more properties contains invalid values." The command is exactly the same (as it has been all this time). I don't understand why this is happening, or why I cannot get tokens any more.

I haven't changed anything in azure-cli (I use the same version), and I haven't done anything through the Azure Portal, so I don't understand why it stopped working. I've Googled and saw some examples and advice on how to solve similar problems (not quite like this) through the Microsoft Graph API. But I am not familiar with the Microsoft Graph API directly, so can you please help me get it to work through the Azure CLI?

My question is: how do I make azure-cli return tokens with the same command? What must I do to make it work again?

Edit: I've added the --debug flag, and the last part is this:

...
adal-python : 91386626-a42a-4d22-ba63-d22961220cec - CacheDriver:Returning token from cache lookup, AccessTokenId: b'OKDsXwBiy7YUjkUuLqUbDVL+mTGi19P9914i8J3knnQ=', RefreshTokenId: b'PSu7XWGVFXFQLMQ3GBtTxj5DsNQt8ZhkjjFKegqQXZQ='
msrest.http_logger : Request URL: 'https://graph.windows.net/478d151e-37db-4a62-833b-4b989ce41c1c/applications?api-version=1.6'
msrest.http_logger : Request method: 'POST'
msrest.http_logger : Request headers:
msrest.http_logger :     'Accept': 'application/json'
msrest.http_logger :     'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger :     'accept-language': 'en-US'
msrest.http_logger :     'Content-Length': '461'
msrest.http_logger :     'User-Agent': 'python/3.6.6 (Windows-10-10.0.19041-SP0) msrest/0.6.11 msrest_azure/0.6.3 azure-graphrbac/0.60.0 Azure-SDK-For-Python AZURECLI/2.3.1 (MSI)'
msrest.http_logger : Request body:
msrest.http_logger : {"availableToOtherTenants": false, "homepage": "https://gitlab-runner-acr-service-principal", "passwordCredentials": [{"startDate": "2020-09-28T12:15:30.026043Z", "endDate": "2021-09-28T12:15:30.026043Z", "keyId": "yyyyyyyy-yyyyyy-yyyyy-yyyyyyyyyyyyy", "value": "a9827bf6-a5a9-4922-bcbb-a28b2da7e04a", "customKeyIdentifier": "//5yAGIAYQBjAA=="}], "displayName": "gitlab-runner-acr-service-principal", "identifierUris": ["0884ae2d-515f-4efd-a069-595a63f1efee"]}
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : Starting new HTTPS connection (1): graph.windows.net:443
urllib3.connectionpool : https://graph.windows.net:443 "POST /478d151e-37db-4a62-833b-4b989ce41c1c/applications?api-version=1.6 HTTP/1.1" 400 207
msrest.http_logger : Response status: 400
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Content-Type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'ocp-aad-diagnostics-server-name': '9G9RnY9XiO+FpbH/eqhH2G8NOqXAfe/lEzfJH1kKGEc='
msrest.http_logger :     'request-id': '52133c1e-9e42-469b-8c84-4515b617e940'
msrest.http_logger :     'client-request-id': '4c129b1e-0184-11eb-afc2-6c0b84e25a98'
msrest.http_logger :     'x-ms-dirapi-data-contract-version': '1.6'
msrest.http_logger :     'ocp-aad-session-key': 'jR7Y9XU-WaZ2W5zpUmKDjXHgDJVYFGevEDu2emGYhyAezbIgh6y-7mPn_sxsfC5cymSICphmRbGOSdfu8X6gkKEXEFWdmBJeEoF6K0Pg4jaueLN1YMv9vIp1bRpIZOBbYVZOY-WKV-iebCkrTkC9xHYpXpZFML197SdsPJezGAWKEeFcwiwm4eESzkYPSjhLR1pmKMIme0EfM0CaVC58PA.IbhRdEvnM_6KoyQFkZu5OKeMILXYKaK6j7XdpDbfKlE'
msrest.http_logger :     'Duration': '3577050'
msrest.http_logger :     'x-ms-resource-unit': '1'
msrest.http_logger :     'DataServiceVersion': '3.0;'
msrest.http_logger :     'X-AspNet-Version': '4.0.30319'
msrest.http_logger :     'X-Powered-By': 'ASP.NET'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'Access-Control-Allow-Origin': '*'
msrest.http_logger :     'Date': 'Mon, 28 Sep 2020 12:15:30 GMT'
msrest.http_logger :     'Content-Length': '207'
msrest.http_logger : Response content:
msrest.http_logger : {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"One or more properties contains invalid values."},"requestId":"52133c1e-9e42-469b-8c84-4515b617e940","date":"2020-09-28T12:15:30"}}
msrest.exceptions : One or more properties contains invalid values.
cli.azure.cli.core.util : One or more properties contains invalid values.
One or more properties contains invalid values.
1

There are 1 answers

0
samneric On

For me it was because the name already exists. In your case --name http://gitlab-runner-acr-service-principal.

Maybe the CLI used to return the existing one if it already existed and now it throws an error.

Anyway, I fixed the error by checking if the SP already exists before creating it.

EDIT

After deleting the existing one and then re-creating it, the CLI started returning the existing one instead of throwing the error. I recommend deleting the existing one to fix the issue.

Steve
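
The check the answer describes, sketched as an added example (not code from the question or the answer): look the service principal up first and only run create-for-rbac when it is missing. The function names and the RECREATE switch are hypothetical; the lookup uses the display name, which in the question's debug log is the --name value without the http:// prefix.

```shell
#!/usr/bin/env bash
# Added example: look up the service principal before creating it, so
# create-for-rbac is never run against an application that already exists.
# sp_app_id, ensure_sp and RECREATE are hypothetical names.

# Print the appId of the SP whose displayName matches exactly (empty if none).
# --display-name may match on a prefix, so the JMESPath filter pins the full name.
sp_app_id() {
  az ad sp list --display-name "$1" \
    --query "[?displayName=='$1'].appId | [0]" --output tsv
}

# ensure_sp NAME SCOPE ROLE
#   no SP yet             -> create it; the new password is printed on stdout
#   SP exists             -> create nothing, return 3 (keep using the stored secret)
#   SP exists, RECREATE=1 -> delete it first, then create (the answer's EDIT)
ensure_sp() {
  local name="$1" scope="$2" role="$3" app_id
  app_id="$(sp_app_id "$name")" || return 1

  if [ -n "$app_id" ]; then
    if [ "${RECREATE:-0}" != "1" ]; then
      echo "service principal '$name' already exists (appId $app_id)" >&2
      return 3
    fi
    # Deleting invalidates every secret issued for the old principal.
    az ad sp delete --id "$app_id" >&2 || return 1
  fi

  # Only the password reaches stdout; capture it, do not echo it into CI logs.
  az ad sp create-for-rbac --name "$name" --scopes "$scope" \
    --role "$role" --query password --output tsv
}

# Usage (ACR_SCOPE is the registry resource ID from the question):
#   PASSWORD="$(ensure_sp gitlab-runner-acr-service-principal "$ACR_SCOPE" acrpush)"
```

Return code 3 lets a pipeline distinguish "already provisioned" from a real failure, so an existing secret is not replaced on every run.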