Azure CLI command to create Service Principal with contributor role is failing to generate the JSON file

argi 25 Reputation points
2024-10-17T04:06:08.27+00:00

I'm using this command from https://microsoftlearning.github.io/AZ-2008_DevOps_Foundations_Core_Principles_Practices/Instructions/Labs/03-implement-ci-cd-with-github-actions-and-iac-with-bicep.html to generate the JSON file for the GitHub Actions secret:

    az ad sp create-for-rbac --name "devopsfoundationslabsp" --role contributor --scopes /subscriptions/$SUBCRIPTION_ID --json-auth

but it's failing with this error:

Option '--sdk-auth' has been deprecated and will be removed in a future release. Found an existing application instance: (id) [...]. We will patch it. Creating 'contributor' role assignment under scope '/subscriptions/' Role assignment creation failed. Invalid scope. Please use --help to view the valid format.

Using the Cloud Shell to run the command.

I'm the Owner to the scoped subscription.

Any help, or a pointer to the solution, will be much appreciated.


Accepted answer
  1. SiddeshTN 5,180 Reputation points Microsoft Vendor
    2024-10-18T15:05:05.7566667+00:00

    Hi

    Thank you for reaching out to us on the Microsoft Q&A forum.

    We tried from our end and faced no issues while completing the exercise as per the instructions mentioned in the Implementing CI/CD with GitHub Actions and IaC using Bicep module.

    Below are some key points:
    1. A service principal was created, and the 'Contributor' role was successfully assigned at the subscription level, allowing GitHub Actions to access and interact with Azure resources without any permission issues.
    2. The az ad sp create-for-rbac command gave the necessary credentials like clientId, clientSecret, and tenantId, which were safely added to GitHub as secrets for the CI/CD workflow.

    For your reference, a screenshot has also been attached.

    If challenges persist, please attach relevant screenshots for further assistance, ensuring all privacy details are concealed before posting.

    Thank you.

    Should you find this information helpful, kindly express your acknowledgment by clicking the "Upvote" and "Accept Answer" buttons on the post.

    1 person found this answer helpful.

2 additional answers

  1. Sam Cogan 10,762 Reputation points MVP
    2024-10-17T07:56:31.1366667+00:00

    The error message is showing you that your $SUBCRIPTION_ID variable is empty, so the scope is invalid.

    1 person found this answer helpful.

  2. Iheanacho Chukwu 1,020 Reputation points
    2024-10-18T13:27:18.5566667+00:00

    Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions.

    Hello argi

    Thank you for posting in Microsoft Q&A Forum.

    It seems the value of $SUBSCRIPTION_ID wasn't correctly passed from the command executed in the lab.

    SUBSCRIPTION_ID=$(az account show --query id --output tsv)
    echo $SUBSCRIPTION_ID
    

    Ensure you haven't skipped this step and verify that there are no errors from the command above. Usually you will see 'Please run 'az login' to set up the account.' if you are not authenticated to an Azure account, and you will need to do so using 'az login' to get set up. Refer to the 'Authenticate to Azure using Azure CLI' article for more details.

    Note: The lab used Cloud Shell (Azure Portal), which is pre-authenticated to an Azure environment. If you are not running the commands from the Portal, ensure you have authenticated and set your subscription context properly.

    Thanks,

    Iheanacho

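The answers above all come down to the same thing: `$SUBSCRIPTION_ID` was empty when the command ran, so the scope collapsed to `/subscriptions/` and the role assignment was rejected. The following bash wrapper is an added example (it is not part of the thread, the lab, or the Azure CLI) that makes this failure impossible to miss: it refuses to call `az ad sp create-for-rbac` unless the subscription id is a non-empty GUID, and it pipes the resulting credential JSON (which contains the clientSecret) straight into `gh secret set` rather than printing it to the terminal or a file. The function names `is_guid`, `build_scope` and `create_github_sp` are my own; the `az` and `gh` invocations are only executed when `RUN_CREATE_SP=1` is set, and assume you are already logged in with `az login` and `gh auth login` inside the target repository.

```shell
#!/usr/bin/env bash
# Added example, not code from the Q&A thread or the lab.
# Fail fast on an empty or malformed subscription id before calling
# `az ad sp create-for-rbac`, so the problem surfaces as a clear message
# instead of "Invalid scope".
set -u

# Azure subscription ids are GUIDs (8-4-4-4-12 hex). Reject anything else.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the role-assignment scope for a subscription id, or return 1 with
# an explanatory message on stderr if the id is unusable.
build_scope() {
  sub="${1:-}"
  if [ -z "$sub" ]; then
    echo "SUBSCRIPTION_ID is empty; run: SUBSCRIPTION_ID=\$(az account show --query id --output tsv)" >&2
    return 1
  fi
  if ! is_guid "$sub"; then
    echo "SUBSCRIPTION_ID '$sub' is not a GUID" >&2
    return 1
  fi
  printf '/subscriptions/%s\n' "$sub"
}

# $1 = service principal display name, $2 = subscription id,
# $3 = name of the GitHub Actions secret to create (e.g. AZURE_CREDENTIALS).
# (hypothetical helper; assumes `az login` and `gh auth login` already done)
create_github_sp() {
  scope="$(build_scope "$2")" || return 1

  # Capture the credential JSON in a variable so the clientSecret is never
  # echoed to the terminal or written into the repository checkout.
  creds="$(az ad sp create-for-rbac --name "$1" --role contributor \
             --scopes "$scope" --json-auth)" || return 1

  # gh reads the secret value from stdin; the repo is inferred from the
  # current directory (add --repo OWNER/NAME to be explicit).
  printf '%s' "$creds" | gh secret set "$3"
}

# Only talk to Azure/GitHub when explicitly asked, so the file can be
# sourced and its validation functions exercised offline.
if [ "${RUN_CREATE_SP:-0}" = "1" ]; then
  SUBSCRIPTION_ID="$(az account show --query id --output tsv)"
  create_github_sp "devopsfoundationslabsp" "$SUBSCRIPTION_ID" "AZURE_CREDENTIALS"
fi
```

Run it with `RUN_CREATE_SP=1 bash create-sp.sh` from inside the cloned lab repository. If `az account show` returns nothing (not logged in, or no default subscription selected), `build_scope` stops the script before any application or role assignment is touched, which also avoids the "Found an existing application instance ... We will patch it" path on a second attempt.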
