Description
New-AzADServicePrincipal is able to create a new SP even when the user has no write permissions (i.e., Reader role).
This bug doesn't seem to be directly reproducible from portal.azure.com nor through Azure CLI in bash/cmd.
Steps to reproduce
$sp = New-AzADServicePrincipal -DisplayName fooPS1 -Role Contributor -Scope /subscriptions/<GUID>/resourceGroups/<RG>
It is not subscription- or resource-group-specific.
Environment data
Local Terminal:
Name Value
---- -----
PSVersion 6.2.3
PSEdition Core
GitCommitId 6.2.3
OS Microsoft Windows 10.0.18363
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
This is also not OS- or platform-specific; it's also reproduced in the Azure portal Cloud Shell.
Module versions
ModuleType Version Name PSEdition ExportedCommands
---------- ------- ---- --------- ----------------
Script 3.3.0 Az Core,Desk
Script 1.7.0 Az.Accounts Core,Desk {Disable-AzDataCollection, Disable-AzContextAutosave, Enable-AzDataCollection, Enable-AzContextAutosave…}
Script 1.1.1 Az.Advisor Core,Desk {Get-AzAdvisorRecommendation, Enable-AzAdvisorRecommendation, Disable-AzAdvisorRecommendation, Get-AzAdvisorConfiguration…}
Script 1.0.3 Az.Aks Core,Desk {Get-AzAks, New-AzAks, Remove-AzAks, Import-AzAksCredential…}
Script 1.1.2 Az.AnalysisServices Core,Desk {Resume-AzAnalysisServicesServer, Suspend-AzAnalysisServicesServer, Get-AzAnalysisServicesServer, Remove-AzAnalysisServicesServer…}
Script 1.3.3 Az.ApiManagement Core,Desk {Add-AzApiManagementApiToProduct, Add-AzApiManagementProductToGroup, Add-AzApiManagementRegion, Add-AzApiManagementUserToGroup…}
Script 1.0.3 Az.ApplicationInsights Core,Desk {Get-AzApplicationInsights, New-AzApplicationInsights, Remove-AzApplicationInsights, Set-AzApplicationInsightsPricingPlan…}
Script 1.3.5 Az.Automation Core,Desk {Get-AzAutomationHybridWorkerGroup, Remove-AzAutomationHybridWorkerGroup, Get-AzAutomationJobOutputRecord, Import-AzAutomationDscNodeConfig…
Script 2.0.2 Az.Batch Core,Desk {Remove-AzBatchAccount, Get-AzBatchAccount, Get-AzBatchAccountKey, New-AzBatchAccount…}
Script 1.0.2 Az.Billing Core,Desk {Get-AzBillingInvoice, Get-AzBillingPeriod, Get-AzEnrollmentAccount, Get-AzConsumptionBudget…}
Script 1.4.2 Az.Cdn Core,Desk {Get-AzCdnProfile, Get-AzCdnProfileSsoUrl, New-AzCdnProfile, Remove-AzCdnProfile…}
Script 1.2.2 Az.CognitiveServices Core,Desk {Get-AzCognitiveServicesAccount, Get-AzCognitiveServicesAccountKey, Get-AzCognitiveServicesAccountSku, Get-AzCognitiveServicesAccountType…}
Script 3.3.0 Az.Compute Core,Desk {Remove-AzAvailabilitySet, Get-AzAvailabilitySet, New-AzAvailabilitySet, Update-AzAvailabilitySet…}
Script 1.0.3 Az.ContainerInstance Core,Desk {New-AzContainerGroup, Get-AzContainerGroup, Remove-AzContainerGroup, Get-AzContainerInstanceLog}
Script 1.1.1 Az.ContainerRegistry Core,Desk {New-AzContainerRegistry, Get-AzContainerRegistry, Update-AzContainerRegistry, Remove-AzContainerRegistry…}
Script 1.1.0 Az.DataBoxEdge Core,Desk {Get-AzDataBoxEdgeJob, Get-AzDataBoxEdgeDevice, Invoke-AzDataBoxEdgeDevice, New-AzDataBoxEdgeDevice…}
Script 1.6.0 Az.DataFactory Core,Desk {Set-AzDataFactoryV2, Update-AzDataFactoryV2, Get-AzDataFactoryV2, Remove-AzDataFactoryV2…}
Script 1.0.2 Az.DataLakeAnalytics Core,Desk {Get-AzDataLakeAnalyticsDataSource, New-AzDataLakeAnalyticsCatalogCredential, Remove-AzDataLakeAnalyticsCatalogCredential, Set-AzDataLakeAn…
Script 1.2.6 Az.DataLakeStore Core,Desk {Get-AzDataLakeStoreTrustedIdProvider, Remove-AzDataLakeStoreTrustedIdProvider, Remove-AzDataLakeStoreFirewallRule, Set-AzDataLakeStoreTrus…
Script 1.0.2 Az.DeploymentManager Core,Desk {Get-AzDeploymentManagerArtifactSource, New-AzDeploymentManagerArtifactSource, Set-AzDeploymentManagerArtifactSource, Remove-AzDeploymentMa…
Script 1.0.2 Az.DevTestLabs Core,Desk {Get-AzDtlAllowedVMSizesPolicy, Get-AzDtlAutoShutdownPolicy, Get-AzDtlAutoStartPolicy, Get-AzDtlVMsPerLabPolicy…}
Script 1.1.2 Az.Dns Core,Desk {Get-AzDnsRecordSet, New-AzDnsRecordConfig, Remove-AzDnsRecordSet, Set-AzDnsRecordSet…}
Script 1.2.3 Az.EventGrid Core,Desk {New-AzEventGridTopic, Get-AzEventGridTopic, Set-AzEventGridTopic, New-AzEventGridTopicKey…}
Script 1.4.3 Az.EventHub Core,Desk {New-AzEventHubNamespace, Get-AzEventHubNamespace, Set-AzEventHubNamespace, Remove-AzEventHubNamespace…}
Script 1.3.0 Az.FrontDoor Core,Desk {New-AzFrontDoor, Get-AzFrontDoor, Set-AzFrontDoor, Remove-AzFrontDoor…}
Script 3.0.2 Az.HDInsight Core,Desk {Get-AzHDInsightJob, New-AzHDInsightSqoopJobDefinition, Wait-AzHDInsightJob, New-AzHDInsightStreamingMapReduceJobDefinition…}
Script 1.0.1 Az.HealthcareApis Core,Desk {New-AzHealthcareApisService, Remove-AzHealthcareApisService, Set-AzHealthcareApisService, Get-AzHealthcareApisService}
Script 2.0.1 Az.IotHub Core,Desk {Add-AzIotHubKey, Get-AzIotHubEventHubConsumerGroup, Get-AzIotHubConnectionString, Get-AzIotHubJob…}
Script 1.4.0 Az.KeyVault Core,Desk {Add-AzKeyVaultCertificate, Update-AzKeyVaultCertificate, Stop-AzKeyVaultCertificateOperation, Get-AzKeyVaultCertificateOperation…}
Script 1.3.2 Az.LogicApp Core,Desk {Get-AzIntegrationAccountAgreement, Get-AzIntegrationAccountAssembly, Get-AzIntegrationAccountBatchConfiguration, Get-AzIntegrationAccountC…
Script 1.1.3 Az.MachineLearning Core,Desk {Move-AzMlCommitmentAssociation, Get-AzMlCommitmentAssociation, Get-AzMlCommitmentPlanUsageHistory, Remove-AzMlCommitmentPlan…}
Script 1.0.2 Az.ManagedServices Core,Desk {Get-AzManagedServicesAssignment, New-AzManagedServicesAssignment, Remove-AzManagedServicesAssignment, Get-AzManagedServicesDefinition…}
Script 1.0.2 Az.MarketplaceOrdering Core,Desk {Get-AzMarketplaceTerms, Set-AzMarketplaceTerms}
Script 1.1.1 Az.Media Core,Desk {Sync-AzMediaServiceStorageKey, Set-AzMediaServiceKey, Get-AzMediaServiceKey, Get-AzMediaServiceNameAvailability…}
Script 1.5.0 Az.Monitor Core,Desk {Get-AzMetricDefinition, Get-AzMetric, Remove-AzLogProfile, Get-AzLogProfile…}
Script 2.2.1 Az.Network Core,Desk {Add-AzApplicationGatewayAuthenticationCertificate, Get-AzApplicationGatewayAuthenticationCertificate, New-AzApplicationGatewayAuthenticati…
Script 1.1.1 Az.NotificationHubs Core,Desk {Get-AzNotificationHub, Get-AzNotificationHubAuthorizationRule, Get-AzNotificationHubListKey, Get-AzNotificationHubPNSCredential…}
Script 1.3.4 Az.OperationalInsights Core,Desk {New-AzOperationalInsightsAzureActivityLogDataSource, New-AzOperationalInsightsCustomLogDataSource, Disable-AzOperationalInsightsLinuxCusto…
Script 1.1.4 Az.PolicyInsights Core,Desk {Get-AzPolicyEvent, Get-AzPolicyState, Get-AzPolicyStateSummary, Get-AzPolicyRemediation…}
Script 1.1.1 Az.PowerBIEmbedded Core,Desk {Remove-AzPowerBIWorkspaceCollection, Get-AzPowerBIWorkspaceCollection, Get-AzPowerBIWorkspaceCollectionAccessKey, Get-AzPowerBIWorkspace…}
Script 1.0.2 Az.PrivateDns Core,Desk {Get-AzPrivateDnsZone, Remove-AzPrivateDnsZone, Set-AzPrivateDnsZone, New-AzPrivateDnsZone…}
Script 2.4.0 Az.RecoveryServices Core,Desk {Get-AzRecoveryServicesBackupProperty, Get-AzRecoveryServicesVault, Get-AzRecoveryServicesVaultSettingsFile, New-AzRecoveryServicesVault…}
Script 1.2.1 Az.RedisCache Core,Desk {Remove-AzRedisCachePatchSchedule, New-AzRedisCacheScheduleEntry, Get-AzRedisCachePatchSchedule, New-AzRedisCachePatchSchedule…}
Script 1.0.3 Az.Relay Core,Desk {New-AzRelayNamespace, Get-AzRelayNamespace, Set-AzRelayNamespace, Remove-AzRelayNamespace…}
Script 1.9.1 Az.Resources Core,Desk {Get-AzProviderOperation, Remove-AzRoleAssignment, Get-AzRoleAssignment, New-AzRoleAssignment…}
Script 1.4.1 Az.ServiceBus Core,Desk {New-AzServiceBusNamespace, Get-AzServiceBusNamespace, Set-AzServiceBusNamespace, Remove-AzServiceBusNamespace…}
Script 2.0.1 Az.ServiceFabric Core,Desk {Add-AzServiceFabricClientCertificate, Add-AzServiceFabricClusterCertificate, Add-AzServiceFabricNode, Add-AzServiceFabricNodeType…}
Script 1.1.1 Az.SignalR Core,Desk {New-AzSignalR, Get-AzSignalR, Get-AzSignalRKey, New-AzSignalRKey…}
Script 2.1.2 Az.Sql Core,Desk {Get-AzSqlDatabaseTransparentDataEncryption, Get-AzSqlDatabaseTransparentDataEncryptionActivity, Set-AzSqlDatabaseTransparentDataEncryption…
Script 1.0.2 Az.SqlVirtualMachine Core,Desk {New-AzSqlVM, Get-AzSqlVM, Update-AzSqlVM, Remove-AzSqlVM…}
Script 1.11.0 Az.Storage Core,Desk {Get-AzStorageAccount, Get-AzStorageAccountKey, New-AzStorageAccount, New-AzStorageAccountKey…}
Script 1.2.2 Az.StorageSync Core,Desk {Invoke-AzStorageSyncCompatibilityCheck, New-AzStorageSyncService, Get-AzStorageSyncService, Remove-AzStorageSyncService…}
Script 1.0.1 Az.StreamAnalytics Core,Desk {Get-AzStreamAnalyticsFunction, Get-AzStreamAnalyticsDefaultFunctionDefinition, New-AzStreamAnalyticsFunction, Remove-AzStreamAnalyticsFunc…
Script 1.0.3 Az.TrafficManager Core,Desk {Add-AzTrafficManagerCustomHeaderToEndpoint, Remove-AzTrafficManagerCustomHeaderFromEndpoint, Add-AzTrafficManagerCustomHeaderToProfile, Re…
Script 1.5.1 Az.Websites Core,Desk {Get-AzAppServicePlan, Set-AzAppServicePlan, New-AzAppServicePlan, Remove-AzAppServicePlan…}
Debug output
DEBUG: 3:06:27 PM - NewAzureADServicePrincipalCommand begin processing with ParameterSet 'SimpleParameterSet'.
DEBUG: 3:06:27 PM - using account id 'daorozco_testuser@rbacclitest.onmicrosoft.com'...
DEBUG: [Common.Authentication]: Authenticating using Account: 'daorozco_testuser@rbacclitest.onmicrosoft.com', environment: 'AzureCloud', tenant: '1273adef-00a3-4086-a51a-dbcce1857d36'
DEBUG: [Common.Authentication]: Authenticating using configuration values: Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', Endpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirect: 'urn:ietf:wg:oauth:2.0:oob', ResourceClientUri: 'https://graph.windows.net/', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using context with Authority 'https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/', CorrelationId: '00000000-0000-0000-0000-000000000000', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using AdalConfiguration with Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', AdEndpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirectUri: urn:ietf:wg:oauth:2.0:oob
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4572984Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4574082Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4574750Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: === Token Acquisition started:
CacheType: null
Authentication Target: User
, Authority Host: login.microsoftonline.com
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4575222Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: === Token Acquisition started:
Authority: https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/
Resource: https://graph.windows.net/
ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
CacheType: null
Authentication Target: User
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:27.4576866Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: Loading from cache.
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:27.4577642Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: Loading from cache.
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4642048Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Deserialized 2 items to token cache.
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:27.4643919Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: Looking up cache for a token...
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:27.4644671Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: Looking up cache for a token...
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4646004Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: An item matching the requested resource was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4646526Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: An item matching the requested resource was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4647611Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: 37.9850207433333 minutes left until token in cache expires
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4648198Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: 37.9850207433333 minutes left until token in cache expires
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4648698Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4649173Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4650195Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:44:26 PM +00:00
DEBUG: [ADAL]: Information: 2020-01-16T23:06:27.4650750Z: 532ec06c-0fdb-46b1-9707-e10b8bb5abea - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:44:26 PM +00:00Access Token Hash: YxX7q+O+G4zf6tvSXCdduNzGh4xmGyFxuBJr9HLanms=
User id: 11b1042e-d5b6-4f65-b308-d69565f16f1e
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:44:26 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:44:26 +00:00' Comparing to '01/16/2020 23:06:27 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:59.0880548'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/applications?api-version=1.6
Headers:
x-ms-client-request-id : 9111a435-a5ea-44eb-afcf-62fd4f5d04f9
Accept-Language : en-US
Body:
{
"availableToOtherTenants": false,
"displayName": "daorozco_DebugRequest_1",
"homepage": "http://daorozco_DebugRequest_1",
"identifierUris": [
"http://daorozco_DebugRequest_1"
],
"passwordCredentials": [
{
"startDate": "2020-01-16T23:06:27.4566428Z",
"endDate": "2021-01-16T23:06:27.4566428Z",
"keyId": "e6086993-1af9-4465-99fd-fe3cc36aa622",
"value": "601cc09d-fbba-4a00-bf37-2977e810b67b"
}
]
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Created
Headers:
Cache-Control : no-cache
Pragma : no-cache
Location : https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/directoryObjects/b6242fd6-4a54-4540-978d-1a080cb41b35/Microsoft.DirectoryServices.Application
ocp-aad-diagnostics-server-name: f7NL0FmTJ8JNWIfqHCIrTaLlqNjkXErDM8C/2jqzM2c=
request-id : 5de09276-b3d9-413d-a23d-f010d5bcb73d
client-request-id : d02c054b-364a-4b15-b528-69c78509cfbc
x-ms-dirapi-data-contract-version: 1.6
ocp-aad-session-key : tmlbypx9gZ3R5DUcZf4auoQmEPen3nj_SUUJ_qhCHqGXOIsGZ31dcbTP6Jz5sjIKG2TzpW5jmRf5CBzsUtB93Y961tDJ0GmYc2orIbVkAVGDIC9YfMy5J6rUJj7wANnQkCbT4laKH2P6FZEiNkygcw.JVslBlqR5ME7OesxbGQeb6yinbOIrevr0Ez13f-8EX4
DataServiceVersion : 3.0;
Strict-Transport-Security : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin : *
X-AspNet-Version : 4.0.30319
X-Powered-By : ASP.NET
Duration : 4666376
Date : Thu, 16 Jan 2020 23:06:27 GMT
Body:
{
"odata.metadata": "https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/$metadata#directoryObjects/@Element",
"odata.type": "Microsoft.DirectoryServices.Application",
"objectType": "Application",
"objectId": "b6242fd6-4a54-4540-978d-1a080cb41b35",
"deletionTimestamp": null,
"acceptMappedClaims": null,
"addIns": [],
"appId": "ae172156-5e7d-45e2-95de-68182d05431c",
"applicationTemplateId": null,
"appRoles": [],
"availableToOtherTenants": false,
"displayName": "daorozco_DebugRequest_1",
"errorUrl": null,
"groupMembershipClaims": null,
"homepage": "http://daorozco_DebugRequest_1",
"identifierUris": [
"http://daorozco_DebugRequest_1"
],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"isDeviceOnlyAuthSupported": null,
"keyCredentials": [],
"knownClientApplications": [],
"logoutUrl": null,
"logo@odata.mediaEditLink": "directoryObjects/b6242fd6-4a54-4540-978d-1a080cb41b35/Microsoft.DirectoryServices.Application/logo",
"logo@odata.mediaContentType": "application/json;odata=minimalmetadata; charset=utf-8",
"logoUrl": null,
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access daorozco_DebugRequest_1 on behalf of the signed-in user.",
"adminConsentDisplayName": "Access daorozco_DebugRequest_1",
"id": "5eed8957-949d-4516-a053-aeed0f138e7d",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access daorozco_DebugRequest_1 on your behalf.",
"userConsentDisplayName": "Access daorozco_DebugRequest_1",
"value": "user_impersonation"
}
],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "2021-01-16T23:06:27.4566428Z",
"keyId": "e6086993-1af9-4465-99fd-fe3cc36aa622",
"startDate": "2020-01-16T23:06:27.4566428Z",
"value": null
}
],
"publicClient": null,
"publisherDomain": "rbacCliTest.onmicrosoft.com",
"recordConsentConditions": null,
"replyUrls": [],
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"signInAudience": "AzureADMyOrg",
"tokenEncryptionKeyId": null
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:44:26 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:44:26 +00:00' Comparing to '01/16/2020 23:06:28 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:58.3161756'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/servicePrincipals?api-version=1.6
Headers:
x-ms-client-request-id : bf3de6fa-04ff-4456-bea0-e4ef1606a96c
Accept-Language : en-US
Body:
{
"appId": "ae172156-5e7d-45e2-95de-68182d05431c",
"accountEnabled": true
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Created
Headers:
Cache-Control : no-cache
Pragma : no-cache
Location : https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/directoryObjects/b5bf9607-fd63-4148-b4e9-808772b88cf5/Microsoft.DirectoryServices.ServicePrincipal
ocp-aad-diagnostics-server-name: v9yI3GNQqNXz0aoNCJywTDYIqIKG+Dlb/txFx1mcpdc=
request-id : 66c8f749-31ac-4c93-bf03-24c18e142e9f
client-request-id : d02c054b-364a-4b15-b528-69c78509cfbc
x-ms-dirapi-data-contract-version: 1.6
ocp-aad-session-key : FmNtc3lCpnS9SRT5ImkEtkwKSFxKUpVtwiUK7QYgNu6kTCnsaNW2BiwOIO-2T6J5ndVsMOEcE-5y9e2-RqfRRG4OVHLMc1eWzrk3_73wjUIPfwtPGexcZaXV2SCJJrDTJEnBNXdnDMZdcZ7aumjliQ.9nmM5MArHMOtqNiZsXLUN091IotQOkLqwdTrUXGW3ao
DataServiceVersion : 3.0;
Strict-Transport-Security : max-age=31536000; includeSubDomains
Access-Control-Allow-Origin : *
X-AspNet-Version : 4.0.30319
X-Powered-By : ASP.NET
Duration : 2776265
Date : Thu, 16 Jan 2020 23:06:27 GMT
Body:
{
"odata.metadata": "https://graph.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/$metadata#directoryObjects/@Element",
"odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
"objectType": "ServicePrincipal",
"objectId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
"deletionTimestamp": null,
"accountEnabled": true,
"addIns": [],
"alternativeNames": [],
"appDisplayName": "daorozco_DebugRequest_1",
"appId": "ae172156-5e7d-45e2-95de-68182d05431c",
"applicationTemplateId": null,
"appOwnerTenantId": "1273adef-00a3-4086-a51a-dbcce1857d36",
"appRoleAssignmentRequired": false,
"appRoles": [],
"displayName": "daorozco_DebugRequest_1",
"errorUrl": null,
"homepage": "http://daorozco_DebugRequest_1",
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"logoutUrl": null,
"notificationEmailAddresses": [],
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access daorozco_DebugRequest_1 on behalf of the signed-in user.",
"adminConsentDisplayName": "Access daorozco_DebugRequest_1",
"id": "5eed8957-949d-4516-a053-aeed0f138e7d",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access daorozco_DebugRequest_1 on your behalf.",
"userConsentDisplayName": "Access daorozco_DebugRequest_1",
"value": "user_impersonation"
}
],
"passwordCredentials": [],
"preferredSingleSignOnMode": null,
"preferredTokenSigningKeyEndDateTime": null,
"preferredTokenSigningKeyThumbprint": null,
"publisherName": "rbacCliTestDirectory",
"replyUrls": [],
"samlMetadataUrl": null,
"samlSingleSignOnSettings": null,
"servicePrincipalNames": [
"ae172156-5e7d-45e2-95de-68182d05431c",
"http://daorozco_DebugRequest_1"
],
"servicePrincipalType": "Application",
"signInAudience": "AzureADMyOrg",
"tags": [],
"tokenEncryptionKeyId": null
}
WARNING: Assigning role 'Contributor' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro' to the new service principal.
DEBUG: [Common.Authentication]: Authenticating using Account: 'daorozco_testuser@rbacclitest.onmicrosoft.com', environment: 'AzureCloud', tenant: '1273adef-00a3-4086-a51a-dbcce1857d36'
DEBUG: [Common.Authentication]: Authenticating using configuration values: Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', Endpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirect: 'urn:ietf:wg:oauth:2.0:oob', ResourceClientUri: 'https://graph.windows.net/', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using context with Authority 'https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/', CorrelationId: '00000000-0000-0000-0000-000000000000', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using AdalConfiguration with Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', AdEndpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirectUri: urn:ietf:wg:oauth:2.0:oob
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6204421Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6207027Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6208728Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: === Token Acquisition started:
CacheType: null
Authentication Target: User
, Authority Host: login.microsoftonline.com
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6210039Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: === Token Acquisition started:
Authority: https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/
Resource: https://graph.windows.net/
ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
CacheType: null
Authentication Target: User
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6213253Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: Loading from cache.
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6214884Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: Loading from cache.
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6231298Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Deserialized 2 items to token cache.
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6234219Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: Looking up cache for a token...
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6235833Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: Looking up cache for a token...
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6238295Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: An item matching the requested resource was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6239536Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: An item matching the requested resource was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6241818Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: 37.8823637966667 minutes left until token in cache expires
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6243825Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: 37.8823637966667 minutes left until token in cache expires
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6245146Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6246345Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6248511Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:44:26 PM +00:00
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6249912Z: 55ca183b-31b1-4334-a7fc-6fdf01df8df1 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:44:26 PM +00:00Access Token Hash: YxX7q+O+G4zf6tvSXCdduNzGh4xmGyFxuBJr9HLanms=
User id: 11b1042e-d5b6-4f65-b308-d69565f16f1e
DEBUG: [Common.Authentication]: Authenticating using Account: 'daorozco_testuser@rbacclitest.onmicrosoft.com', environment: 'AzureCloud', tenant: '1273adef-00a3-4086-a51a-dbcce1857d36'
DEBUG: [Common.Authentication]: Authenticating using configuration values: Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', Endpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirect: 'urn:ietf:wg:oauth:2.0:oob', ResourceClientUri: 'https://management.core.windows.net/', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using context with Authority 'https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/', CorrelationId: '00000000-0000-0000-0000-000000000000', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using AdalConfiguration with Domain: '1273adef-00a3-4086-a51a-dbcce1857d36', AdEndpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirectUri: urn:ietf:wg:oauth:2.0:oob
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6267855Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6270257Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6272203Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: === Token Acquisition started:
CacheType: null
Authentication Target: User
, Authority Host: login.microsoftonline.com
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6273619Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: === Token Acquisition started:
Authority: https://login.microsoftonline.com/1273adef-00a3-4086-a51a-dbcce1857d36/
Resource: https://management.core.windows.net/
ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
CacheType: null
Authentication Target: User
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6276443Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: Loading from cache.
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6277899Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: Loading from cache.
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6290672Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Deserialized 2 items to token cache.
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6293280Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: Looking up cache for a token...
DEBUG: [ADAL]: Verbose: 2020-01-16T23:06:33.6294964Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: Looking up cache for a token...
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6296852Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: An item matching the requested resource was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6298088Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: An item matching the requested resource was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6300200Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: 37.37816648 minutes left until token in cache expires
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6301382Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: 37.37816648 minutes left until token in cache expires
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6302553Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6303744Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6305833Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:43:56 PM +00:00
DEBUG: [ADAL]: Information: 2020-01-16T23:06:33.6307084Z: eb335f0f-3cd1-42d4-8af8-bfd55b64ed1e - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 1/16/2020 11:43:56 PM +00:00Access Token Hash: PqP0MBhH7rka8gRXCdFd+aklyGe1p2nmr++GYUsjY44=
User id: 11b1042e-d5b6-4f65-b308-d69565f16f1e
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:33 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:22.6864781'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview
Headers:
x-ms-client-request-id : 6f956002-1048-4847-9fa6-c61f5f5b79af
Accept-Language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-request-charge : 1
x-ms-request-id : cd853fcd-3eee-447b-8484-75d8486eae34
X-Content-Type-Options : nosniff
Strict-Transport-Security : max-age=31536000; includeSubDomains
Set-Cookie : x-ms-gateway-slice=Production; path=/; SameSite=None; secure; HttpOnly
x-ms-ratelimit-remaining-subscription-reads: 11997
x-ms-correlation-request-id : 071ce73a-52de-4f73-a289-aabf0c663a1e
x-ms-routing-request-id : WESTUS:20200116T230633Z:071ce73a-52de-4f73-a289-aabf0c663a1e
Date : Thu, 16 Jan 2020 23:06:33 GMT
Body:
{
"value": [
{
"properties": {
"roleName": "Contributor",
"type": "BuiltInRole",
"description": "Lets you manage everything except access to resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2015-02-02T21:55:09.8806423Z",
"updatedOn": "2019-02-05T21:24:38.458061Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:33 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:22.3464934'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/b5f70368-b0ee-402f-b7a2-d6a9bc3f4d52?api-version=2018-09-01-preview
Headers:
x-ms-client-request-id : b52ca97b-dfb7-499e-ad30-fad9419cfdae
Accept-Language : en-US
Body:
{
"properties": {
"roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
"canDelegate": false
}
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : 5f965048-c768-4263-b42b-84ca8f373bac
x-ms-correlation-request-id : 5f965048-c768-4263-b42b-84ca8f373bac
x-ms-routing-request-id : WESTUS:20200116T230633Z:5f965048-c768-4263-b42b-84ca8f373bac
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Thu, 16 Jan 2020 23:06:33 GMT
Connection : close
Body:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/b5f70368-b0ee-402f-b7a2-d6a9bc3f4d52' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:39 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:17.2925970'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview
Headers:
x-ms-client-request-id : ac902528-108a-4029-9835-42de6862b895
Accept-Language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-request-charge : 1
x-ms-request-id : 598093e4-c6c3-4733-943b-2536fd95369e
X-Content-Type-Options : nosniff
Strict-Transport-Security : max-age=31536000; includeSubDomains
Set-Cookie : x-ms-gateway-slice=Production; path=/; secure; HttpOnly; SameSite=None
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-correlation-request-id : 02d1b06b-094d-4475-a4a7-d6430ead6629
x-ms-routing-request-id : WESTUS:20200116T230639Z:02d1b06b-094d-4475-a4a7-d6430ead6629
Date : Thu, 16 Jan 2020 23:06:38 GMT
Body:
{
"value": [
{
"properties": {
"roleName": "Contributor",
"type": "BuiltInRole",
"description": "Lets you manage everything except access to resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2015-02-02T21:55:09.8806423Z",
"updatedOn": "2019-02-05T21:24:38.458061Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:39 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:16.9981383'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/2917f392-0822-40ba-ab8e-42439a56d321?api-version=2018-09-01-preview
Headers:
x-ms-client-request-id : 5770efc1-2544-455a-a34e-90c7dcc3871a
Accept-Language : en-US
Body:
{
"properties": {
"roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
"canDelegate": false
}
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : e3f16a29-3c7b-4f57-9a98-9148ecca787f
x-ms-correlation-request-id : e3f16a29-3c7b-4f57-9a98-9148ecca787f
x-ms-routing-request-id : WESTUS:20200116T230639Z:e3f16a29-3c7b-4f57-9a98-9148ecca787f
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Thu, 16 Jan 2020 23:06:38 GMT
Connection : close
Body:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/2917f392-0822-40ba-ab8e-42439a56d321' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:44 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:11.9522994'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview
Headers:
x-ms-client-request-id : 37509754-67c2-41db-81ba-7f891be86bd0
Accept-Language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-request-charge : 1
x-ms-request-id : 12240c1b-0a6b-43f7-bbaa-cd5125a58371
X-Content-Type-Options : nosniff
Strict-Transport-Security : max-age=31536000; includeSubDomains
Set-Cookie : x-ms-gateway-slice=Production; path=/; secure; HttpOnly; SameSite=None
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-correlation-request-id : 9952810b-0f41-4a28-a8b2-b3c986e18f3a
x-ms-routing-request-id : WESTUS:20200116T230644Z:9952810b-0f41-4a28-a8b2-b3c986e18f3a
Date : Thu, 16 Jan 2020 23:06:43 GMT
Body:
{
"value": [
{
"properties": {
"roleName": "Contributor",
"type": "BuiltInRole",
"description": "Lets you manage everything except access to resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2015-02-02T21:55:09.8806423Z",
"updatedOn": "2019-02-05T21:24:38.458061Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:44 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:11.7060263'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/d89fe1e4-c525-4ed3-8eee-62c2ee60f8f3?api-version=2018-09-01-preview
Headers:
x-ms-client-request-id : 9f7dbb18-5e8e-4fb7-8137-d9e90c4b6485
Accept-Language : en-US
Body:
{
"properties": {
"roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
"canDelegate": false
}
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : c374cf73-61d3-4241-a4bc-2e4a5c1e8ff0
x-ms-correlation-request-id : c374cf73-61d3-4241-a4bc-2e4a5c1e8ff0
x-ms-routing-request-id : WESTUS:20200116T230644Z:c374cf73-61d3-4241-a4bc-2e4a5c1e8ff0
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Thu, 16 Jan 2020 23:06:43 GMT
Connection : close
Body:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/d89fe1e4-c525-4ed3-8eee-62c2ee60f8f3' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:49 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:06.6646613'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview
Headers:
x-ms-client-request-id : 7752064d-7508-4c67-8d38-5434478e1b2f
Accept-Language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-request-charge : 1
x-ms-request-id : 40964fb5-2c12-4217-8678-7f7a1de48578
X-Content-Type-Options : nosniff
Strict-Transport-Security : max-age=31536000; includeSubDomains
Set-Cookie : x-ms-gateway-slice=Production; path=/; secure; HttpOnly; SameSite=None
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-correlation-request-id : 73c9dbd8-c72e-4202-a014-d244cd6db28e
x-ms-routing-request-id : WESTUS:20200116T230649Z:73c9dbd8-c72e-4202-a014-d244cd6db28e
Date : Thu, 16 Jan 2020 23:06:49 GMT
Body:
{
"value": [
{
"properties": {
"roleName": "Contributor",
"type": "BuiltInRole",
"description": "Lets you manage everything except access to resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2015-02-02T21:55:09.8806423Z",
"updatedOn": "2019-02-05T21:24:38.458061Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:50 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:06.2963031'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/84e02b06-59b3-481b-a9d8-a3edd216347d?api-version=2018-09-01-preview
Headers:
x-ms-client-request-id : 8648c879-48a4-44e0-aec6-319e86460212
Accept-Language : en-US
Body:
{
"properties": {
"roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
"canDelegate": false
}
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : 589a32a9-876e-4843-accc-37d6f6c6fcd0
x-ms-correlation-request-id : 589a32a9-876e-4843-accc-37d6f6c6fcd0
x-ms-routing-request-id : WESTUS:20200116T230650Z:589a32a9-876e-4843-accc-37d6f6c6fcd0
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Thu, 16 Jan 2020 23:06:49 GMT
Connection : close
Body:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/84e02b06-59b3-481b-a9d8-a3edd216347d' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:55 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:01.2084970'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview
Headers:
x-ms-client-request-id : 773f8e6f-d42f-45bd-8b4b-520621eb9e50
Accept-Language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-request-charge : 1
x-ms-request-id : 960381ee-6c65-4280-84e8-712dd0378b80
X-Content-Type-Options : nosniff
Strict-Transport-Security : max-age=31536000; includeSubDomains
Set-Cookie : x-ms-gateway-slice=Production; path=/; secure; HttpOnly; SameSite=None
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-correlation-request-id : a071e1e0-9632-42af-aec4-b1581ce8f5c1
x-ms-routing-request-id : WESTUS:20200116T230655Z:a071e1e0-9632-42af-aec4-b1581ce8f5c1
Date : Thu, 16 Jan 2020 23:06:54 GMT
Body:
{
"value": [
{
"properties": {
"roleName": "Contributor",
"type": "BuiltInRole",
"description": "Lets you manage everything except access to resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2015-02-02T21:55:09.8806423Z",
"updatedOn": "2019-02-05T21:24:38.458061Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:06:55 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:37:00.9659768'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/ff4ae4aa-e33c-40d5-ac1c-9e2d9c2a662d?api-version=2018-09-01-preview
Headers:
x-ms-client-request-id : 1760ed42-53b1-4e83-82b0-45d1b59e9076
Accept-Language : en-US
Body:
{
"properties": {
"roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
"canDelegate": false
}
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : 91b81088-698d-4a73-be81-b6196ae51b87
x-ms-correlation-request-id : 91b81088-698d-4a73-be81-b6196ae51b87
x-ms-routing-request-id : WESTUS:20200116T230655Z:91b81088-698d-4a73-be81-b6196ae51b87
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Thu, 16 Jan 2020 23:06:55 GMT
Connection : close
Body:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/ff4ae4aa-e33c-40d5-ac1c-9e2d9c2a662d' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:07:00 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:36:55.6879879'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName eq 'Contributor'&api-version=2018-01-01-preview
Headers:
x-ms-client-request-id : c48e4a30-fd74-41d7-9245-e36afa6144b3
Accept-Language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-request-charge : 1
x-ms-request-id : c286d008-a6af-4041-abe2-26e931f7504d
X-Content-Type-Options : nosniff
Strict-Transport-Security : max-age=31536000; includeSubDomains
Set-Cookie : x-ms-gateway-slice=Production; path=/; secure; HttpOnly; SameSite=None
x-ms-ratelimit-remaining-subscription-reads: 11998
x-ms-correlation-request-id : 291df1a3-e3c8-4235-8eea-6142c98e1cec
x-ms-routing-request-id : WESTUS:20200116T230700Z:291df1a3-e3c8-4235-8eea-6142c98e1cec
Date : Thu, 16 Jan 2020 23:07:00 GMT
Body:
{
"value": [
{
"properties": {
"roleName": "Contributor",
"type": "BuiltInRole",
"description": "Lets you manage everything except access to resources.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2015-02-02T21:55:09.8806423Z",
"updatedOn": "2019-02-05T21:24:38.458061Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
}
DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '01/16/2020 23:43:56 +00:00', MultipleResource? 'True', Tenant: '1273adef-00a3-4086-a51a-dbcce1857d36', UserId: 'daorozco_testuser@rbacclitest.onmicrosoft.com'
DEBUG: [Common.Authentication]: User info for token DisplayId: 'daorozco_testuser@rbacclitest.onmicrosoft.com', Name: , IdProvider: 'https://sts.windows.net/1273adef-00a3-4086-a51a-dbcce1857d36/', Uid: '11b1042e-d5b6-4f65-b308-d69565f16f1e'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '01/16/2020 23:43:56 +00:00' Comparing to '01/16/2020 23:07:00 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:36:55.4842518'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Absolute Uri:
https://management.azure.com//subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/4876eedb-097f-48d9-9ae1-2f6938d159f7?api-version=2018-09-01-preview
Headers:
x-ms-client-request-id : 4eba3377-f66d-4a92-aabc-afa1d3b23c35
Accept-Language : en-US
Body:
{
"properties": {
"roleDefinitionId": "/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "b5bf9607-fd63-4148-b4e9-808772b88cf5",
"canDelegate": false
}
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : dd3d727d-eedd-47b9-800f-f7657a0eac60
x-ms-correlation-request-id : dd3d727d-eedd-47b9-800f-f7657a0eac60
x-ms-routing-request-id : WESTUS:20200116T230700Z:dd3d727d-eedd-47b9-800f-f7657a0eac60
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Thu, 16 Jan 2020 23:07:00 GMT
Connection : close
Body:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client 'daorozco_testuser@rbacclitest.onmicrosoft.com' with object id '11b1042e-d5b6-4f65-b308-d69565f16f1e' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/4004a9fd-d58e-48dc-aeb2-4a4aec58606f/resourceGroups/daorozco_bug_repro/providers/Microsoft.Authorization/roleAssignments/4876eedb-097f-48d9-9ae1-2f6938d159f7' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
DEBUG: AzureQoSEvent: CommandName - New-AzADServicePrincipal; IsSuccess - True; Duration - 00:00:33.4173972; Exception - ;
DEBUG: Finish sending metric.
DEBUG: 3:07:01 PM - NewAzureADServicePrincipalCommand end processing.
DEBUG: 3:07:01 PM - NewAzureADServicePrincipalCommand end processing.
Error output
DEBUG: 3:09:28 PM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 3:09:28 PM - using account id 'daorozco_testuser@rbacclitest.onmicrosoft.com'...
WARNING: Breaking changes in the cmdlet 'Resolve-AzError' :
WARNING: - The `Resolve-Error` alias will be removed in a future release. Please change any scripts that use this alias to use `Resolve-AzError` instead.
WARNING: NOTE : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
DEBUG: AzureQoSEvent: CommandName - Resolve-AzError; IsSuccess - True; Duration - 00:00:00.0073924; Exception - ;
DEBUG: Finish sending metric.
DEBUG: 3:09:32 PM - ResolveError end processing.
DEBUG: 3:09:32 PM - ResolveError end processing.