
I get the error "ERROR: The request did not have a subscription or a valid tenant level resource provider." when trying to create a service principal via the Azure CLI scoped to an Azure IoT Hub. I'm using the CLI (bash), but Python would be sufficient too.

As shown at the end, I have the correct credentials and rights to create SPs in this subscription, and I have owner rights to the IoT Hub in question.

In case I'm missing a better way to accomplish this, here is the context: we need to authenticate a job that automates the registration of new devices immediately after they are flashed, before they are shipped off to be plugged in. This job does many things to customize the flashed filesystem (adds a unique device hostname and local passwords, for instance); finally, it needs to register the device with IoT Hub:

az iot hub device-identity create --device-id [device id] --hub-name [hub name] --edge-enabled

With my user permissions, I can az login and accomplish all of this, but it needs to run in an automated job with no interactive login. I believe a service principal is the way to accomplish this (?).

Thus, attempting to create the principal, I run:

# the following pulls a valid(-looking) `"/subscriptions/NAME/resourceGroups/THEGROUP/providers/Microsoft.Devices/IotHubs/THEHUB"`
IOTHUB_ID="$(az iot hub show --name TheHubName --query id)"

az ad sp create-for-rbac --name http://my-iothub-serviceprincipal --scopes $IOTHUB_ID --role contributor --query password --output tsv

which fails as above (note: contributor is too broad and will be replaced by a custom role later):

WARNING:   Role assignment creation failed.
ERROR: The request did not have a subscription or a valid tenant level resource provider.

As a test to ensure I have the right az login and other local state, the following analogous command for an Azure ACR scope does succeed, with a new service principal visible in the portal:

ACR_ID="$(az acr show --name TheAcrName --query id)"
az ad sp create-for-rbac --name http://acr-service-principal-foobar --scopes $ACR_ID --role acrpull --query password --output tsv

1 Answer


This was caused by a bug in the Azure CLI: az iot hub show returns an improperly quoted string; az acr show, for example, does not.

az iot hub show --name your-iothub-name --query id returns a string like the following; both " quotes are in the original:

'"/subscriptions/guid/.../IotHubs/your-iothub-name"'

az acr show --name your-acr-name --query id returns a string in the same format, but without the extra ' quoting:

"/subscriptions/.../registries/your-acr-name"

az iot hub device-identity create cannot deal with the '"..."' (understandably) but unfortunately doesn't fail cleanly, making this a bit difficult to track down, as the quoting blends in with script output.

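An added example, not part of the question or the answer above: a small bash helper that strips stray quote characters from a value captured with --query id and checks that the result looks like an ARM resource ID before it is handed to --scopes. The subscription GUID and the SAMPLE_JSON_ID string are constructed placeholders that mimic the quoted output described in the answer; strip_quotes and is_clean_resource_id are names chosen for this example. The commented-out az commands show the simpler fix of requesting --output tsv, which prints the bare value with no JSON quoting, so nothing needs stripping.

```shell
#!/usr/bin/env bash
# Added example (not from the original question or answer).
# Shows why a JSON-quoted resource ID breaks --scopes and how to clean or avoid it.
set -eu

# Constructed sample: what `az ... show --query id` prints in the default JSON output
# (a JSON string, so it carries literal double quotes). The GUID is a placeholder.
SAMPLE_JSON_ID='"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/THEGROUP/providers/Microsoft.Devices/IotHubs/THEHUB"'

# Strip one outer layer of single quotes, then one outer layer of double quotes,
# so both the '"..."' rendering from the answer and a plain "..." are handled.
strip_quotes() {
  v="$1"
  v="${v#\'}"; v="${v%\'}"
  v="${v#\"}"; v="${v%\"}"
  printf '%s' "$v"
}

# Sanity check before passing a value to --scopes: an ARM resource ID starts with
# /subscriptions/, contains a /providers/ segment and has no quote characters.
# Returns 0 when clean, 1 otherwise.
is_clean_resource_id() {
  case "$1" in
    *\"*|*\'*) return 1 ;;
    /subscriptions/*/providers/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo against the constructed sample.
demo() {
  raw="$SAMPLE_JSON_ID"
  clean="$(strip_quotes "$raw")"
  if is_clean_resource_id "$raw"; then
    echo "raw id accepted (unexpected): $raw"
  else
    echo "raw id rejected, contains quotes: $raw"
  fi
  if is_clean_resource_id "$clean"; then
    echo "clean id ok: $clean"
  fi
}
demo

# Real commands (not run here): ask the CLI for tsv output so the value arrives unquoted,
# and quote the variable when expanding it so a stray character cannot split the argument.
#   IOTHUB_ID="$(az iot hub show --name TheHubName --query id --output tsv)"
#   is_clean_resource_id "$IOTHUB_ID" || { echo "bad scope: $IOTHUB_ID" >&2; exit 1; }
#   az ad sp create-for-rbac --name http://my-iothub-serviceprincipal --scopes "$IOTHUB_ID" --role contributor
```

Checking the scope string before calling az ad sp create-for-rbac is what turns the silent "Role assignment creation failed" warning into an immediate, readable failure in the provisioning job.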