
Getting token from Cloud Shell intermittently fails with 400 Client Error: Bad Request

Open Kalyan-Alamuru opened this issue 5 years ago • 25 comments

I'm getting the following when I'm running the following command:

ARM_CLIENT_SECRET=$(az ad sp create-for-rbac \
    --name "http://tf-sp-$UNIQUE_ID" \
    --role Contributor \
    --scopes "/subscriptions/$ARM_SUBSCRIPTION_ID" \
    --query password \
    --output tsv)

Please note that I've stored the ARM subscription ID successfully and ran the above command as part of creating the service principal.

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name az ad sp create-for-rbac

Errors:

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Traceback (most recent call last):
python3.6/site-packages/knack/cli.py, ln 206, in invoke
    cmd_result = self.invocation.execute(args)
cli/core/commands/__init__.py, ln 608, in execute
    raise ex
cli/core/commands/__init__.py, ln 666, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
...
python3.6/site-packages/msrestazure/azure_active_directory.py, ln 486, in get_msi_token
    result.raise_for_status()
python3.6/site-packages/requests/models.py, ln 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here...
  • az ad sp create-for-rbac --name {} --role {} --scopes {} --query {} --output {}

Expected Behavior

Environment Summary

Linux-4.15.0-1064-azure-x86_64-with-debian-stretch-sid
Python 3.6.5
Shell: bash

azure-cli 2.0.78

Additional Context

Kalyan-Alamuru, Jan 02 '20 17:01

@jiasli Please take a look.

bim-msft, Jan 03 '20 01:01

This is Cloud Shell issue. Could you run with --debug and share the output?

To get unblocked, please run az login and retry the command.

jiasli, Jan 03 '20 06:01

I reran the module again and it worked fine. The only difference this time is that I ran the Terraform destroy command to delete the plan and then ran the az ad sp create command, and it worked fine. It doesn't really explain what happened!!!

Kalyan-Alamuru, Jan 03 '20 15:01

400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token is a known Cloud Shell issue: it intermittently fails with this error.

Workarounds

There are 2 workarounds:

  1. Use Azure CLI on a local machine
  2. In Cloud Shell, run az login and retry the command

jiasli, Jan 06 '20 02:01
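The workaround above is manual: notice the 400 from the MSI token endpoint, run az login, and retype the command. For scripted Cloud Shell sessions (the original report was a Terraform bootstrap), the same logic can be wrapped so a script recognises the failure and re-authenticates once before retrying. The following is an added example written for this thread, not code from the azure-cli project or from any commenter; it assumes the two error wordings quoted in this issue (the msrestazure "400 Client Error ... localhost:50342/oauth2/token" text and the later "Failed to connect to MSI" text) are the signatures to match, and that an AZ_LOGIN_CMD variable (hypothetical name, defaulting to az login) re-establishes credentials.

```shell
#!/usr/bin/env bash
# Added example (not part of azure-cli or this issue): run an az command,
# detect the Cloud Shell MSI token failure described in the thread, and
# fall back once to an interactive login before retrying.
set -u

# Both error wordings reported in this thread. Assumption: these are the
# only signatures worth matching.
MSI_ERROR_PATTERN='400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token|Failed to connect to MSI'

# is_msi_token_failure TEXT: exit 0 if TEXT contains a known MSI token failure.
is_msi_token_failure() {
  printf '%s' "$1" | grep -Eq "$MSI_ERROR_PATTERN"
}

# Command that re-establishes credentials when the MSI endpoint fails.
# Hypothetical variable name; overridable so the wrapper can be exercised
# without a real az binary.
: "${AZ_LOGIN_CMD:=az login}"

# run_with_msi_fallback CMD [ARGS...]
# Runs CMD. If it exits non-zero AND its stderr matches the MSI failure,
# runs $AZ_LOGIN_CMD once (interactively, so device-code prompts stay
# visible) and retries CMD once. Any other failure is passed through
# unchanged, with the original stderr and exit status preserved.
run_with_msi_fallback() {
  local errfile status=0
  errfile=$(mktemp) || return 1
  "$@" 2>"$errfile" || status=$?
  if [ "$status" -ne 0 ] && is_msi_token_failure "$(cat "$errfile")"; then
    echo "MSI token request failed; re-authenticating with: $AZ_LOGIN_CMD" >&2
    if ! $AZ_LOGIN_CMD; then
      cat "$errfile" >&2
      rm -f "$errfile"
      return 1
    fi
    status=0
    "$@" 2>"$errfile" || status=$?
  fi
  cat "$errfile" >&2
  rm -f "$errfile"
  return "$status"
}

# Usage with the command from the original report:
#   run_with_msi_fallback az ad sp create-for-rbac \
#       --name "http://tf-sp-$UNIQUE_ID" --role Contributor \
#       --scopes "/subscriptions/$ARM_SUBSCRIPTION_ID" \
#       --query password --output tsv
```

The wrapper only re-authenticates on the specific MSI signature, so unrelated errors (bad arguments, missing permissions) still fail fast with their original message and exit code. Note the caveat raised later in this thread: after az login the session runs as the signed-in user rather than the Cloud Shell managed identity, so commands whose authorization depended on that identity may behave differently after the retry.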

> This is Cloud Shell issue. Could you run with --debug and share the output?
>
> To get unblocked, please run az login and retry the command.

This worked for me. Thanks.

hubert-associates, Apr 13 '20 15:04

This should be fixed now. I cannot repro, please close.

maertendMSFT, Jul 07 '20 22:07

> This should be fixed now. I cannot repro, please close.

Hi @maertendMSFT, this issue doesn't happen consistently, but intermittently. If there are any changes on the Cloud Shell side, could you put some more details?

jiasli, Jul 08 '20 06:07

@jiasli, this appears to fundamentally be the same issue as a few of the other issues that I requested to close, all of which are solved with an az login. We have put out a fix and that should have been included in the latest release (20200702) and be available for all customers now.

maertendMSFT, Jul 08 '20 16:07

@maertendMSFT good news, please let us know when the latest change rolls out.

yonzhan, Jul 08 '20 23:07

The updated image should be available everywhere already :)

maertendMSFT, Jul 08 '20 23:07

I wouldn't close this issue until there is more confirmation. The issue still happens in cloudshell (today).

digimaun, Jul 15 '20 23:07

@maertendMSFT any update for this issue? There are a bunch of customers impacted by this.

yonzhan, Jul 17 '20 15:07

This still appears to be an issue. Well it's an issue for me anyway. I hope these logs can help.

aaron@Azure:~$ az keyvault secret list-versions --vault-name $vault_name --name $vault_cert_name
Error occurred in request., HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token

Here is the tail end of the output with the --debug flag

urllib3.connectionpool : Starting new HTTP connection (1): localhost:50342
urllib3.connectionpool : http://localhost:50342 "POST /oauth2/token HTTP/1.1" 400 121
msrestazure.azure_active_directory : MSI: Retrieving a token from http://localhost:50342/oauth2/token, with payload {'resource': 'https://vault.azure.net'}
msrestazure.azure_active_directory : MSI: Failed to retrieve a token from 'http://localhost:50342/oauth2/token' with an error of '400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token'. This could be caused by the MSI extension not yet fully provisioned.
msrest.exceptions : Error occurred in request., HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
cli.azure.cli.core.util : Error occurred in request., HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Error occurred in request., HTTPError: 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token
Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f8bf399ad90>]
az_command_data_logger : exit code: 1
telemetry.save : Save telemetry record of length 5447 in cache
telemetry.check : Negative: The /home/aaron/.azure/telemetry.txt was modified at 2020-08-11 21:39:07.906455, which in less than 600.000000 s
Command ran in 40.650 seconds (init: 0.041, invoke: 40.610)
aaron@Azure:~$ az --version
azure-cli                          2.9.1 *

command-modules-nspkg              2.0.3
core                               2.9.1 *
nspkg                              3.0.4
telemetry                          1.0.4

Python location '/opt/az/bin/python3'
Extensions directory '/home/aaron/.azure/cliextensions'

Python (Linux) 3.6.10 (default, Jul 16 2020, 08:13:15)
[GCC 5.4.0 20160609]

Legal docs and information: aka.ms/AzureCliLegal


You have 2 updates available. They will be updated with the next build of Cloud Shell.

Please let us know how we are doing: https://aka.ms/azureclihats
and let us know if you're interested in trying out our newest features: https://aka.ms/CLIUXstudy

Hopefully those 2 referenced updates take care of the issue 😁

AgSync-Aaron, Aug 11 '20 21:08

@jiasli this is still happening and hurts the AKS user experience, please prioritize and fix this issue.

haitch, Jun 17 '21 17:06

I am seeing this issue using CentOS with Azure CLI installed. Is there any progress here? Any direction I should be pointed in?

TannerSet, Aug 26 '21 21:08

@TannerSet,

  1. Are you using an Azure VM?
  2. Which command resulted in the error?
  3. Could you share the full error message?

Please create a new issue for us to track.

jiasli, Aug 27 '21 08:08

I'm also getting this error. For me, it was when I ran az storage blob generate-sas. Running az login fixed it. I'm on Windows Terminal connecting directly to the cloud shell.

giggio, Dec 02 '21 00:12

I get the same error using Windows 11 - Windows Terminal, clicking on the drop-down to get an Azure CLI instance. Following the device login page I'm able to run other commands but not the one below:

az ad user create --display-name "..." --password "..." --user-principal-name "..."

Failed to connect to MSI. Please make sure MSI is configured correctly.
Get Token request returned: <Response [400]>

oguzhanf, Dec 08 '21 04:12

Workaround doesn't work for me. Getting error while doing az login.

az login --debug cli.knack.log: File logging enabled - writing logs to 'C:\Users\danasherman.azure\logs'. cli.knack.cli: Command arguments: ['login', '--debug'] cli.knack.cli: init debug log: Enable color in terminal. cli.knack.cli: Event: Cli.PreExecute [] cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x03D35148>, <function OutputProducer.on_global_arguments at 0x03FD0FA0>, <function CLIQuery.on_global_arguments at 0x03FF8B68>] cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate [] cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile'] cli.azure.cli.core: Loading command modules: cli.azure.cli.core: Name Load Time Groups Commands cli.azure.cli.core: profile 0.007 2 9 cli.azure.cli.core: Total (1) 0.007 2 9 cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next'] cli.azure.cli.core: Loading extensions: cli.azure.cli.core: Name Load Time Groups Commands Directory cli.azure.cli.core: Total (0) 0.000 0 0 cli.azure.cli.core: Loaded 2 groups, 9 commands. cli.azure.cli.core: Found a match in the command table. cli.azure.cli.core: Raw command : login cli.azure.cli.core: Command table: login cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x042898E0>] cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\danasherman.azure\commands\2022-02-07.06-24-26.login.35532.log'. 
az_command_data_logger: command args: login --debug cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x042F0340>, <function register_global_query_examples_argument..register_query_examples at 0x04352610>] cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad [] cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x04352658>, <function register_cache_arguments..add_cache_arguments at 0x043526E8>] cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded [] cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [] cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x03FE1028>, <function CLIQuery.handle_query_parameter at 0x03FF8BB0>, <function register_global_query_examples_argument..handle_example_parameter at 0x04352580>, <function register_ids_argument..parse_ids_arguments at 0x043526A0>] cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\danasherman\.azure\msal_token_cache.bin', encrypt=True cli.azure.cli.core.auth.identity: _load_msal_http_cache: C:\Users\danasherman.azure\msal_http_cache.bin cli.azure.cli.core.auth.identity: __load_msal_http_cache: C:\Users\danasherman.azure\msal_http_cache.bin urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None) msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/organizations/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 
'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantid}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/organizations/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/organizations/kerberos', 'tenant_region_scope': None, 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'} cli.azure.cli.core.auth.identity: The default web browser has been opened at https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with az login --use-device-code. 
msal.telemetry: Generate or reuse correlation_id: ecaf258a-fa40-4b39-92f9-c1a035e39be6 msal.oauth2cli.oauth2: Using http://localhost:59989 as redirect_uri msal.oauth2cli.authcode: Abort by visit http://localhost:59989?error=abort msal.oauth2cli.authcode: Open a browser on this device to visit: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=04b07795-8ddb-461a-bbee-02f9e1bf7b46&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A59989&scope=https%3A%2F%2Fmanagement.core.windows.net%2F%2F.default+offline_access+openid+profile&state=ipZGCVcmOjlvUzaL&code_challenge=KOEVToIH4MLf--YNJ4FMkWnn6pb8egGD1-Ceih3Ml9g&code_challenge_method=S256&nonce=0216694b50dfea1e46503f9febe19ad57c89d4b97c9dd066b37abfb853358a0b&client_info=1&prompt=select_account msal.oauth2cli.authcode: code 400, message Bad request version ('localhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00') ç¥tDo© !h2cli.authcode: "▬♥☺☻☺☺ü♥♥´↕"ô Îe' 5¼►YwM↨!v A¶ÎãZîá¥õ×Ù* Y| ::‼☺‼☻‼♥À+À/À,À0̨̩À‼À¶êê localhost↨ÿ☺☺" 400 - msal.oauth2cli.authcode: code 400, message Bad request version ('localhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00') ýwÛÿ↑vð♠· ð÷ËQvÁl71SPDàù∟)ÿVjµLXî↕ýXp zz‼☺‼☻‼♥À+À/À,À0̨̩À‼À¶jj localhost↨ÿ☺☺" 400 - msal.oauth2cli.authcode: code 400, message Bad request version ('localhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00') msal.oauth2cli.authcode: "▬♥☺☻☺☺ü♥♥îß↑ìøÅ¯º♣3ëRS!Â¥ç×Ͻü{☺Ã♣ÄD© »↕3¢ë→£Ùò)°RÐ!»1▲ü↔à 7 ð¶P*i5 JJ‼☺‼☻‼♥À+À/À,À0̨̩À‼À¶ÊÊ localhost↨ÿ☺☺" 400 - msal.oauth2cli.authcode: code 400, message Bad request version ('localhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00') msal.oauth2cli.authcode: "▬♥☺☻☺☺ü♥♥úÍJ#ÙU→Ëh 6oU£~A93ᬠ.·ô¢«k ¤Ï«Í↓ÌðÓ_kê:: localhost↨ÿ☺☺" 400 - msal.oauth2cli.authcode: code 400, message Bad request version ('localhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00') msal.oauth2cli.authcode: "▬♥☺☻☺☺ü♥♥ŰB>►:<§×ÞCå0Øz0¸R£AË¥át0©Ì ­­B|øhÿòlb§H*íb Õµ¦G 6>ñH jj‼☺‼☻‼♥À+À/À,À0̨̩À‼À¶jj localhost↨ÿ☺☺" 400 - msal.oauth2cli.authcode: code 400, message Bad request version 
('ÊÊ\x13\x01\x13\x02\x13\x03À+À/À,À0̨̩À\x13À\x14\x00\x9c\x00\x9d\x00/\x005\x01\x00\x01\x93') msal.oauth2cli.authcode: "▬♥☺☻☺☺ü♥♥òôUÀg#ÎM ▬6à7Âi;gÐàüî+▼w¡ Ä@Úc↕W3Eæ® ¯£♥eâªØA ÊÊ‼☺‼☻‼♥À+À/À,À0̨̩À‼À¶" 400 - msal.oauth2cli.authcode: code 400, message Bady(v 2½´\:ËÏ¥b↕y♥ïÕÔ¹▬êêlhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00') mslocalhost↨ÿ☺☺" 400 -e: "▬♥☺☻☺☺ü♥♥Ý^;)ÿuÕl♣) msal.oauth2cli.authcode: code 400, message Bad request version ('localhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00') msal.o↓d&x¯SU↔ÊjS»ù☺%²ÇHj"▬♥☺☻☺☺õYQTE jj‼☺‼☻‼♥À+À/À,À0̨̩À‼À¶zz ~»localhost↨ÿ☺☺" 400 - msal.oauth2cli.authcode: code 400, message Bad request version ('localhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00') msal.oauth2cli.authcode: "▬♥☺☻☺☺ü♥♥ÝãvjP§±afsldI­&E»♠Ù§"µb→Ë)u% ªÉ].↑Ô♦ãL¶²ö"☻↑ÒÌRü¯( D ªª‼☺‼☻‼♥À+À/À,À0̨̩À‼À¶ºº localhost↨ÿ☺☺" 400 - msal.oauth2cli.▼Ey↕1EÒ♠;**ode 400, message Bad request version ('localhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00') ▬6localhost↨ÿ☺☺" 400 -e: "▬♥☺☻☺☺ü♥♥Å$CÌ♥æ0õ msal.oauth2cli.authcode: code 400, message Bad request syntax ('\x16\x03\x01\x02\x00\x01\x00\x01ü\x03\x03Qé\x0f^') msal.oauth2cli.authcode: "▬♥☺☻☺☺ü♥♥Qé^" 400 - msal.oauth2cli.authcode: code 400, message Bad request version ('localhost\x00\x17\x00\x00ÿ\x01\x00\x01\x00\x00') msal.oauth2cli.authcode: "▬♥☺☻☺☺ü♥♥¶0Ú8ú☺õñ-ÓÁúifùsÂÁ¼À:∟îã»,ªXYß[Tº»:¹ ZZ‼☺‼☻‼♥À+À/À,À0̨̩À‼À¶ÚÚ localhost↨ÿ☺☺" 400 -

sherdana, Feb 07 '22 14:02

@sherdana, your message is corrupted. Also, you are not on Cloud Shell, but on a Windows machine. Please create a new issue with detailed information and the error message.

jiasli, Feb 08 '22 06:02

Running az login isn't an acceptable workaround. MSI login allows for elevated commands like "az ad app" which will be blocked otherwise.

sabbour, Oct 14 '22 06:10

This issue doesn't happen on Cloud Shell created from the Azure Portal, but still exists on Cloud Shell created from the Docs site. Is there anyone who can connect the Cloud Shell team to investigate the issue?

xfz11, Mar 17 '23 02:03

A similar error is occurring in the Microsoft Training lab "Exercise - Configure a system-assigned managed identity for an Azure VM", first command.

luiznazari, Apr 29 '23 19:04

> 400 Client Error: Bad Request for url: http://localhost:50342/oauth2/token is a known issue of Cloud Shell that it intermittently fails with this error.
>
> Workarounds
>
> There are 2 workarounds:
>
>   1. Use Azure CLI on a local machine
>   2. In Cloud Shell, run az login and retry the command

This workaround for Cloud Shell no longer works!!! The only alternative would be from your local machine.

Invoking "az ad app permission grant --id 54e27600-df4f-4e97-96b1-6aab7c1e0189 --api 00000003-0000-0000-c000-000000000000" is needed to make the change effective
Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned: <Response [400]>

CornerstoneII, Jan 03 '24 21:01

This is still an issue that crashed my deployment. Running the following command without az login:

az aks create --resource-group ClusterRG01 --name AKSCluster02 --node-count 2 --enable-addons monitoring --generate-ssh-keys

resulted in error:

Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned: <Response [400]>

but after running az login in Cloud Shell and retrying the same command (with the cluster number incremented), it succeeded without any error.

EDIT: copy/pasted complete literal error

MantisTree, Aug 29 '24 05:08