Hi Salam,
I think I got the issue, please find the complete details below.
Issue:
Using az ad sp create-for-rbac to create a service principal with a specific role and then attempting to assign additional roles to the same service principal at the same scope could result in an "identity not found" error
Cause:
Scope Limitations: When you create a service principal using az ad sp create-for-rbac with a specific role and scope, it is scoped to that particular role and scope. Attempting to assign additional roles to the same service principal at the same scope may conflict with the initial role assignment.
Role Conflicts: The roles assigned to a service principal should not conflict with each other or overlap in their permissions. If there are conflicting roles assigned to the service principal, it could lead to issues such as "identity not found" errors.
Solution:
The approach to avoid the "identity not found" error due to scope limitations or role conflicts is to create the service principal (az ad sp create) separately and then assign multiple roles to it as needed. This approach allows for more flexibility in managing permissions and role assignments for the service principal.
- Create service principal: which you have already created with Contributor permissions.
- Delete existing roles: now delete both the Key Vault Reader and the "identity not found" role assignments from the resources and assign as per below.
- Assign roles: once the service principal is created, you can assign multiple roles to it using the az role assignment create command. Specify the service principal's Object ID (--assignee-object-id) and the roles (--role) you want to assign.
az role assignment create --assignee-object-id <spn-object-id> --role "<role1>" --scope <scope1>
az role assignment create --assignee-object-id <spn-object-id> --role "<role2>" --scope <scope2>
By creating the service principal separately and then assigning roles to it, you can better manage permissions, avoid scope limitations, and ensure that the service principal has the necessary permissions to fulfill its roles without encountering errors related to identity resolution.
NOTE: what you did wrong is that in the first step you used this to create the role assignment: "az ad sp create-for-rbac --name eShopSecure-SPcliA2ndD --role "Key Vault Reader" --scopes /subscriptions/XXX4725-460d-8e3b-8rtrdfddd/resourcegroups/msDefenderTrialTest/providers/Microsoft.KeyVault/vaults/myKV", instead of just using az role assignment create to do the role assignment.
Please check the docs below for reference:
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#best-practices-for-individual-keys-secrets-and-certificates-role-assignments
Kindly accept if this helps. Thanks
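The procedure from the answer above, written out as an added shell script (not code from the original answer). It creates the app registration and service principal with no role, resolves the principal's object id, and then adds each role with az role assignment create. Two details beyond the answer are assumptions of this example: assign_role passes --assignee-principal-type ServicePrincipal so the role-assignment service does not need a directory lookup for a principal that may not have replicated yet, and it retries a few times on failure, which is the usual cause of "principal not found" style errors right after creation. The subscription, resource group and vault in the scopes are placeholders, the display name is the one from the thread, and a current Azure CLI is assumed. Set RUN_EXAMPLE=1 to execute the end-to-end run; otherwise the file only defines functions.

```shell
#!/usr/bin/env sh
# Added example (not from the original answer): create the service principal
# without a role, then assign roles one at a time with az role assignment create.
# Scopes below are placeholders; MAX_TRIES / RETRY_SLEEP are this example's own knobs.

RETRY_SLEEP="${RETRY_SLEEP:-10}"   # seconds between attempts (0 in tests)
MAX_TRIES="${MAX_TRIES:-6}"

# Create the app registration and its service principal with NO role assignment.
# Prints the application (client) id.
create_sp() {
    app_id=$(az ad app create --display-name "$1" --query appId -o tsv) || return 1
    az ad sp create --id "$app_id" >/dev/null || return 1
    printf '%s\n' "$app_id"
}

# Resolve the service principal's object id from its application id. This is the
# value --assignee-object-id expects (not the app id and not the display name).
sp_object_id() {
    az ad sp show --id "$1" --query id -o tsv
}

# Assign one role at one scope. A freshly created principal can take a moment to
# replicate, so retry up to MAX_TRIES times; --assignee-principal-type avoids the
# directory lookup that fails in that window. Returns 0 on success, 1 otherwise.
assign_role() {
    obj_id=$1; role=$2; scope=$3; n=0
    while [ "$n" -lt "$MAX_TRIES" ]; do
        if az role assignment create \
                --assignee-object-id "$obj_id" \
                --assignee-principal-type ServicePrincipal \
                --role "$role" --scope "$scope" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep "$RETRY_SLEEP"
    done
    echo "failed to assign '$role' at $scope after $MAX_TRIES attempts" >&2
    return 1
}

# List the role names currently held by the principal, one per line, so the
# final state can be verified after the assignments are made.
list_roles() {
    az role assignment list --assignee "$1" --all --query "[].roleDefinitionName" -o tsv
}

# End-to-end run, guarded so the functions can also be sourced or tested.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    KV_SCOPE="/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<kv>"
    RG_SCOPE="/subscriptions/<sub-id>/resourceGroups/<rg>"
    app_id=$(create_sp "eShopSecure-SPcliA2ndD") || exit 1
    obj_id=$(sp_object_id "$app_id") || exit 1
    assign_role "$obj_id" "Key Vault Reader" "$KV_SCOPE" || exit 1
    assign_role "$obj_id" "Contributor" "$RG_SCOPE" || exit 1
    list_roles "$obj_id"
fi
```

Each assignment is a separate az role assignment create call at its own scope, which is exactly what the answer recommends instead of bundling a role into create-for-rbac; list_roles at the end lets you confirm that only the intended roles are present before the principal is handed to a pipeline.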