work around AAD service principal race condition (#716)

This works around an issue in AAD service principal creation. The race condition in AAD shows up as: ``` INFO:deploy:checking if RBAC already exists INFO:deploy:creating Application registration INFO:deploy:creating service principal Traceback (most recent call last): File "deploy.py", line 926, in <module> main() File "deploy.py", line 920, in main state[1](client) File "deploy.py", line 303, in setup_rbac client.service_principals.create(service_principal_params) File "/tmp/tmpp2x7ybfg/deploy-venv/lib/python3.8/site-packages/azure/graphrbac/operations/service_principals_operations.py", line 87, in create raise models.GraphErrorException(self._deserialize, response) azure.graphrbac.models.graph_error_py3.GraphErrorException: When using this permission, the backing application of the service principal being created must in the local tenant ``` The azure-cli has the same issue, as seen in https://github.com/Azure/azure-cli/issues/14767
2025-06-14 11:08:06 +00:00 · 2021-03-23 17:02:36 -04:00
parent 3ef7db64c3
commit de5c843eb5
1 changed files with 27 additions and 1 deletions
--- a/src/deployment/deploy.py
+++ b/src/deployment/deploy.py
@ -300,7 +300,33 @@ class Client:
                service_principal_type="Application",
                app_id=app.app_id,
            )
-            client.service_principals.create(service_principal_params)
+
+            def try_sp_create() -> None:
+                error: Optional[Exception] = None
+                for _ in range(10):
+                    try:
+                        client.service_principals.create(service_principal_params)
+                        return
+                    except GraphErrorException as err:
+                        # work around timing issue when creating service principal
+                        # https://github.com/Azure/azure-cli/issues/14767
+                        if (
+                            "service principal being created must in the local tenant"
+                            not in str(err)
+                        ):
+                            raise err
+                    logging.warning(
+                        "creating service principal failed with an error that occurs "
+                        "due to AAD race conditions"
+                    )
+                    time.sleep(60)
+                if error is None:
+                    raise Exception("service principal creation failed")
+                else:
+                    raise error
+
+            try_sp_create()
+
        else:
            app = existing[0]
            existing_role_values = [app_role.value for app_role in app.app_roles]