  1. Overview
  2. Common Errors
  3. Cause
  4. Prerequisite
  5. Verification
  6. Additional Information

1. Overview

There are situations where Azure Discovery fails with multiple errors and it becomes difficult to understand where the issue comes from. It could be the Azure credential, the ServiceNow Cloud API, the MID Server, or something else. This article demonstrates how to verify the Azure credentials from the command line to narrow down the issue.

2. Common Errors

Failed to execute API - Failed with status code and message: 403: {"error":{"code":"AuthorizationFailed","message":
"The client '572864c1-e43f-43b3-8770-d51eaa7db603' with object id '572864c1-e43f-43b3-8770-d51eaa7db603' does not have authorization to perform action
'Microsoft.Resources/subscriptions/locations/read' over scope '/subscriptions/51da9d66-1794-405e-b15f-6d9838208edd'."}} (script_include:CloudRESTAPIInvoker; line 122)

java.lang.IllegalArgumentException: Invalid uri ' 6d1fadd8-05a4-4b22-9dec-5e7ca49f8674/resourcegroups?api-version=2015-01-01': escaped absolute path not valid

The second error indicates that the subscription is invalid and could not be recognised for discovery.

3. Cause

  • The Secret Key might be expired
  • The Secret Key associated with the Application ID does not match
  • Unknown Application ID and Secret Key
  • The user with the Subscription ID has no access or no Reader role

4. Prerequisite 

As mentioned in our documentation (Create a service account for Azure), to configure the Azure credentials and Service Principal, you will need: 

  • Directory ID
  • Application ID
  • Application Key
  • Subscription ID

The Subscription ID is used while configuring the Service Principal, and the other values are used for the Azure credentials. The customer might have a parent Subscription ID and multiple Application IDs along with Application Keys.

5. Verification

Note: Once the credentials are saved in the ServiceNow Credentials table, the provided secret key is no longer visible and cannot be retrieved, so the customer needs to have all the information at hand for verification.

  • Log in to Azure Cloud Shell (if it is not available, the customer needs to install it)

  • Keep the APP_ID handy, then copy and execute the command "az role assignment list --assignee APP_ID"

  • If the command returns no output, no roles have been provided to the APP_ID

  • If the command returns output with some result, the "Reader" role provided to the APP_ID can be seen in it
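
The role check above can also be made scope-aware, because a "Reader" role granted only on a resource group still leads to the AuthorizationFailed error over the subscription scope shown in section 2. The script below is an added example, not part of the original article or of ServiceNow's tooling; the function name classify_reader, its verdict strings and the APP_ID / SUBSCRIPTION_ID environment variables are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. classify_reader and its
# verdict strings are hypothetical names chosen for this sketch.
# stdin: one "role<TAB>scope" line per role assignment of the APP_ID.
# Verdicts:
#   no-assignments  the command returned nothing for the APP_ID
#   no-reader       roles exist, but no Reader that applies to this subscription
#   reader-narrow   Reader only below the subscription (resource group/resource),
#                   so subscription-level reads still fail with AuthorizationFailed
#   reader-mgmt     Reader on a management group; confirm the subscription is in it
#   reader-ok       Reader on the subscription itself or on the root scope "/"
classify_reader() {
  sub_scope=$(printf '/subscriptions/%s' "$1" | tr '[:upper:]' '[:lower:]')
  tab=$(printf '\t')
  rank=0
  while IFS="$tab" read -r role scope || [ -n "$role" ]; do
    [ -n "$role" ] || continue
    scope=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')  # scopes are case-insensitive
    r=1
    if [ "$role" = "Reader" ]; then
      case "$scope" in
        /|"$sub_scope") r=4 ;;
        /providers/microsoft.management/managementgroups/*) r=3 ;;
        "$sub_scope"/*) r=2 ;;
      esac
    fi
    if [ "$r" -gt "$rank" ]; then rank=$r; fi
  done
  case "$rank" in
    0) echo no-assignments ;;
    1) echo no-reader ;;
    2) echo reader-narrow ;;
    3) echo reader-mgmt ;;
    4) echo reader-ok ;;
  esac
}

if [ -n "${APP_ID:-}" ] && [ -n "${SUBSCRIPTION_ID:-}" ]; then
  # Live check in Azure Cloud Shell; assumes the active subscription is the
  # one being discovered. --all also lists resource-group level assignments.
  az role assignment list --assignee "$APP_ID" --all \
    --query "[].[roleDefinitionName, scope]" -o tsv | classify_reader "$SUBSCRIPTION_ID"
else
  # Constructed sample: Reader granted on a single resource group only.
  s=00000000-0000-0000-0000-000000000000
  printf 'Reader\t/subscriptions/%s/resourceGroups/rg-demo\n' "$s" | classify_reader "$s"
fi
```

Only reader-ok confirms that the Reader role covers the whole subscription; any other verdict points to the role assignment, not the secret key, as the place to look.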


6. Additional information

Article Information

Last Updated:2019-08-02 20:55:23