Azure SP authentication in Python using JSON file: Invalid client secret is provided

Question

I'm attempting to authenticate with Azure DNS using a service principal I created, but I'm getting an authentication error. What am I doing wrong?

Here is how I created the SP:

az ad sp create-for-rbac --name az-dns-manager --skip-assignment --sdk-auth > az-dns-credentials.json
az role assignment create --asssignee "$CLIENT_ID_FROM_JSON" --role "DNS Zone Contributor" --scope "$AZ_DNS_SCOPE"

And here is how I'm authenticating in Python:

from azure.common.client_factory import get_client_from_auth_file
from azure.mgmt.dns import DnsManagementClient

dns_client = get_client_from_auth_file(
    DnsManagementClient, auth_path='az-dns-credentials.json')
dns_client.record_sets.create_or_update(...)

I then get the following error:

msrest.exceptions.AuthenticationError: Get Token request returned http error:
401 and server response:
{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client
secret is provided.\r\nTrace ID:
e4ac8241-49c0-457f-9b8f-1d41c4fd0600\r\nCorrelation ID:
6be25bc7-01e4-4ce5-a26f-8da0e02b4a64\r\nTimestamp: 2020-12-19
22:55:00Z","error_codes":[7000215],"timestamp":"2020-12-19
22:55:00Z","trace_id":"e4ac8241-49c0-457f-9b8f-1d41c4fd0600","correlation_id":"6be25bc7-01e4-4ce5-a26f-8da0e02b4a64","error_uri":"https://login.microsoftonline.com/error?code=7000215"}

Answer 1

Not sure what I did wrong before, but it seems to be working now. I used the following commands:

az ad sp create-for-rbac --name ide-cert-manager --skip-assignment --sdk-auth > ide-cert-manager-auth.json;
CLIENT_ID=$(cat ide-cert-manager-auth.json | jq -r .clientId);
DNS_ID=$(az network dns zone show --name ide.boldidea.org --resource-group ideResourceGroup --query "id" --output tsv);
az role assignment create --assignee "$CLIENT_ID" --role "DNS Zone Contributor" --scope "$DNS_ID";