Azure-Samples / azure-sdk-for-go-samples

Examples of how to utilize Azure services from Go.
MIT License

issue running go test on "keyvault_test.go" #253

Closed WilliamMortlMicrosoft closed 5 years ago

WilliamMortlMicrosoft commented 5 years ago

Thank you for your contribution and feedback! Help us review faster by providing the following information:

This issue is a: (mark with an x)

Steps to reproduce:

Running "go test" in "keyvault" sample directory

Errors and log messages:

despite setting all of my env vars to the create info for my service principal, I cannot update the permissions on my keyvault (the resource group and keyvault are successfully created)

Williams-MBP:keyvault wmortl$ go test
2019/07/30 15:53:04 creating resource group 'azure-samples-go-KeyVault-UtCl8' on location: centralus
2019/07/30 15:53:09 vault created
2019/07/30 15:53:10 keyvault.VaultsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="An invalid value was provided for 'accessPolicies'."
2019/07/30 15:53:10 set vault permissions
2019/07/30 15:53:11 keyvault.BaseClient#CreateKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Access denied" InnerError={"code":"AccessDenied"}
2019/07/30 15:53:11 created key

Expected behavior:

test should pass

OS and Go versions:

macOS 10.14.6 go version go1.12.7 darwin/amd64

Williams-MBP:keyvault wmortl$ az --version
azure-cli 2.0.69 *

command-modules-nspkg 2.0.3
core 2.0.69 *
nspkg 3.0.4
telemetry 1.0.3

Further info:

Sorry if I am messing something up here - any help would be welcome! :-) I've been banging my head against the wall here

jhendrixMSFT commented 5 years ago

This is a bug in the sample, specifically how it creates a keyvault authorizer. In SetVaultPermissions() the client ID is used for the object ID, which is incorrect; the object ID for the service principal should be used instead, see the following code.

https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/master/keyvault/vault.go#L116

The easiest way to obtain the object ID for your service principal is to use the CLI.

az ad sp show --id <your client ID>

You should see the following as part of the output.

  "objectId": "<some GUID>",
  "objectType": "ServicePrincipal",
  "odata.metadata": "https://graph.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/$metadata#directoryObjects/@Element",

The value for objectId is what you want to use when specifying access policies. I will update the sample with this info.
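The root cause above is that a Key Vault access policy identifies a principal by its directory object ID, not by the application (client) ID, and the service returns only a generic 400 when the wrong GUID is supplied. The following Go program is an added example, not code from the sample repository or from the commenter: it parses the `az ad sp show` output, checks `objectType`, refuses a candidate that is actually the `appId`, and builds the `accessPolicies` array in the shape the Microsoft.KeyVault/vaults resource expects. The JSON and all GUIDs are constructed; the `appId` field is assumed to be present in the CLI output (the issue only shows `objectId`, `objectType` and `odata.metadata`).

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// SampleSPJSON is a constructed stand-in for `az ad sp show --id <client ID>`
// output. All GUIDs are made up; appId is assumed to be present in real output.
const SampleSPJSON = `{
  "appId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "displayName": "sample-sp",
  "objectId": "11111111-2222-3333-4444-555555555555",
  "objectType": "ServicePrincipal"
}`

// SampleTenantID is a constructed tenant GUID.
const SampleTenantID = "99999999-8888-7777-6666-555555555555"

// guidRe matches the canonical 8-4-4-4-12 form Azure AD uses for IDs.
var guidRe = regexp.MustCompile(`(?i)^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// servicePrincipal holds the fields of the CLI output that matter here.
type servicePrincipal struct {
	AppID      string `json:"appId"`
	ObjectID   string `json:"objectId"`
	ObjectType string `json:"objectType"`
}

// Permissions is the subset of access-policy permissions used in this example.
type Permissions struct {
	Keys    []string `json:"keys,omitempty"`
	Secrets []string `json:"secrets,omitempty"`
}

// AccessPolicyEntry mirrors one element of properties.accessPolicies.
type AccessPolicyEntry struct {
	TenantID    string      `json:"tenantId"`
	ObjectID    string      `json:"objectId"`
	Permissions Permissions `json:"permissions"`
}

// parseSP decodes the CLI output and rejects anything that is not a
// service principal with a well-formed object ID.
func parseSP(raw []byte) (servicePrincipal, error) {
	var sp servicePrincipal
	if err := json.Unmarshal(raw, &sp); err != nil {
		return sp, fmt.Errorf("parse az ad sp show output: %w", err)
	}
	if sp.ObjectType != "ServicePrincipal" {
		return sp, fmt.Errorf("objectType is %q, want ServicePrincipal", sp.ObjectType)
	}
	if !guidRe.MatchString(sp.ObjectID) {
		return sp, fmt.Errorf("objectId %q is not a GUID", sp.ObjectID)
	}
	return sp, nil
}

// ObjectIDFromSPJSON returns the directory object ID of the service principal.
func ObjectIDFromSPJSON(raw []byte) (string, error) {
	sp, err := parseSP(raw)
	if err != nil {
		return "", err
	}
	return sp.ObjectID, nil
}

// ValidateObjectID checks a candidate before it goes into an access policy.
// Supplying the appId (client ID) is exactly the mistake behind the 400
// "invalid value for 'accessPolicies'", so that case is named explicitly.
func ValidateObjectID(raw []byte, candidate string) error {
	sp, err := parseSP(raw)
	if err != nil {
		return err
	}
	switch candidate {
	case sp.ObjectID:
		return nil
	case sp.AppID:
		return fmt.Errorf("%s is the appId (client ID); access policies need objectId %s", candidate, sp.ObjectID)
	default:
		return fmt.Errorf("%s matches neither objectId nor appId of this principal", candidate)
	}
}

// AccessPoliciesJSON renders the accessPolicies array granting the given key
// and secret permissions to one principal. Both IDs must be GUIDs.
func AccessPoliciesJSON(tenantID, objectID string, keys, secrets []string) ([]byte, error) {
	for _, id := range []string{tenantID, objectID} {
		if !guidRe.MatchString(id) {
			return nil, fmt.Errorf("%q is not a GUID", id)
		}
	}
	entries := []AccessPolicyEntry{{
		TenantID:    tenantID,
		ObjectID:    objectID,
		Permissions: Permissions{Keys: keys, Secrets: secrets},
	}}
	return json.Marshal(entries)
}

func main() {
	objectID, err := ObjectIDFromSPJSON([]byte(SampleSPJSON))
	if err != nil {
		panic(err)
	}
	// The wrong value (the client ID) is caught locally, before any ARM call.
	fmt.Println(ValidateObjectID([]byte(SampleSPJSON), "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"))
	body, err := AccessPoliciesJSON(SampleTenantID, objectID, []string{"get", "create", "delete"}, []string{"get", "set"})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
}
```

In a real run you would feed `ValidateObjectID` the raw output of `az ad sp show --id "$AZURE_CLIENT_ID"` together with whatever GUID your code is about to place in the policy; if it reports that the candidate is the appId, the env var wired into `SetVaultPermissions()` is the one to change.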

jhendrixMSFT commented 5 years ago

The sample has been updated and works as expected now.