Azure / azure-cli

Azure Command-Line Interface
MIT License

Can't inject a non-certificate secret into vm with az vm create #10211

Open CassidyKramer opened 5 years ago

CassidyKramer commented 5 years ago

Describe the bug Hi, I'm trying to use cloud-init to automate the configuration and registration of a Linux build agent self-hosted in an ASE, since the agent will be redeployed regularly. To automate the registration, I need to inject an Azure DevOps personal access token into cloud-init. I added the token to a key vault and tried using this tutorial (https://docs.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment) to inject the token, but received the following error:

Deployment failed. Correlation ID: 6a440bdb-b5fb-48df-9e0b-fa3bc03d8fe4. {
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "CertificateImproperlyFormatted",
        "message": "The data retrieved from *** is not deserializable into JSON."
      }
    ]
  }
}

To Reproduce

secret=$(az keyvault secret list-versions --subscription "{subscription}" --vault-name {vault name} --name {secret name}  --query "[?attributes.enabled].id" --output tsv)

vm_secret=$(az vm secret format --subscription "{subscription}" -g "{resource group}" -s "$secret" --keyvault {vault name})

az vm create \
  --name {vm name} \
  --resource-group {resource group name} \
  --image Canonical:UbuntuServer:18.04-LTS:latest \
  --location eastus2 \
  --size Standard_B1ms \
  --admin-username {admin username} \
  --vnet-name {vnet name} \
  --subnet {subnet name} \
  --custom-data cloud-init.txt \
  --nsg {nsg name} \
  --ssh-key-values {public ssh} \
  --secrets "$vm_secret" \
  --tags environment=test

Expected behavior I would be allowed to inject actual secrets with az vm create --secrets, rather than only certificates.

If this isn't possible, I would like to be guided on the best practice for injecting secrets into cloud-init.

Environment summary CLI version 2.0.70 , bash shell
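The closing question of the report (what to do instead when the value is a PAT rather than a certificate) is not answered in this thread. The following is an added example, not azure-cli code and not a maintainer recommendation. It does two things: a pre-flight check on the secret's `contentType`, since the `--secrets` path is only for certificate-backed secrets (consistent with the `CertificateImproperlyFormatted` error above), and a generator for a cloud-init document that fetches a plain secret at first boot through the VM's managed identity, using the Instance Metadata Service token endpoint and the Key Vault REST API, so the token is never embedded in the image, the template or the custom-data blob. The vault name `kv-build`, secret name `ado-pat` and destination `/etc/azagent/pat` are hypothetical; the sample Key Vault responses are constructed. The example assumes the VM is created with `--assign-identity` and that identity has been granted `get` on secrets in the vault (for example with `az keyvault set-policy --secret-permissions get`); it does not perform that setup itself.

```python
"""Added example (not part of azure-cli): checks and a cloud-init generator
for getting a non-certificate Key Vault secret onto a VM."""
import json
from urllib.parse import quote

# Content types Key Vault sets on the secret that backs a certificate object.
# Anything else (a PAT, a password) is not something the VM agent can
# deserialize when handed over via `az vm create --secrets`.
CERTIFICATE_CONTENT_TYPES = {"application/x-pkcs12", "application/x-pem-file"}

# Azure Instance Metadata Service token endpoint. Link-local, reachable only
# from inside the VM, and the "Metadata: true" header is mandatory.
IMDS_TOKEN_URL = (
    "http://169.254.169.254/metadata/identity/oauth2/token"
    "?api-version=2018-02-01&resource="
    + quote("https://vault.azure.net", safe="")
)


def is_injectable_with_vm_secrets(secret_metadata):
    """True only when the secret is certificate-backed.

    `secret_metadata` is the JSON object returned by `az keyvault secret show`
    or the Key Vault REST API; only the `contentType` field matters here.
    """
    return secret_metadata.get("contentType") in CERTIFICATE_CONTENT_TYPES


def key_vault_secret_url(vault_name, secret_name, api_version="7.4"):
    """REST URL for the current version of a secret in a public-cloud vault."""
    return (f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
            f"?api-version={api_version}")


def extract_secret_value(response_body):
    """Pull the value out of a Key Vault GET /secrets/{name} response.

    Refuses disabled or empty secrets instead of silently writing an empty
    file that the agent registration would then fail on later.
    """
    doc = json.loads(response_body)
    if not doc.get("attributes", {}).get("enabled", False):
        raise ValueError("secret is disabled")
    value = doc.get("value")
    if not value:
        raise ValueError("secret has no value")
    return value


def build_cloud_init(vault_name, secret_name, dest="/etc/azagent/pat"):
    """Render a #cloud-config whose runcmd fetches the secret at first boot.

    Assumes (hypothetical setup) a managed identity on the VM with `get`
    permission on secrets in `vault_name`. The fetch is a single block
    scalar so the shell variable holding the token survives between lines.
    """
    dest_dir = dest.rsplit("/", 1)[0]
    secret_url = key_vault_secret_url(vault_name, secret_name)
    script = [
        "set -eu",
        "umask 077",
        f"install -d -m 0700 {dest_dir}",
        # Token for the vault.azure.net audience via IMDS, no credentials on disk.
        f"token=$(curl -fsS -H 'Metadata: true' '{IMDS_TOKEN_URL}' "
        "| python3 -c 'import json,sys; print(json.load(sys.stdin)[\"access_token\"])')",
        # Same enabled/value checks as extract_secret_value, inlined for the VM.
        f"curl -fsS -H \"Authorization: Bearer $token\" '{secret_url}' "
        "| python3 -c 'import json,sys; d=json.load(sys.stdin); "
        "assert d[\"attributes\"][\"enabled\"]; sys.stdout.write(d[\"value\"])' "
        f"> {dest}",
        f"chmod 0400 {dest}",
    ]
    body = "\n".join("    " + line for line in script)
    return "#cloud-config\nruncmd:\n  - |\n" + body + "\n"


if __name__ == "__main__":
    # Constructed metadata, as `az keyvault secret show` would return it.
    pat_metadata = {"id": "https://kv-build.vault.azure.net/secrets/ado-pat/0123",
                    "contentType": None, "attributes": {"enabled": True}}
    if not is_injectable_with_vm_secrets(pat_metadata):
        print("not a certificate: do not pass this to --secrets; use cloud-init")
        print(build_cloud_init("kv-build", "ado-pat"), end="")
```

Write the rendered document to a file and pass it as `--custom-data`; the `--secrets` flag is then not needed at all for the PAT. The token still ends up on disk (mode 0400, root-owned), so keep the PAT scoped to agent-pool registration and rotate it; the managed identity only needs `get` on that one secret.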

qwordy commented 5 years ago

I am afraid that you cannot inject secrets with az vm create --secrets other than certificates.

qwordy commented 5 years ago

az vm secret add has a mandatory parameter --certificate

https://docs.microsoft.com/en-us/cli/azure/vm/secret?view=azure-cli-latest#az-vm-secret-add

jiasli commented 5 years ago

Since it's not possible to inject non-certificate secrets into a VM, you may create a support ticket to get assistance from the Azure VM team on best practice for injecting secrets.

qwordy commented 5 years ago

If you have further questions, open a new issue. Thanks.

dkarlovi commented 3 years ago

If anybody got the suggestion to inject secrets into VMs, please update this issue since this is where you land from Google when looking up this unexpected restriction.

Being unable to inject secrets with a command called secret is quite unusual to say the least.

zhoxing-ms commented 3 years ago

@dkarlovi This requires the service team to confirm whether non-certificate secrets are supported and how to inject them. I'll transfer this issue to the Compute team.

ghost commented 3 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Drewm3, @avirishuv, @vaibhav-agar, @amjads1.

Issue Details
Author: ps-ckramer
Assignees: jiasli, qwordy
Labels: `Compute`, `KeyVault`, `Service Attention`, `Compute - VM`
Milestone: -