`az keyvault update --default-action Deny` specifies bypasses AzureServices by default.

samueleresca commented 1 year ago

Describe the bug

Command Name az keyvault update

Errors: Executing the following command: az keyvault update --debug --resource-group {} --name {} --default-action Deny Also specifies bypass=AzureServices by default. It sends a request body with:

"networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny"},

To Reproduce:

Create a keyvault with public access
Run az keyvault update --debug --resource-group {} --name {} --default-action Deny to deny public access
In the portal, the key vault's network tab has the "Allow public access from specific virtual networks and IP addresses" and the "Allow trusted Microsoft services to bypass this firewall" is checked.

Expected Behavior

The bypass value should be none. az keyvault update

Environment Summary

Linux-5.15.90.1-microsoft-standard-WSL2-x86_64-with-glibc2.31, Ubuntu 20.04.5 LTS
Python 3.10.10
Installer: DEB

azure-cli 2.47.0

Extensions:
ssh 1.1.5

Dependencies:
msal 1.20.0
azure-mgmt-resource 22.0.0

Additional Context

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

evelyn-ys commented 1 year ago

Hi @samueleresca, even if CLI doesn't set bypass default value, keyvault service will still set "bypass": "AzureServices".

samueleresca commented 1 year ago

Hi @samueleresca, even if CLI doesn't set bypass default value, keyvault service will still set "bypass": "AzureServices".

@evelyn-rs, is this expect? Do you know what is the right channel to raise this issue?

Azure / azure-cli