Azure / azure-cli

Azure Command-Line Interface
MIT License

`az apim nv` doesn't provide parameters for configuring Key Vault secrets #27822

Open jamesmcroft opened 9 months ago

jamesmcroft commented 9 months ago

Describe the bug

When using the Azure CLI, it is not currently possible to configure a named variable within API Management that uses Azure Key Vault secret values.

This functionality exists at the REST API documented here but appears to be missing as a parameter in the CLI specifically.

Related command

az apim nv

Errors

ERROR: unrecognized arguments: --keyvault {

Examples from AI knowledge base:
az apim nv create --service-name MyApim --resource-group MyResourceGroup --named-value-id MyNamedValue --display-name 'My Named Value' --value 'foo'
Create a Named Value.

az apim nv create --display-name 'My Named Value' --named-value-id MyNamedValue --resource-group MyResourceGroup --secret true --service-name MyApim --value 'foo'
Create an API Management Named Value. (autogenerated)

https://docs.microsoft.com/en-US/cli/azure/apim/nv#az_apim_nv_create
Read more about the command in reference docs

Issue script & Debug output

$keyVaultContract = @{
    identityClientId = $managedIdentityClientId
    secretIdentifier = $secretIdentifier
} | ConvertTo-Json

az apim nv create --resource-group $resourceGroup --service-name $apiManagement --named-value-id $nvName --display-name $nvName --keyvault $keyVaultContract --debug

ERROR: unrecognized arguments: --keyvault {

Examples from AI knowledge base:
az apim nv create --service-name MyApim --resource-group MyResourceGroup --named-value-id MyNamedValue --display-name 'My Named Value' --value 'foo'
Create a Named Value.

az apim nv create --display-name 'My Named Value' --named-value-id MyNamedValue --resource-group MyResourceGroup --secret true --service-name MyApim --value 'foo'
Create an API Management Named Value. (autogenerated)

https://docs.microsoft.com/en-US/cli/azure/apim/nv#az_apim_nv_create
Read more about the command in reference docs

Expected behavior

When providing a Key Vault contract object as described in the REST API documentation for API Management named variables, the CLI should accept this value and configure the named variable in Azure.

Environment Summary

azure-cli 2.53.0 *

core 2.53.0 *
telemetry 1.1.0

Extensions:
resource-graph 2.1.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\jamescroft.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:20:36) [MSC v.1929 64 bit (AMD64)]

Additional context

No response

azure-client-tools-bot-prd[bot] commented 9 months ago

Hi @jamesmcroft,

2.53.0 is not the latest Azure CLI(2.53.1).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 9 months ago

Thank you for opening this issue, we will look into it.

jamesmcroft commented 9 months ago

More than happy to help contribute to fixing this if needed.

jamesmcroft commented 9 months ago

I wanted to also add here, I'm finding myself needing to use az rest for a lot of the supported APIs for APIM (e.g., backends, policies, etc.) which are not available in the az apim CLI.

aldodfm commented 9 months ago

Same here! I was looking to update some name values using az cli and link a keyvault secret...: az apim nv update --service-name "z-xxx-xxx-dv-ew-apim02" -g "z-xxx-xxx-dv01-ew-01" --named-value-id "mapping" and there is no way to do it :s

jamesmcroft commented 9 months ago

> Same here! I was looking to update some name values using az cli and link a keyvault secret...: az apim nv update --service-name "z-xxx-xxx-dv-ew-apim02" -g "z-xxx-xxx-dv01-ew-01" --named-value-id "mapping" and there is no way to do it :s

@aldodfm

You can use az rest to do the update, but it does require you to construct the request body.

The endpoint is as follows, replacing any $-prefixed parts with your specific deployment:
https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.ApiManagement/service/$apiManagement/namedValues/$namedValue?api-version=2022-08-01

The request body is simply a JSON object representing:

{
    "properties": {
        "displayName": "$namedValue",
        "secret": true,
        "keyVault": {
            "identityClientId": "$managedIdentityClientId",
            "secretIdentifier": "$keyVaultSecretUri"
        }
    }
}

The CLI to call is: az rest --uri $endpoint --method PUT --body $requestBody --headers "Content-Type=application/json"

Not the most elegant, but does allow you to stay in the flow using the Azure CLI.
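The workaround in the comment above, assembled into one PowerShell script. This is an added example, not code from the original comment or from the Azure CLI project. Every resource name, the client ID and the vault URI are placeholders, and the URI check is an assumed sanity check rather than the service's own validation. The body is passed through a temporary file because PowerShell's native-command argument passing can mangle the double quotes inside a JSON string.

```powershell
# Placeholder values: replace with your own deployment's details.
$resourceGroup           = 'MyResourceGroup'
$apiManagement           = 'MyApim'
$namedValue              = 'MyNamedValue'
$managedIdentityClientId = '00000000-0000-0000-0000-000000000000'
$keyVaultSecretUri       = 'https://myvault.vault.azure.net/secrets/my-secret'

# Assumed sanity check: only accept an https URI of the form /secrets/<name>[/<version>],
# so a typo or a plain-text secret value is never stored as the reference.
$uri = [Uri]$keyVaultSecretUri
if ($uri.Scheme -ne 'https' -or $uri.AbsolutePath -notmatch '^/secrets/[^/]+(/[^/]+)?$') {
    throw "Not a Key Vault secret identifier: $keyVaultSecretUri"
}

$subscriptionId = az account show --query id --output tsv
if ($LASTEXITCODE -ne 0) { throw 'az account show failed; run az login first.' }

# ${namedValue} is braced because '?' is a legal character in a PowerShell
# variable name, so "$namedValue?api-version" would expand the wrong variable.
$endpoint = "https://management.azure.com/subscriptions/$subscriptionId" +
    "/resourceGroups/$resourceGroup/providers/Microsoft.ApiManagement" +
    "/service/$apiManagement/namedValues/${namedValue}?api-version=2022-08-01"

# Same request body as in the comment above; only the reference to the secret
# is sent, never the secret value itself.
$requestBody = @{
    properties = @{
        displayName = $namedValue
        secret      = $true
        keyVault    = @{
            identityClientId = $managedIdentityClientId
            secretIdentifier = $keyVaultSecretUri
        }
    }
} | ConvertTo-Json -Depth 5

# az rest loads the body from a file when the value starts with '@'.
$bodyFile = New-TemporaryFile
try {
    Set-Content -Path $bodyFile -Value $requestBody -Encoding utf8
    az rest --uri $endpoint --method PUT --body "@$bodyFile" --headers 'Content-Type=application/json'
    if ($LASTEXITCODE -ne 0) { throw "az rest failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item -Path $bodyFile -ErrorAction SilentlyContinue
}
```

The managed identity named in identityClientId must be allowed to read secrets from the vault, otherwise the named value cannot resolve the reference.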

RobBowman commented 4 months ago

@jamesmcroft I have a problem when implementing the suggested work-around: https://stackoverflow.com/questions/78298862/az-cli-to-create-an-apim-named-value-that-references-a-key-vault-secret.

Would be grateful for any pointers.

kristianschneider commented 2 months ago

Hi @yonzhan, what's the status on this? Would be nice to be able to unify the interaction with APIM using az commands.