Closed iainfoulds closed 3 years ago
@devigned can you take a look? The "regular" keyvault commands look up the resource group from the keyvault name. It may be that one of the code paths ends up not doing this?
@tjprescott just ran the same thing against master and it worked... Hmm, what's going on?
Furthermore: shall I file an issue for this? The help does not say what is done with whatever is passed here. THEN in addition, there's a vm format-secret
that does something FOR This argument, but WHAT is done is not described.
--secrets : One or many Key Vault secrets as JSON strings or files via
'@<file path>' containing '[{ "sourceVault": { "id":
"value" }, "vaultCertificates": [{ "certificateUrl":
"value", "certificateStore": "cert store name (only on
windows)"}] }]'.
Okay, there's something in capitalization in resources. If I just go with straight all-lowercase names, this works (I appended my initials to the vault name to make it unique):
az keyvault create --resource-group resourcegroupname --name vaultnameikf --enabled-for-deployment
az keyvault certificate create --vault-name vaultnameikf -n cert1 \
-p “$(az keyvault certificate get-default-policy)”
secrets=$(az keyvault secret list-versions --vault-name vaultnameikf \
-n cert1 --query “[?attributes.enabled].id” -o tsv)
vm_secrets=$(az vm format-secret -s “$secrets”)
By twist of fate, we have naming conventions in our docs that typically uses camel-casing. As such, the following fails with the error initially noted:
az keyvault create --resource-group myResourceGroup --name myVaultIKF --enabled-for-deployment
az keyvault certificate create --vault-name myVaultIKF -n cert1 \
-p “$(az keyvault certificate get-default-policy)”
secrets=$(az keyvault secret list-versions --vault-name myVaultIKF \
-n cert1 --query “[?attributes.enabled].id” -o tsv)
vm_secrets=$(az vm format-secret -s “$secrets”)
So yes, it does work, but it seems case sensitive. Does this help narrow things down at all?
case-sensitive is considered BAD, as nothing else in the resource system is case-sensitive: resource groups, image names, vm names, whatever casing you pass is preserved for usage, but whatever you ASK for is given to you insensitively.
BTW, @iainfoulds, what do you mean, "work"? What happens? Where do these values end up on the VM?
@squillace Secrets are dropped in to /var/lib/waagent
on the VM. For this example, you get a .crt and .prv placed there.
to what end? what happens?
I'm just going on what the help says: nothing. one, doesn't say what's going to happen. Two, doesn't say what you should do with them there. Three, doesn't say anything about any other kind of secrets.
Beyond placing the secrets on the VM? Nothing.
One scenario I'm looking to build out is drop a cert on the VM during deployment, then apply that cert to NGINX site. So, rather than baking certs in to the image, you would pull them from Key Vault. If the cert needs to be renewed or rolled, you don't have to update an entire image to accommodate.
But, back to original issue - yes, case sensitivity isn't great. Hopefully that gives some pointers as to where to look for a fix.
@squillace I like to use this flow to provision an identity onto the machine so that I can access Azure resources like DocumentDb keys or Storage keys via config management tools.
@iainfoulds perhaps, we should be run a to_lower on any incoming string to find the resource group.
Thank you for the details!
@squillace It would be really nice if you could provide a name to the secret, so you could reference the cert by name instead of by fingerprint. It would make rolling the certificate so much easier.
So, is the idea here that it drops "something" on the machine, and cloud-init (in the Linux case) does something with it? What? How do you process these "things" once they get there? I'm waiting to understand how this is not merely customscript, with which I can also pull things.... (ignoring that with that I have to pull the secret in the cli first and then push it with customscript to do something....)
@squillace the point is that you'd have to push this in a custom script. When you do that you have to access to the secret and pull it down to semi secure environment (your dev or deployment machine). In the vm-secrets model, fabric puts the secret onto the machine, so it never touches the outside world.
Still no fix available for this ? I ran into this problem with Azure CLI version 2.0.20.
close stable issue. feel free to create new issue if any error met. thanks.
Environment summary
Install Method: How did you install the CLI? (e.g. pip, interactive script, apt-get, Docker, MSI, nightly)
Docker: docker run -v ${HOME}:/root -it azuresdk/azure-cli-python:latest
CLI Version: What version of the CLI and modules are installed? (Use
az --version
)azure-cli (2.0.2+dev)
acr (2.0.0+dev) acs (2.0.2+dev) appservice (0.1.2+dev) batch (2.0.0+dev) cloud (2.0.0+dev) component (2.0.0+dev) configure (2.0.2+dev) container (0.1.2+dev) core (2.0.2+dev) dla (0.0.1+dev) dls (0.0.1+dev) documentdb (0.1.2+dev) feedback (2.0.0+dev) find (0.0.1b1+dev) iot (0.1.2+dev) keyvault (2.0.0+dev) lab (0.0.1+dev) monitor (0.0.1+dev) network (2.0.2+dev) nspkg (2.0.0+dev) profile (2.0.2+dev) redis (0.1.1b3+dev) resource (2.0.2+dev) role (2.0.1+dev) sql (2.0.0+dev) storage (2.0.2+dev) taskhelp (0.1.1b4+dev) vm (2.0.2+dev)
Python (Linux) 3.5.2 (default, Dec 27 2016, 21:33:11) [GCC 5.3.0]
OS Version: What OS and version are you using?
Alpine 3.4.6
Shell Type: What shell are you using? (e.g. bash, cmd.exe, Bash on Windows)
GNU bash, version 4.3.42(1)-release (x86_64-alpine-linux-musl)
Description
I'm following through the steps add a secret from Key Vault when creating a VM. The steps as indicated in various parts of the CLI help and ref content should be:
When it comes to
az vm format-secret
, I receive the error:Parameter ‘resource_group_name’ can not be None.
. I can't see anything in the commands that have me define a resource group, other than when you first create the Key Vault.$secrets is defined:
Full debug output:
This behavior also replicates on another machine that was installed from latest interactive script rather than Docker image:
'User-Agent': 'python/2.7.6 (Linux-3.4.0+-x86_64-with-Ubuntu-14.04-trusty) requests/2.13.0 msrest/0.4.7 msrest_azure/0.4.7 keyvaultmanagementclient/0.30.0 Azure-SDK-For-Python AZURECLI/2.0.2'