Open nadoylemsft opened 4 months ago
Thank you for opening this issue, we will look into it.
az keyvault certificate show --vault-name $VaultName --version "'$CertificateVerion'" --name $certificatename --debug
cli.knack.cli: Command arguments: ['keyvault', 'certificate', 'show', '--vault-name', 'pipelineops', '--version', "''", '--name', 'pipelineopsdemo', '--debug']
Per your debug log we can see that the version isn't passed in to CLI. The value is "''".
Please try "$CertificateVerion" instead of "'$CertificateVerion'". See my example:
Describe the bug
When running the command az keyvault certificate show --vault-name $vaultname --name $certname --version ""$certversion"" in pwsh 7.4 (az cli is 2.57.0), the command always returns the latest certificate, rather than the specified version. Running by the --Id works as expected.
Related command
az keyvault certificate show --vault-name $vaultname --name $certname --version ""$certversion""
Errors
No error. Returns incorrect version, always latest.
Issue script & Debug output
az keyvault certificate show --vault-name $VaultName --version "'$CertificateVerion'" --name $certificatename --debug
cli.knack.cli: Command arguments: ['keyvault', 'certificate', 'show', '--vault-name', 'pipelineops', '--version', "''", '--name', 'pipelineopsdemo', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000020B5F47B880>, <function OutputProducer.on_global_arguments at 0x0000020B5F606020>, <function CLIQuery.on_global_arguments at 0x0000020B5F633BA0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: keyvault 0.020 20 113
cli.azure.cli.core: Total (1) 0.020 20 113
cli.azure.cli.core: Loaded 20 groups, 113 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : keyvault certificate show
cli.azure.cli.core: Command table: keyvault certificate show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0000020B6251AA20>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users*.azure\commands\2024-02-20.14-23-44.keyvault_certificate_show.11492.log'.
az_command_data_logger: command args: keyvault certificate show --vault-name {} --version {} --name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x0000020B62556E80>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x0000020B6258CF40>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x0000020B6258D080>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0000020B5F6060C0>, <function CLIQuery.handle_query_parameter at 0x0000020B5F633C40>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x0000020B6258CFE0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\* \.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\DoyleNJ.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.us/***/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.us/***/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.us/***/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.us/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.us/***/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.us/***/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.us/***/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.us/***/kerberos', 'tenant_region_scope': 'USGov', 'tenant_region_sub_scope': '', 'cloud_instance_name': 'microsoftonline.us', 'cloud_graph_host_name': 'graph.microsoftazure.us', 'msgraph_host': 'graph.microsoft.us', 'rbac_url': 'https://pasff.usgovcloudapi.net'}
msal.application: Broker enabled? False
urllib3.connectionpool: Starting new HTTPS connection (1): pipelineops.vault.usgovcloudapi.net:443
urllib3.connectionpool: https://.vault.usgovcloudapi.net:443 "GET /certificates/pipelineopsdemo/%27%27?api-version=7.4 HTTP/1.1" 401 97
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://vault.usgovcloudapi.net/.default',), kwargs={'tenant_id': ''}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://vault.usgovcloudapi.net/.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 5b7aa5eb-9c58-4376-8ae8-5805ac848c00
urllib3.connectionpool: https://.vault.usgovcloudapi.net:443 "GET /certificates/pipelineopsdemo/%27%27?api-version=7.4 HTTP/1.1" 200 2462
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x0000020B625560C0>, <function _x509_from_base64_to_hex_transform at 0x0000020B62556160>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
{
  "attributes": {
    "created": "2024-02-20T17:45:27+00:00",
    "enabled": true,
    "expires": "2025-02-20T17:45:27+00:00",
    "notBefore": "2024-02-20T17:35:27+00:00",
    "recoveryLevel": "CustomizedRecoverable+Purgeable",
    "updated": "2024-02-20T17:45:27+00:00"
  },
  "cer": "",
  "contentType": null,
  "id": "https://.vault.usgovcloudapi.net/certificates/pipelineopsdemo/5023970a1b7e4d7b89a68aec9a8856ac",
  "kid": "https://***.vault.usgovcloudapi.net/keys/pipelineopsdemo/5023970a1b7e4d7b89a68aec9a8856ac",
  "name": "pipelineopsdemo",
  "policy": {
    "attributes": {
      "created": "2024-02-14T18:54:45+00:00",
      "enabled": true,
      "expires": null,
      "notBefore": null,
      "recoveryLevel": null,
      "updated": "2024-02-20T17:45:26+00:00"
    },
    "id": "https://***.vault.usgovcloudapi.net/certificates/pipelineopsdemo/policy",
    "issuerParameters": {
      "certificateTransparency": null,
      "certificateType": null,
      "name": "Self"
    },
    "keyProperties": {
      "curve": null,
      "exportable": true,
      "keySize": 2048,
      "keyType": "RSA",
      "reuseKey": false
    },
    "lifetimeActions": [
      {
        "action": {
          "actionType": "AutoRenew"
        },
        "trigger": {
          "daysBeforeExpiry": null,
          "lifetimePercentage": 80
        }
      }
    ],
    "secretProperties": {
      "contentType": "application/x-pkcs12"
    },
    "x509CertificateProperties": {
      "ekus": [
        "1.3.6.1.5.5.7.3.1",
        "1.3.6.1.5.5.7.3.2"
      ],
      "keyUsage": [
        "digitalSignature",
        "keyEncipherment"
      ],
      "subject": "CN=",
      "subjectAlternativeNames": {
        "dnsNames": [
          ""
        ],
        "emails": null,
        "upns": null
      },
      "validityInMonths": 12
    }
  },
  "sid": "https://***.vault.usgovcloudapi.net/secrets/pipelineopsdemo/5023970a1b7e4d7b89a68aec9a8856ac",
  "tags": {},
  "x509Thumbprint": "***",
  "x509ThumbprintHex": "6D4EDD13D7053D0DC0563C291DAD0F1783823E61"
}
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0000020B6251ACA0>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 2.279 seconds (init: 0.687, invoke: 1.592)
cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 62, in
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 55, in
SystemExit: 0
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/decorators.py", line 79, in _wrapped_func
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/telemetry.py", line 532, in _get_secrets_warning_config
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/config.py", line 147, in getboolean
ValueError: Not a boolean: None
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3382 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry__init__.pyc C:\Users***.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
It returns the correct version of the certificate
Environment Summary
az cli 2.57.0 pwsh 7.4.1
Additional context
Tested in PowerShell 5.1 and against multiple tenants in MAG.
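An added example (not from this thread and not Azure CLI code): a PowerShell guard that rejects a `--version` value such as the `''` seen in the debug log before it reaches `az`, and confirms that the `id` returned by the vault ends with the requested version instead of silently accepting the latest one. The function names, the 32-hex-character version pattern (taken from the `id` shown in the output above) and the sample JSON are assumptions constructed for illustration.

```powershell
# Added example; function names and sample JSON are constructed, not from Azure CLI.
Set-StrictMode -Version Latest  # an unset variable, even inside "...", now throws instead of expanding to nothing

function Test-ReturnedCertificateVersion {
    param(
        # Assumption: version ids are 32 hex characters, like the one in the "id" field above.
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F]{32}$')][string]$RequestedVersion,
        [Parameter(Mandatory)][string]$CertificateJson
    )
    $cert = $CertificateJson | ConvertFrom-Json
    $returned = ($cert.id -split '/')[-1]   # last path segment of the certificate id
    if ($returned -ne $RequestedVersion) {
        throw "Requested version $RequestedVersion but the vault returned $returned"
    }
    $cert
}

function Get-PinnedCertificate {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F]{32}$')][string]$Version
    )
    # Plain double quotes only, as suggested in the reply above; no embedded single quotes.
    $json = az keyvault certificate show --vault-name $VaultName --name $Name --version "$Version" --output json
    if ($LASTEXITCODE -ne 0) { throw "az exited with code $LASTEXITCODE" }
    Test-ReturnedCertificateVersion -RequestedVersion $Version -CertificateJson ($json | Out-String)
}

# Offline check against constructed input (no call to Azure is made here).
$sample = '{"id":"https://example.invalid/certificates/pipelineopsdemo/5023970a1b7e4d7b89a68aec9a8856ac"}'
$cases  = @('5023970a1b7e4d7b89a68aec9a8856ac', "''", ('0' * 32))
foreach ($v in $cases) {
    try {
        $null = Test-ReturnedCertificateVersion -RequestedVersion $v -CertificateJson $sample
        "accepted: $v"
    } catch {
        # "''" fails the pattern check; the all-zero id fails the returned-version comparison.
        "rejected: $v ($($_.Exception.Message))"
    }
}
```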