Azure / azure-cli

Azure Command-Line Interface
MIT License

az keyvault certificate show --version always returns latest in pwsh #28413

Open nadoylemsft opened 4 months ago

nadoylemsft commented 4 months ago

Describe the bug

When running the command az keyvault certificate show --vault-name $vaultname --name $certname --version ""$certversion""

in pwsh 7.4 (az cli is 2.57.0), the command always returns the latest certificate, rather than the specified version. Running by the --Id works as expected.

Related command

az keyvault certificate show --vault-name $vaultname --name $certname --version ""$certversion""

Errors

No error. Returns incorrect version, always latest.

Issue script & Debug output

az keyvault certificate show --vault-name $VaultName --version "'$CertificateVerion'" --name $certificatename --debug
cli.knack.cli: Command arguments: ['keyvault', 'certificate', 'show', '--vault-name', 'pipelineops', '--version', "''", '--name', 'pipelineopsdemo', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000020B5F47B880>, <function OutputProducer.on_global_arguments at 0x0000020B5F606020>, <function CLIQuery.on_global_arguments at 0x0000020B5F633BA0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: keyvault 0.020 20 113
cli.azure.cli.core: Total (1) 0.020 20 113
cli.azure.cli.core: Loaded 20 groups, 113 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : keyvault certificate show
cli.azure.cli.core: Command table: keyvault certificate show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0000020B6251AA20>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users*.azure\commands\2024-02-20.14-23-44.keyvault_certificate_show.11492.log'.
az_command_data_logger: command args: keyvault certificate show --vault-name {} --version {} --name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x0000020B62556E80>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x0000020B6258CF40>, <function register_cache_arguments..add_cache_arguments at 0x0000020B6258D080>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x0000020B5F6060C0>, <function CLIQuery.handle_query_parameter at 0x0000020B5F633C40>, <function register_ids_argument..parse_ids_arguments at 0x0000020B6258CFE0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\*\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\DoyleNJ.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.us/***/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.us/***/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.us/***/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.us/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.us/***/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.us/***/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.us/***/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.us/***/kerberos', 'tenant_region_scope': 'USGov', 'tenant_region_sub_scope': '', 'cloud_instance_name': 'microsoftonline.us', 'cloud_graph_host_name': 'graph.microsoftazure.us', 'msgraph_host': 'graph.microsoft.us', 'rbac_url': 'https://pasff.usgovcloudapi.net'}
msal.application: Broker enabled? False
urllib3.connectionpool: Starting new HTTPS connection (1): pipelineops.vault.usgovcloudapi.net:443
urllib3.connectionpool: https://.vault.usgovcloudapi.net:443 "GET /certificates/pipelineopsdemo/%27%27?api-version=7.4 HTTP/1.1" 401 97
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://vault.usgovcloudapi.net/.default',), kwargs={'tenant_id': ''}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://vault.usgovcloudapi.net/.default',), claims=None, kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 5b7aa5eb-9c58-4376-8ae8-5805ac848c00
urllib3.connectionpool: https://.vault.usgovcloudapi.net:443 "GET /certificates/pipelineopsdemo/%27%27?api-version=7.4 HTTP/1.1" 200 2462
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x0000020B625560C0>, <function _x509_from_base64_to_hex_transform at 0x0000020B62556160>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
{
  "attributes": {
    "created": "2024-02-20T17:45:27+00:00",
    "enabled": true,
    "expires": "2025-02-20T17:45:27+00:00",
    "notBefore": "2024-02-20T17:35:27+00:00",
    "recoveryLevel": "CustomizedRecoverable+Purgeable",
    "updated": "2024-02-20T17:45:27+00:00"
  },
  "cer": "",
  "contentType": null,
  "id": "https://.vault.usgovcloudapi.net/certificates/pipelineopsdemo/5023970a1b7e4d7b89a68aec9a8856ac",
  "kid": "https://***.vault.usgovcloudapi.net/keys/pipelineopsdemo/5023970a1b7e4d7b89a68aec9a8856ac",
  "name": "pipelineopsdemo",
  "policy": {
    "attributes": {
      "created": "2024-02-14T18:54:45+00:00",
      "enabled": true,
      "expires": null,
      "notBefore": null,
      "recoveryLevel": null,
      "updated": "2024-02-20T17:45:26+00:00"
    },
    "id": "https://***.vault.usgovcloudapi.net/certificates/pipelineopsdemo/policy",
    "issuerParameters": {
      "certificateTransparency": null,
      "certificateType": null,
      "name": "Self"
    },
    "keyProperties": {
      "curve": null,
      "exportable": true,
      "keySize": 2048,
      "keyType": "RSA",
      "reuseKey": false
    },
    "lifetimeActions": [
      {
        "action": {
          "actionType": "AutoRenew"
        },
        "trigger": {
          "daysBeforeExpiry": null,
          "lifetimePercentage": 80
        }
      }
    ],
    "secretProperties": {
      "contentType": "application/x-pkcs12"
    },
    "x509CertificateProperties": {
      "ekus": [
        "1.3.6.1.5.5.7.3.1",
        "1.3.6.1.5.5.7.3.2"
      ],
      "keyUsage": [
        "digitalSignature",
        "keyEncipherment"
      ],
      "subject": "CN=",
      "subjectAlternativeNames": {
        "dnsNames": [
          ""
        ],
        "emails": null,
        "upns": null
      },
      "validityInMonths": 12
    }
  },
  "sid": "https://***.vault.usgovcloudapi.net/secrets/pipelineopsdemo/5023970a1b7e4d7b89a68aec9a8856ac",
  "tags": {},
  "x509Thumbprint": "***",
  "x509ThumbprintHex": "6D4EDD13D7053D0DC0563C291DAD0F1783823E61"
}
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0000020B6251ACA0>]
az_command_data_logger: exit code: 0
cli.main: Command ran in 2.279 seconds (init: 0.687, invoke: 1.592)
cli.azure.cli.core.decorators: Suppress exception:
Traceback (most recent call last):
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 62, in
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/main.py", line 55, in
SystemExit: 0

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/decorators.py", line 79, in _wrapped_func
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/telemetry.py", line 532, in _get_secrets_warning_config
  File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/config.py", line 147, in getboolean
ValueError: Not a boolean: None

telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3382 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry__init__.pyc C:\Users***.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

It returns the correct version of the certificate

Environment Summary

az cli 2.57.0
pwsh 7.4.1

Additional context

Tested in PowerShell 5.1 and against multiple tenants in MAG.

yonzhan commented 4 months ago

Thank you for opening this issue, we will look into it.

evelyn-ys commented 4 months ago

az keyvault certificate show --vault-name $VaultName --version "'$CertificateVerion'" --name $certificatename --debug
cli.knack.cli: Command arguments: ['keyvault', 'certificate', 'show', '--vault-name', 'pipelineops', '--version', "''", '--name', 'pipelineopsdemo', '--debug']

Per your debug log we can see that the version isn't passed in to CLI. The value is "''". Please try "$CertificateVerion" instead of "'$CertificateVerion'". See my example: image
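
In the debug log above, --version reaches the CLI as '' and the command still exits 0 with a certificate, so a script that pins a version gets no signal that the pin was ignored. The PowerShell guard below is an added example, not code from this issue or from azure-cli: Get-PinnedCertificate is a hypothetical helper, the 32-hex-character version pattern is an assumption based on the id in the issue's output, and the usage values are placeholders.

```powershell
# Added example, not part of the issue thread. Get-PinnedCertificate is a
# hypothetical helper; vault, certificate and version values are placeholders.

# A variable that was never set expands to an empty string inside double
# quotes. Strict mode turns that reference into a terminating error in the
# calling script, before az is ever invoked.
Set-StrictMode -Version Latest

function Get-PinnedCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name,
        # Assumption: version ids are 32 hex characters, like the last path
        # segment of "id" in the issue's output. Rejects '', "''" and any
        # value that still carries stray quote characters.
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F]{32}$')]
        [string] $Version
    )

    $raw = az keyvault certificate show --vault-name $VaultName --name $Name --version $Version --output json
    if ($LASTEXITCODE -ne 0) {
        throw "az keyvault certificate show failed with exit code $LASTEXITCODE"
    }
    # az writes the JSON over several lines; join them before parsing.
    $cert = $raw | Out-String | ConvertFrom-Json

    # The last path segment of "id" is the version that was actually served.
    # Compare it with the requested one instead of trusting exit code 0.
    $served = ($cert.id -split '/')[-1]
    if ($served -ne $Version) {
        throw "Requested version $Version but the vault returned $served"
    }
    return $cert
}

# Usage (placeholder values):
# $cert = Get-PinnedCertificate -VaultName 'example-vault' -Name 'example-cert' `
#     -Version '0123456789abcdef0123456789abcdef'
```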