Unable to list KeyVault Certificates - Bearer token authentication is not permitted for non-TLS protected (non-https) URLs

[MatthewSteeples]

Describe the bug

On Az CLI version 2.59: trying to list certificates using the Id of the KeyVault results in an error message

Related command

az keyvault certificate list --id /subscriptions/{SubScriptionId/resourceGroups/{resourceGroup}/providers/Microsoft.KeyVault/vaults/{vaultName}

Errors

Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.

Issue script & Debug output

cli.knack.cli: Command arguments: ['keyvault', 'certificate', 'list', '--id', '/subscriptions/aa5a955c-bfd6-43a4-8136-58586adce400/resourceGroups/ls-prod/providers/Microsoft.KeyVault/vaults/lsprod', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x00000270C115B880>, <function OutputProducer.on_global_arguments at 0x00000270C12E6020>, <function CLIQuery.on_global_arguments at 0x00000270C1313BA0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name                  Load Time    Groups  Commands
cli.azure.cli.core: keyvault                  0.007        20       113
cli.azure.cli.core: Total (1)                 0.007        20       113
cli.azure.cli.core: Loaded 20 groups, 113 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command  : keyvault certificate list
cli.azure.cli.core: Command table: keyvault certificate list
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x00000270C423EE80>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\MatthewSteeples\.azure\commands\2024-04-04.08-43-53.keyvault_certificate_list.16196.log'.
az_command_data_logger: command args: keyvault certificate list --id {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x00000270C424B4C0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x00000270C4289440>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x00000270C4289580>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x00000270C12E60C0>, <function CLIQuery.handle_query_parameter at 0x00000270C1313C40>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x00000270C42894E0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\MatthewSteeples\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\MatthewSteeples\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/{tenantId}/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantId}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/{tenantId}/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.azclierror: Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 113, in keyvault_command_handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_transformers.py", line 12, in _multi_transformers
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_transformers.py", line 259, in transform_certificate_list
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_transformers.py", line 259, in <listcomp>
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 123, in __next__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 75, in __next__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/certificates/_generated/v7_4/operations/_key_vault_client_operations.py", line 795, in get_next
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 213, in run
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 70, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 70, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 70, in send
  [Previous line repeated 2 more times]
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_redirect.py", line 181, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_retry.py", line 489, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_retry.py", line 467, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_authentication.py", line 113, in send
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/certificates/_shared/challenge_auth_policy.py", line 67, in on_request
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/certificates/_shared/challenge_auth_policy.py", line 40, in _enforce_tls
azure.core.exceptions.ServiceRequestError: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 135, in keyvault_command_handler
  File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 49, in keyvault_exception_handler
knack.util.CLIError: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.

cli.azure.cli.core.azclierror: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
az_command_data_logger: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x00000270C423F100>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 5.399 seconds (init: 0.254, invoke: 5.144)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3709 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\MatthewSteeples\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.

Expected behavior

Certificates to be output

Environment Summary

{
  "azure-cli": "2.59.0",
  "azure-cli-core": "2.59.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {}
}

Additional context

az keyvault certificate list --vault-name {vaultName} works fine on the same device

[yonzhan]

Thank you for opening this issue, we will look into it.

[rcomanne]

Hi, I saw the same behaviour today when I was trying to list the secrets of a KeyVault.

az keyvault secret list --id /subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}/providers/Microsoft.KeyVault/vaults/${keyVault}

This results in

ERROR: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.

I was running this command in an Azure DevOps pipeline after loggin in with a ServicePrincipal, but it also occured when executing the command locally and being authenticated with Azure.

Environment information

{
  "azure-cli": "2.62.0",
  "azure-cli-core": "2.62.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "aks-preview": "0.5.121",
    "azure-devops": "0.26.0",
    "bastion": "0.3.0",
    "ssh": "2.0.2"
  }
}

[evelyn-ys]

@rcomanne Please use az keyvault secret/certificate list with --vault-name as a workaround. The auth issue with --id is under investigation.

[jpenna]

I received the same error when running the following:

az keyvault role assignment create \
  --role "Key Vault Administrator" \
  --scope "/" \
  --assignee "$OBJECT_ID" \
  --name "$NAME" \
  --id "/subscriptions/$SUBS/resourceGroups/$RG/Microsoft.KeyVault/vaults/$KV"

Also tried with --id "https://$KV.vault.azure.net", but got another error, this time HTTP 404:

<div id="content">
 <div class="content-container"><fieldset>
  <h2>404 - File or directory not found.</h2>
  <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
 </fieldset></div>
</div>

[d13g0s0uz4]

Hello,

Same issue here using the Windows version.

If we try from azure cloud shell it works.

[AndYggdrasil]

Same issue here