Azure / azure-cli

Azure Command-Line Interface
MIT License

Azure SQL Auditing Not Working With Managed Identity Authentication Type #30081

Open CSanches opened 1 week ago

CSanches commented 1 week ago

Describe the bug

The MS wiki says to provide an empty value for the "--storage-key" parameter to use the Managed Identity authentication type: https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing-managed-identity?view=azuresql&tabs=azure-cli

But when we do the same using Azure CLI, it fails with the below error message:

In text: az : ERROR: argument --storage-key: expected one argument At line:2 char:1

Examples from AI knowledge base: az sql server audit-policy update --resource-group mygroup --name myserver --state Disabled Disable an auditing policy. https://docs.microsoft.com/en-US/cli/azure/sql/server/audit-policy#az_sql_server_audit_policy_update Read more about the command in reference docs

Related command

az sql server audit-policy Update --name $AzServerName --resource-group $PortalResourceGroup --subscription $PortalSubscriptionName --state Enabled --storage-key "" --blob-storage-target-state Enabled --storage-endpoint $StorageEndpoint --retention-days $RetentionDays --debug

Errors

az : ERROR: argument --storage-key: expected one argument At line:2 char:1

Examples from AI knowledge base: az sql server audit-policy update --resource-group mygroup --name myserver --state Disabled Disable an auditing policy. https://docs.microsoft.com/en-US/cli/azure/sql/server/audit-policy#az_sql_server_audit_policy_update Read more about the command in reference docs

Issue script & Debug output

az : DEBUG: cli.knack.cli: Command arguments: ['sql', 'server', 'audit-policy', 'Update', '--name', 'azdbdp-00123-xxxxxxxx', '--resource-group', 'RG-6393-777X-XXXX-XXXX', '--subscription', 'AZ-PRO-IT-XXXXXXX', '--state', 'Enabled', '--storage-key', '--blob-storage-target-state', 'Enabled', '--storage-endpoint', 'auditazdbdxxxxxxxxxx', '--retention-days', '90', '--debug'] At line:2 char:1

DEBUG: cli.knack.cli: init debug log: Cannot enable color.
DEBUG: cli.knack.cli: Event: Cli.PreExecute []
DEBUG: cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0000021E317DFD80>, <function OutputProducer.on_global_arguments at 0x0000021E319840E0>, <function CLIQuery.on_global_arguments at 0x0000021E319ADC60>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
DEBUG: cli.azure.cli.core: Modules found from index for 'sql': ['azure.cli.command_modules.sql', 'azure.cli.command_modules.sqlvm']
DEBUG: cli.azure.cli.core: Loading command modules:
DEBUG: cli.azure.cli.core: Name Load Time Groups Commands
DEBUG: cli.azure.cli.core: sql 0.423 56 215
DEBUG: cli.azure.cli.core: sqlvm 0.040 4 20
DEBUG: cli.azure.cli.core: Total (2) 0.463 60 235
DEBUG: cli.azure.cli.core: Loaded 59 groups, 235 commands.
DEBUG: cli.azure.cli.core: Found a match in the command table.
DEBUG: cli.azure.cli.core: Raw command : sql server audit-policy update
DEBUG: cli.azure.cli.core: Command table: sql server audit-policy update
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0000021E33C280E0>]
DEBUG: cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\saocsanc.azure\commands\2024-10-14.14-47-00.sql_server_audit-policy_Update.10676.log'.
INFO: az_command_data_logger: command args: sql server audit-policy update --name {} --resource-group {} --subscription {} --state {} --storage-key --blob-storage-target-state {} --storage-endpoint {} --retention-days {} --debug
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x0000021E33CB0AE0>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x0000021E33CB0B80>, <function register_cache_arguments..add_cache_arguments at 0x0000021E33CB0CC0>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x0000021E33CB0D60>]
DEBUG: cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
DEBUG: cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
DEBUG: urllib3.connectionpool: Starting new HTTPS connection (1): app.aladdin.microsoft.com:443
DEBUG: urllib3.connectionpool: https://app.aladdin.microsoft.com:443 "GET /api/v1.0/suggestions?query=%7B%22command%22%3A+%22sql+server+audit-policy+update%22%2C+%22parameters%22%3A+%22--blob-storage-target-state%2C--retention-days%2C--name%2C--state%2C--storage-endpoint%2C--resource-group%2C--subscription%2C--storage-key%22%7D&clientType=AzureCli&context=%7B%22versionNumber%22%3A+%222.65.0%22%2C+%22errorType%22%3A+%22ExpectedArgument%22%2C+%22correlationId%22%3A+%2226f7b22c-6193-4d17-9bb8-dbe2216fd700%22%2C+%22subscriptionId%22%3A+%228fa3aaf6-678e-4e42-9576-291ec0d20c25%22%2C+%22eventId%22%3A+%22dfbe2f26-e58f-4709-8cc6-e3fff8819d0c%22%7D HTTP/1.1" 200 None
DEBUG: cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "argparse.py", line 1902, in parse_known_args
File "argparse.py", line 2114, in _parse_known_args
File "argparse.py", line 2044, in consume_optional
File "argparse.py", line 2208, in _match_argument
argparse.ArgumentError: argument --storage-key: expected one argument
ERROR: cli.azure.cli.core.azclierror: argument --storage-key: expected one argument
ERROR: az_command_data_logger: argument --storage-key: expected one argument
Examples from AI knowledge base: az sql server audit-policy update --resource-group mygroup --name myserver --state Disabled Disable an auditing policy. https://docs.microsoft.com/en-US/cli/azure/sql/server/audit-policy#az_sql_server_audit_policy_update Read more about the command in reference docs
DEBUG: cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0000021E33C28360>]
INFO: az_command_data_logger: exit code: 2
INFO: cli.main: Command ran in 2.502 seconds (init: 0.746, invoke: 1.756)
INFO: telemetry.main: Begin splitting cli events and extra events, total events: 1
INFO: telemetry.client: Accumulated 0 events. Flush the clients.
INFO: telemetry.main: Finish splitting cli events and extra events, cli events: 1
INFO: telemetry.save: Save telemetry record of length 3899 in cache file under C:\Users\saocsanc.azure\telemetry\20241014144702564
INFO: telemetry.main: Begin creating telemetry upload process.
INFO: telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry__init__.pyc C:\Users\saocsanc.azure C:\Users\saocsanc.azure\telemetry\20241014144702564"
INFO: telemetry.process: Return from creating process 7364
INFO: telemetry.main: Finish creating telemetry upload process.

Expected behavior

The az sql server audit-policy Update command should complete successfully, enabling Azure SQL Auditing on the storage account with Managed Identity authentication.

Environment Summary

azure-cli 2.65.0

core 2.65.0
telemetry 1.1.0

Dependencies:
msal 1.31.0
azure-mgmt-resource 23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\saocsanc.azure\cliextensions'

Python (Windows) 3.11.8 (tags/v3.11.8:db85d51, Feb 6 2024, 22:03:32) [MSC v.1937 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response
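The debug output in the report above lists the arguments as the CLI received them, and no token follows '--storage-key'. The following is an added example, not part of the original issue and not azure-cli code, that reproduces the argparse failure from that list and shows that an explicit empty-string token parses; the parser is a stand-in, and `options_missing_value`, `with_empty_value` and `parse_error` are hypothetical helper names.

```python
import argparse

# Argument list as the issue's debug output shows it reaching the CLI (command
# words omitted). Nothing follows '--storage-key'.
ARGV_FROM_DEBUG_LOG = [
    "--name", "azdbdp-00123-xxxxxxxx", "--resource-group", "RG-6393-777X-XXXX-XXXX",
    "--subscription", "AZ-PRO-IT-XXXXXXX", "--state", "Enabled",
    "--storage-key",
    "--blob-storage-target-state", "Enabled",
    "--storage-endpoint", "auditazdbdxxxxxxxxxx", "--retention-days", "90", "--debug",
]
VALUE_OPTIONS = ["--name", "--resource-group", "--subscription", "--state", "--storage-key",
                 "--blob-storage-target-state", "--storage-endpoint", "--retention-days"]


class RaisingParser(argparse.ArgumentParser):
    def error(self, message):  # raise instead of exiting so the message can be inspected
        raise ValueError(message)


def build_parser():
    # Stand-in parser (assumption, not azure-cli's own): every option takes one value.
    parser = RaisingParser(prog="az", add_help=False)
    for opt in VALUE_OPTIONS:
        parser.add_argument(opt)
    parser.add_argument("--debug", action="store_true")
    return parser


def options_missing_value(argv):
    """Value-taking options that are last or directly followed by another option."""
    return [tok for i, tok in enumerate(argv)
            if tok in VALUE_OPTIONS and (i + 1 == len(argv) or argv[i + 1].startswith("--"))]


def with_empty_value(argv, option):
    """Copy of argv with an explicit empty-string token inserted after `option`."""
    i = argv.index(option)
    return argv[:i + 1] + [""] + argv[i + 1:]


def parse_error(argv):
    """Return argparse's error message for argv, or None if it parses."""
    try:
        build_parser().parse_args(argv)
    except ValueError as exc:
        return str(exc)
    return None
```

Windows PowerShell 5.1 drops empty-string arguments when it launches a native executable, which is consistent with the argument list in the log.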

yonzhan commented 1 week ago

Thank you for opening this issue, we will look into it.

microsoft-github-policy-service[bot] commented 1 week ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @azureSQLGitHub.