Azure / azure-cli

Azure Command-Line Interface
MIT License

Creating a Certificate in the Azure Key Vault from the command line fails silently #7881

Open akrone-hach opened 5 years ago

akrone-hach commented 5 years ago

Describe the bug

When trying to create a certificate in an existing Key Vault, the command fails silently and no error is displayed. When running the command with the --debug flag, the following output is displayed:

...
INFO: Starting long-running operation 'keyvault certificate create'
DEBUG: msrest.universal_http.requests : Configuring retry: max_retries=4, backoff_factor=0.8, max_backoff=90
DEBUG: msrest.universal_http.requests : Configuring retry: max_retries=4, backoff_factor=0.8, max_backoff=90
DEBUG: msrest.exceptions : Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get'
DEBUG: msrest.exceptions : Unable to build a model: Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get', DeserializationError: Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get'
DEBUG: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x057EA0C0>, <function _x509_from_base64_to_hex_transform at 0x057EA108>]
DEBUG: Event: CommandInvoker.OnFilterResult []
DEBUG: Event: Cli.PostExecute []

To Reproduce

  1. Create a Key Vault with the name "MyTestKeyVault"
  2. Execute the following PowerShell script:
az keyvault certificate get-default-policy | Out-File -Encoding utf8 defaultpolicy.json
$policy = Get-Content  'defaultpolicy.json' -raw | ConvertFrom-Json
$policy.x509CertificateProperties.subject = "CN=SomethingToSecure"
$policy | ConvertTo-Json | Set-Content 'defaultpolicy.json'

az keyvault certificate create --vault-name "MyTestKeyVault" --name "MyCertificate" --policy `@defaultpolicy.json --debug
Remove-Item defaultpolicy.json

Expected behavior

A self-signed certificate is created and enabled in the Key Vault, or an error message is displayed.

Environment summary

Install Method (e.g. pip, interactive script, apt-get, Docker, MSI, edge build)
MSI

CLI version (az --version)

azure-cli (2.0.50)

acr (2.1.8)
acs (2.3.11)
advisor (2.0.0)
ams (0.3.0)
appservice (0.2.6)
backup (1.2.1)
batch (3.4.1)
batchai (0.4.4)
billing (0.2.0)
botservice (0.1.1)
cdn (0.2.0)
cloud (2.1.0)
cognitiveservices (0.2.3)
command-modules-nspkg (2.0.2)
configure (2.0.19)
consumption (0.4.0)
container (0.3.8)
core (2.0.50)
cosmosdb (0.2.3)
dla (0.2.3)
dls (0.1.4)
dms (0.1.1)
eventgrid (0.2.0)
eventhubs (0.3.1)
extension (0.2.3)
feedback (2.1.4)
find (0.2.12)
hdinsight (0.1.0)
interactive (0.4.0)
iot (0.3.4)
iotcentral (0.1.3)
keyvault (2.2.6)
lab (0.1.3)
maps (0.3.2)
monitor (0.2.6)
network (2.2.8)
nspkg (3.0.3)
policyinsights (0.1.0)
profile (2.1.2)
rdbms (0.3.4)
redis (0.3.2)
relay (0.1.2)
reservations (0.4.0)
resource (2.1.6)
role (2.1.9)
search (0.1.1)
servicebus (0.3.2)
servicefabric (0.1.7)
signalr (1.0.0)
sql (2.1.5)
storage (2.2.4)
telemetry (1.0.0)
vm (2.2.7)

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\akrone\.azure\cliextensions'

Python (Windows) 3.6.6 (v3.6.6:4cf1f54eb7, Jun 27 2018, 02:47:15) [MSC v.1900 32 bit (Intel)]

OS version
Windows 10 Pro 64-bit (10.0, Build 16299)

Shell Type (e.g. bash, cmd.exe, Bash on Windows)
PowerShell

Additional context

The default policy is written to a file because of how PowerShell encodes the JSON data. Reference: https://github.com/Azure/azure-cli/issues/4626

yugangw-msft commented 5 years ago

7846 should fix it. Please verify again on this Wednesday using the latest and let me know if you still see the problem

akrone-hach commented 5 years ago

@yugangw-msft Awesome! I'll give it a try. Just so I'm clear, the latest edge build should fix this and not the latest MSI installer version (2.0.50), correct?

yugangw-msft commented 5 years ago

Not the 2.0.50, rather the 2.0.51 to be released tomorrow. Stay tuned.

akrone-hach commented 5 years ago

@yugangw-msft Saw that the MSI for 2.0.51 was released and gave it a try. The Create Cert still isn't working for me and the error message from the CLI didn't change and isn't helpful. Here's the dump of the output from the az keyvault certificate create command:

3480 : 2018-11-20 15:48:19,985 : DEBUG : cli.knack.log : File logging enabled - writing logs to 'C:\Users\akrone\.azure\logs'.
3480 : 2018-11-20 15:48:19,985 : DEBUG : cli.knack.cli : Command arguments: ['keyvault', 'certificate', 'create', '--vault-name', 'aaronkrone5-SF-Keyvault', '--name', 'aaronkrone5', '--policy', '@defaultpolicy.json', '--debug']
3480 : 2018-11-20 15:48:19,986 : DEBUG : cli.knack.cli : Event: Cli.PreExecute []
3480 : 2018-11-20 15:48:19,986 : DEBUG : cli.knack.cli : Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x05BAAE40>, <function OutputProducer.on_global_arguments at 0x05BDCA98>, <function CLIQuery.on_global_arguments at 0x05AC96F0>]
3480 : 2018-11-20 15:48:19,987 : DEBUG : cli.azure.cli.core.util : attempting to read file defaultpolicy.json as utf-8-sig
3480 : 2018-11-20 15:48:19,987 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreCommandTableCreate []
3480 : 2018-11-20 15:48:19,996 : DEBUG : cli.azure.cli.core : Installed command modules ['acr', 'acs', 'advisor', 'ams', 'appservice', 'backup', 'batch', 'batchai', 'billing', 'botservice', 'cdn', 'cloud', 'cognitiveservices', 'configure', 'consumption', 'container', 'cosmosdb', 'dla', 'dls', 'dms', 'eventgrid', 'eventhubs', 'extension', 'feedback', 'find', 'hdinsight', 'interactive', 'iot', 'iotcentral', 'keyvault', 'lab', 'maps', 'monitor', 'network', 'policyinsights', 'profile', 'rdbms', 'redis', 'relay', 'reservations', 'resource', 'role', 'search', 'servicebus', 'servicefabric', 'signalr', 'sql', 'storage', 'vm']
3480 : 2018-11-20 15:48:20,001 : DEBUG : cli.azure.cli.core : Loaded module 'acr' in 0.004 seconds.
3480 : 2018-11-20 15:48:20,005 : DEBUG : cli.azure.cli.core : Loaded module 'acs' in 0.004 seconds.
3480 : 2018-11-20 15:48:20,007 : DEBUG : cli.azure.cli.core : Loaded module 'advisor' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,008 : DEBUG : cli.knack.cli : Event: CommandLoader.OnLoadCommandTable []
3480 : 2018-11-20 15:48:20,013 : DEBUG : cli.azure.cli.core : Loaded module 'ams' in 0.006 seconds.
3480 : 2018-11-20 15:48:20,018 : DEBUG : cli.azure.cli.core : Loaded module 'appservice' in 0.005 seconds.
3480 : 2018-11-20 15:48:20,021 : DEBUG : cli.azure.cli.core : Loaded module 'backup' in 0.003 seconds.
3480 : 2018-11-20 15:48:20,025 : DEBUG : cli.knack.cli : Event: CommandLoader.OnLoadCommandTable []
3480 : 2018-11-20 15:48:20,029 : DEBUG : cli.azure.cli.core : Loaded module 'batch' in 0.008 seconds.
3480 : 2018-11-20 15:48:20,033 : DEBUG : cli.azure.cli.core : Loaded module 'batchai' in 0.003 seconds.
3480 : 2018-11-20 15:48:20,035 : DEBUG : cli.azure.cli.core : Loaded module 'billing' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,040 : DEBUG : cli.azure.cli.core : Loaded module 'botservice' in 0.004 seconds.
3480 : 2018-11-20 15:48:20,041 : DEBUG : cli.knack.cli : Event: CommandLoader.OnLoadCommandTable []
3480 : 2018-11-20 15:48:20,043 : DEBUG : cli.azure.cli.core : Loaded module 'cdn' in 0.003 seconds.
3480 : 2018-11-20 15:48:20,045 : DEBUG : cli.azure.cli.core : Loaded module 'cloud' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,047 : DEBUG : cli.azure.cli.core : Loaded module 'cognitiveservices' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,048 : DEBUG : cli.azure.cli.core : Loaded module 'configure' in 0.001 seconds.
3480 : 2018-11-20 15:48:20,051 : DEBUG : cli.azure.cli.core : Loaded module 'consumption' in 0.003 seconds.
3480 : 2018-11-20 15:48:20,053 : DEBUG : cli.azure.cli.core : Loaded module 'container' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,057 : DEBUG : cli.azure.cli.core : Loaded module 'cosmosdb' in 0.003 seconds.
3480 : 2018-11-20 15:48:20,061 : DEBUG : cli.azure.cli.core : Loaded module 'dla' in 0.004 seconds.
3480 : 2018-11-20 15:48:20,065 : DEBUG : cli.azure.cli.core : Loaded module 'dls' in 0.003 seconds.
3480 : 2018-11-20 15:48:20,067 : DEBUG : cli.azure.cli.core : Loaded module 'dms' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,069 : DEBUG : cli.azure.cli.core : Loaded module 'eventgrid' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,072 : DEBUG : cli.azure.cli.core : Loaded module 'eventhubs' in 0.003 seconds.
3480 : 2018-11-20 15:48:20,074 : DEBUG : cli.azure.cli.core : Loaded module 'extension' in 0.001 seconds.
3480 : 2018-11-20 15:48:20,075 : DEBUG : cli.azure.cli.core : Loaded module 'feedback' in 0.001 seconds.
3480 : 2018-11-20 15:48:20,076 : DEBUG : cli.azure.cli.core : Loaded module 'find' in 0.001 seconds.
3480 : 2018-11-20 15:48:20,078 : DEBUG : cli.azure.cli.core : Loaded module 'hdinsight' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,079 : DEBUG : cli.azure.cli.core : Loaded module 'interactive' in 0.001 seconds.
3480 : 2018-11-20 15:48:20,084 : DEBUG : cli.azure.cli.core : Loaded module 'iot' in 0.005 seconds.
3480 : 2018-11-20 15:48:20,087 : DEBUG : cli.azure.cli.core : Loaded module 'iotcentral' in 0.003 seconds.
3480 : 2018-11-20 15:48:20,093 : DEBUG : cli.azure.cli.core : Loaded module 'keyvault' in 0.005 seconds.
3480 : 2018-11-20 15:48:20,096 : DEBUG : cli.azure.cli.core : Loaded module 'lab' in 0.004 seconds.
3480 : 2018-11-20 15:48:20,099 : DEBUG : cli.azure.cli.core : Loaded module 'maps' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,104 : DEBUG : cli.azure.cli.core : Loaded module 'monitor' in 0.005 seconds.
3480 : 2018-11-20 15:48:20,125 : DEBUG : cli.azure.cli.core : Loaded module 'network' in 0.022 seconds.
3480 : 2018-11-20 15:48:20,128 : DEBUG : cli.azure.cli.core : Loaded module 'policyinsights' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,130 : DEBUG : cli.azure.cli.core : Loaded module 'profile' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,135 : DEBUG : cli.azure.cli.core : Loaded module 'rdbms' in 0.005 seconds.
3480 : 2018-11-20 15:48:20,138 : DEBUG : cli.azure.cli.core : Loaded module 'redis' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,141 : DEBUG : cli.azure.cli.core : Loaded module 'relay' in 0.003 seconds.
3480 : 2018-11-20 15:48:20,144 : DEBUG : cli.azure.cli.core : Loaded module 'reservations' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,151 : DEBUG : cli.azure.cli.core : Loaded module 'resource' in 0.008 seconds.
3480 : 2018-11-20 15:48:20,155 : DEBUG : cli.azure.cli.core : Loaded module 'role' in 0.003 seconds.
3480 : 2018-11-20 15:48:20,157 : DEBUG : cli.azure.cli.core : Loaded module 'search' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,161 : DEBUG : cli.azure.cli.core : Loaded module 'servicebus' in 0.004 seconds.
3480 : 2018-11-20 15:48:20,163 : DEBUG : cli.azure.cli.core : Loaded module 'servicefabric' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,165 : DEBUG : cli.azure.cli.core : Loaded module 'signalr' in 0.002 seconds.
3480 : 2018-11-20 15:48:20,173 : DEBUG : cli.azure.cli.core : Loaded module 'sql' in 0.008 seconds.
3480 : 2018-11-20 15:48:20,175 : DEBUG : cli.knack.cli : Event: CommandLoader.OnLoadCommandTable []
3480 : 2018-11-20 15:48:20,199 : DEBUG : cli.azure.cli.core : Loaded module 'storage' in 0.026 seconds.
3480 : 2018-11-20 15:48:20,212 : DEBUG : cli.azure.cli.core : Loaded module 'vm' in 0.013 seconds.
3480 : 2018-11-20 15:48:20,212 : DEBUG : cli.azure.cli.core : Loaded all modules in 0.206 seconds. (note: there's always an overhead with the first module loaded)
3480 : 2018-11-20 15:48:20,213 : DEBUG : cli.azure.cli.core.extension : Extensions directory: 'C:\Users\akrone\.azure\cliextensions'
3480 : 2018-11-20 15:48:20,214 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreCommandTableTruncate []
3480 : 2018-11-20 15:48:20,600 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPostCommandTableCreate [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x05B10348>, <function register_ids_argument.<locals>.add_ids_arguments at 0x05B10D68>]
3480 : 2018-11-20 15:48:20,602 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnCommandTableLoaded []
3480 : 2018-11-20 15:48:20,602 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPreParseArgs [<function _documentdb_deprecate at 0x068FF858>]
3480 : 2018-11-20 15:48:20,603 : DEBUG : cli.knack.cli : Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x05BDCAE0>, <function CLIQuery.handle_query_parameter at 0x05AC9738>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x05B10DB0>, <function handler at 0x0698CC00>]
3480 : 2018-11-20 15:48:20,611 : INFO : cli.azure.cli.command_modules.keyvault.custom : Starting long-running operation 'keyvault certificate create'
3480 : 2018-11-20 15:48:20,618 : DEBUG : msrest.universal_http.requests : Configuring retry: max_retries=4, backoff_factor=0.8, max_backoff=90
3480 : 2018-11-20 15:48:20,620 : DEBUG : msrest.universal_http.requests : Configuring retry: max_retries=4, backoff_factor=0.8, max_backoff=90
3480 : 2018-11-20 15:48:20,622 : DEBUG : msrest.exceptions : Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get'
3480 : 2018-11-20 15:48:20,622 : DEBUG : msrest.exceptions : Unable to build a model: Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get', DeserializationError: Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get'
3480 : 2018-11-20 15:48:20,622 : ERROR : cli.azure.cli.core.util : Unable to build a model: Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get', DeserializationError: Unable to deserialize to object: type, AttributeError: 'str' object has no attribute 'get'

yugangw-msft commented 5 years ago

@akrone-hach, I meant to communicate that the silent failure was supposed to be fixed. For the failure underneath, I am not able to reproduce this problem, but I would suggest skipping the following updates and seeing whether it would work. If yes, then I suspect SomethingToSecure might be the cause.

$policy = Get-Content  'defaultpolicy.json' -raw | ConvertFrom-Json
$policy.x509CertificateProperties.subject = "CN=SomethingToSecure"
$policy | ConvertTo-Json | Set-Content 'defaultpolicy.json'

tjprescott commented 5 years ago

From the last few lines of the debug trace, it looks very much like there may have been a breaking change in the KeyVault SDK where some property went from accepting a string to a list of strings. @schaabs
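
Added example (not from this thread and not azure-cli or msrest code): a pre-flight check for a policy file whose nested objects were written out as strings, which PowerShell's ConvertTo-Json does past its -Depth limit (default 2) and which makes a dict-expecting deserializer fail with the AttributeError shown in the trace above. The sample policy is constructed, and OBJECT_PATHS, check, find_flattened and deserializer_error are names assumed for this example.

```python
import json

# Constructed sample: a certificate policy in which nested objects have been
# replaced by the "@{...}" strings PowerShell's ConvertTo-Json writes once
# its -Depth limit (default 2) is exceeded. Not taken from the issue.
FLATTENED = """{
  "issuerParameters": {"name": "Self"},
  "x509CertificateProperties": {"subject": "CN=SomethingToSecure"},
  "lifetimeActions": [
    {"action": "@{actionType=AutoRenew}", "trigger": "@{daysBeforeExpiry=90}"}
  ]
}"""

# Key paths that must end in a JSON object; "*" means every array element.
# Assumption: a small subset picked for this example, not the SDK's schema.
OBJECT_PATHS = [
    ("issuerParameters",),
    ("x509CertificateProperties",),
    ("lifetimeActions", "*", "action"),
    ("lifetimeActions", "*", "trigger"),
]

def check(node, path, where="$"):
    """Return one finding per place where `path` fails to reach an object."""
    if path and path[0] == "*":
        if not isinstance(node, list):
            return [f"{where}: expected array, got {node!r}"]
        return [f for i, item in enumerate(node)
                for f in check(item, path[1:], f"{where}[{i}]")]
    if not isinstance(node, dict):
        return [f"{where}: expected object, got {node!r}"]
    if not path or path[0] not in node:
        return []  # reached the object, or the optional key is absent
    return check(node[path[0]], path[1:], f"{where}.{path[0]}")

def find_flattened(policy_text):
    """Parse a policy file's text (BOM tolerated) and list flattened values."""
    policy = json.loads(policy_text.lstrip("\ufeff"))
    return [f for p in OBJECT_PATHS for f in check(policy, p)]

def deserializer_error(policy_text):
    """Show the failure mode: .get() called on a value that is a str."""
    action = json.loads(policy_text)["lifetimeActions"][0]["action"]
    try:
        return action.get("actionType")
    except AttributeError as exc:
        return str(exc)
```

If the check reports findings for a file written by `ConvertTo-Json`, re-exporting with a larger `-Depth` (for example `ConvertTo-Json -Depth 10`) keeps the nested objects as objects.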

yonzhan commented 4 years ago

@schaabs any update for this issue?

santoshsinha100 commented 3 years ago

Is this issue addressed? I am getting the below error when trying to create a cert in keyVault using Azure CLI.

Error detail: Expecting property name enclosed in double quotes: line 1 column 5 (char 4)

az keyvault certificate create --vault-name RGTestkeyVault -n cert1 -p "$(az keyvault certificate get-default-policy)" --debug

My PowerShell version is 5.1.2.