Azure / azure-powershell

Microsoft Azure PowerShell

Update-AzSynapseSqlVulnerabilityAssessmentSetting cannot use Managed Identity #22714

Open qzhou-hmcts opened 1 year ago

qzhou-hmcts commented 1 year ago

Description

Using Update-AzSynapseSqlVulnerabilityAssessmentSetting to target a storage account with keys disabled, the command fails:

Update-AzSynapseSqlVulnerabilityAssessmentSetting -ResourceGroupName xxx-rg -WorkspaceName xxxxx -StorageAccountName XXXX -RecurringScansInterval "Weekly" -NotificationEmail "xxxx@xxxx.com" -EmailAdmins $True -ScanResultsContainerName "synapse-vulnerability-assessment"

Issue script & Debug output

DEBUG: 1:47:44 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Update-AzSynapseSqlVulnerabilityAssessmentSetting: The provided storage account shared access signature or account storage key is not valid. The provided storage account shared access signature or account storage key is not valid.
DEBUG: 1:47:44 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Synapse:2.0.0; CommandName: Update-AzSynapseSqlVulnerabilityAssessmentSetting; PSVersion: 7.3.4; IsSuccess: False; Duration: 00:00:01.7677708; Exception: The provided storage account shared access signature or account storage key is not valid. The provided storage account shared access signature or account storage key is not valid.;
DEBUG: 1:47:44 PM - UpdateAzureSynapseSqlVulnerabilityAssessmentSetting end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      7.3.4
PSEdition                      Core
GitCommitId                    7.3.4
OS                             Darwin 22.5.0 Darwin Kernel Version 22.5.0: Mon Apr 24 20:51:50 PDT 2023; root:xnu-8796.121.2~5/RELEASE_X86_64
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.10.3                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     2.0.0                 Az.Synapse                          {Add-AzSynapseDataFlowDebugSessionPackage, Add-AzSynapseTriggerSubscription, Clear-AzSyn…

Error output

Resolve-AzError
DEBUG: 2:14:53 PM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 2:14:53 PM - using account id 'XXXXXX'...
DEBUG: 2:14:53 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

  HistoryId: 14

Message        : The provided storage account shared access signature or account storage key is not valid. The provided storage account shared access 
                signature or account storage key is not valid.
StackTrace     :    at Microsoft.Azure.Commands.Synapse.Models.SynapseAnalyticsManagementClient.CreateOrUpdateWorkspaceVulnerabilityAssessmentSettings(String 
                resourceGroupName, String workspaceName, ServerVulnerabilityAssessment parameters)
                   at Microsoft.Azure.Commands.Synapse.UpdateAzureSynapseSqlVulnerabilityAssessmentSetting.ExecuteCmdlet()
                   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
                   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
                   at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
                   at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : Microsoft.Azure.Commands.Common.Exceptions.AzPSException
InvocationInfo : {Update-AzSynapseSqlVulnerabilityAssessmentSetting}
Line           : Update-AzSynapseSqlVulnerabilityAssessmentSetting -ResourceGroupName XXXXXX-rg -WorkspaceName XXXXXX  -StorageAccountName 
                miaudittest `

Position       : At line:1 char:1
                + Update-AzSynapseSqlVulnerabilityAssessmentSetting -ResourceGroupName  …
                + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 14

RequestId      : 863ad5bf-cb84-47c8-a4fa-38cc9ec8e440
Message        : The provided storage account shared access signature or account storage key is not valid.
ServerMessage  : InvalidStorageAccountCredentials: The provided storage account shared access signature or account storage key is not valid. 
                (System.Collections.Generic.List`1[Microsoft.Rest.Azure.CloudError])
ServerResponse : {BadRequest}
RequestMessage : {PUT https://management.azure.com/subscriptions/XXXXXX/resourceGroups/XXXXXX-rg/providers/Microsoft.Synapse/wo
                rkspaces/XXXXXX/vulnerabilityAssessments/default?api-version=2021-06-01}
InvocationInfo : {Update-AzSynapseSqlVulnerabilityAssessmentSetting}
Line           : Update-AzSynapseSqlVulnerabilityAssessmentSetting -ResourceGroupName XXXXXX-rg -WorkspaceName XXXXXX  -StorageAccountName 
                miaudittest `

Position       : At line:1 char:1
                + Update-AzSynapseSqlVulnerabilityAssessmentSetting -ResourceGroupName  …
                + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
StackTrace     :    at 
                Microsoft.Azure.Management.Synapse.WorkspaceManagedSqlServerVulnerabilityAssessmentsOperations.CreateOrUpdateWithHttpMessagesAsync(String 
                resourceGroupName, String workspaceName, ServerVulnerabilityAssessment parameters, Dictionary`2 customHeaders, CancellationToken 
                cancellationToken)
                   at Microsoft.Azure.Management.Synapse.WorkspaceManagedSqlServerVulnerabilityAssessmentsOperationsExtensions.CreateOrUpdateAsync(IWorkspace
                ManagedSqlServerVulnerabilityAssessmentsOperations operations, String resourceGroupName, String workspaceName, ServerVulnerabilityAssessment 
                parameters, CancellationToken cancellationToken)
                   at Microsoft.Azure.Management.Synapse.WorkspaceManagedSqlServerVulnerabilityAssessmentsOperationsExtensions.CreateOrUpdate(IWorkspaceManag
                edSqlServerVulnerabilityAssessmentsOperations operations, String resourceGroupName, String workspaceName, ServerVulnerabilityAssessment 
                parameters)
                   at Microsoft.Azure.Commands.Synapse.Models.SynapseAnalyticsManagementClient.CreateOrUpdateWorkspaceVulnerabilityAssessmentSettings(String 
                resourceGroupName, String workspaceName, ServerVulnerabilityAssessment parameters)
HistoryId      : 14

microsoft-github-policy-service[bot] commented 1 year ago

Thank you for your feedback. This has been routed to the support team for assistance.

qzhou-hmcts commented 1 year ago

To add to the issue: the documentation states that the configuration can use Storage Keys, a SAS token, or Managed Identity. To use Managed Identity, the storage key and SAS token should be null. However, the client enforces the storage key when a storage account is provided.

https://github.com/Azure/azure-powershell/blob/30b8ef4bb49d483a0b52a91b963b9aa0090351fe/src/Synapse/Synapse/Commands/ManagementCommands/VulnerabilityAssessment/VulnerabilityAssessmentSettings/UpdateAzureSynapseSqlVulnerabilityAssessmentSetting.cs#L151

Official doc https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-storage?view=azuresql&toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json
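One way to apply the managed-identity configuration the documentation describes while the cmdlet still insists on a key: issue the same PUT the cmdlet sends (the request URL is visible in the error output above) through Invoke-AzRestMethod with no key and no SAS in the body. This is an added example, not code from the issue or from the Az.Synapse module; it assumes the workspace's managed identity already holds a blob data role on the target account, that the request body follows the Microsoft.Synapse vulnerabilityAssessments schema for api-version 2021-06-01, and all resource names are placeholders.

```powershell
# Placeholders: substitute your own subscription, resource group, workspace,
# storage account and container names.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$workspace      = '<workspace-name>'
$storageAccount = '<storage-account-name>'
$container      = 'synapse-vulnerability-assessment'

# Same resource path the cmdlet PUTs to (see RequestMessage in the error output).
$path = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Synapse/workspaces/$workspace" +
        "/vulnerabilityAssessments/default?api-version=2021-06-01"

# Sanity check before sending: confirm the account really has shared-key
# access disabled, which is the scenario in which a key-based call must fail.
$sa = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
if ($sa.AllowSharedKeyAccess -ne $false) {
    Write-Warning "Shared key access is still enabled on $storageAccount"
}

# storageAccountAccessKey and storageContainerSasKey are deliberately omitted
# (assumption: with both absent the service authenticates to the container with
# the workspace managed identity, as the linked documentation states).
$body = @{
    properties = @{
        storageContainerPath = "https://$storageAccount.blob.core.windows.net/$container"
        recurringScans = @{
            isEnabled               = $true
            emailSubscriptionAdmins = $true
            emails                  = @('secops@example.com')   # constructed sample
        }
    }
} | ConvertTo-Json -Depth 5

$response = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body

# Surface the ARM error (e.g. InvalidStorageAccountCredentials) rather than
# continuing with an unconfigured assessment.
if ($response.StatusCode -notin @(200, 201)) {
    throw "Vulnerability assessment update failed ($($response.StatusCode)): $($response.Content)"
}
($response.Content | ConvertFrom-Json).properties
```

A 200/201 with no key in the body confirms the service side accepts managed-identity-only configuration; a 400 InvalidStorageAccountCredentials at this layer would indicate a role-assignment or account problem rather than the cmdlet behaviour reported here.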

microsoft-github-policy-service[bot] commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @wonner, @v-yanjungao.
