az keyvault secret show command doesn't show a shared access signature definition

Describe the bug

I followed the document to manage my storage account with my key vault. After generating a shared access signature definition, I get the output:

{
  "attributes": {
    "created": "2020-08-07T05:40:24+00:00",
    "enabled": true,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-08-07T05:40:24+00:00"
  },
  "id": <mySASDefinitionID>,
  "sasType": "account",
  "secretId": https://<myKeyVaultName>.vault.azure.net:443/secrets/<mySecretCreatedWithCLI>,
  "tags": null,
  "templateUri": <templateSASToken>,
  "validityPeriod": "P2D"
}

Everything seems to go well, but when I try to get my secret with az keyvault secret list --vault-name <myKeyVaultName>, as the document says, I get an empty list, as if no secret had been created.

$ az keyvault secret list --vault-name <myKeyVaultName>
[]

Then I followed this document and went through the process again with the Azure PowerShell tool. I successfully created a new SAS definition, and the output of the command Get-AzKeyVaultSecret -VaultName <myKeyVaultName> contains not only the secret created by the PowerShell tool but also the secret just created by the Azure CLI tool, as below:

Vault Name   : <myKeyVaultName>
Name         : <mySecretCreatedWithCLI>
Version      :
Id           : https://<myKeyVaultName>.vault.azure.net:443/secrets/<mySecretCreatedWithCLI>
Enabled      : True
Expires      :
Not Before   :
Created      :
Updated      :
Content Type : application/vnd.ms-sastoken-storage
Tags         :

Vault Name   : <myKeyVaultName>
Name         : <mySecretCreatedWithPowerShell>
Version      :
Id           : https://<myKeyVaultName>.vault.azure.net:443/secrets/<mySecretCreatedWithPowerShell>
Enabled      : True
Expires      :
Not Before   :
Created      :
Updated      :
Content Type : application/vnd.ms-sastoken-storage
Tags         :

This indicates that the Azure CLI tool has created a secret but fails to show it, which should be a bug in Azure CLI.

To Reproduce

Install the latest Azure CLI and create a new storage account and a new key vault resource, then follow the document to manage the storage account key with Key Vault. After generating the SAS definition, type az keyvault secret list --vault-name <vaultName> and you will get an empty list.

Expected behavior

A secret created in the Azure Portal is displayed perfectly by the Azure CLI tool. I expect that the az keyvault secret list or show command can also show me the secret created by the az keyvault storage sas-definition create command instead of an empty list.

Environment summary

I'm using Windows 10, PowerShell 7 (pwsh), and the Azure CLI version below:

{
  "azure-cli": "2.10.1",
  "azure-cli-command-modules-nspkg": "2.0.3",
  "azure-cli-core": "2.10.1",
  "azure-cli-nspkg": "3.0.4",
  "azure-cli-telemetry": "1.0.4",
  "extensions": {}
}

Additional context

By the way, the Azure Portal shows me neither <mySecretCreatedWithCLI> nor <mySecretCreatedWithPowerShell>; I'm not sure whether this is for security reasons or is also a bug in the Portal.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6 (5 by maintainers)

Top GitHub Comments

bim-msft commented, Nov 16, 2020 (1 reaction)

Anyway, this would be really inconvenient if you want to check the generated secret but you don’t know its name. I will add an extra parameter for the command az keyvault secret/key list like --include-managed to show all internal things. The documentation also needs to be updated.

bim-msft commented, Aug 13, 2020 (1 reaction)

Hi @hund030, the CLI command list doesn't show those "managed" secrets or keys. "managed" means they are not user-created but created internally, working along with storage accounts or certificates. Anyway, the show command can access those hidden secrets/keys. CLI and Portal share the same design for this feature, so you cannot see those things on the Portal either. PowerShell may not follow the same rule.
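The two comments above describe the inventory blind spot: a plain `list` omits Key Vault-managed secrets such as SAS definitions, while `show` retrieves them by name and `--include-managed` was the proposed way to list them. The following script is an added example, not code from the issue or from Azure CLI; it takes the JSON a listing with managed entries is assumed to return (field names `id`, `contentType`, `managed`, `attributes` follow the Key Vault REST listing, the sample values are constructed) and separates user secrets from managed SAS-definition secrets so an auditor can see what a plain listing would have hidden.

```python
import json
from urllib.parse import urlparse

# Content type Key Vault gives SAS-definition secrets (from the PowerShell
# output in the issue above).
SAS_CONTENT_TYPE = "application/vnd.ms-sastoken-storage"

# Constructed sample of what `az keyvault secret list --include-managed -o json`
# is assumed to return: one user secret and two SAS-definition secrets. Field
# names (`id`, `contentType`, `managed`, `attributes`) follow the Key Vault REST
# listing; all values are made up.
SAMPLE_LISTING = json.loads("""[
  {"id": "https://myvault.vault.azure.net/secrets/db-password",
   "contentType": null, "managed": null, "attributes": {"enabled": true}},
  {"id": "https://myvault.vault.azure.net:443/secrets/mystorage-cli-sas",
   "contentType": "application/vnd.ms-sastoken-storage", "managed": true,
   "attributes": {"enabled": true}},
  {"id": "https://myvault.vault.azure.net:443/secrets/mystorage-ps-sas",
   "contentType": "application/vnd.ms-sastoken-storage", "managed": true,
   "attributes": {"enabled": false}}
]""")


def secret_name_from_id(secret_id):
    """Name from https://<vault>.vault.azure.net:443/secrets/<name>[/<version>]."""
    parts = urlparse(secret_id).path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "secrets":
        raise ValueError("not a Key Vault secret id: %s" % secret_id)
    return parts[1]


def inventory(listing):
    """Split a listing into user secrets and Key Vault-managed secrets; the
    managed ones are what a plain `az keyvault secret list` omits."""
    user, managed = [], []
    for entry in listing:
        record = {
            "name": secret_name_from_id(entry["id"]),
            "sas_definition": entry.get("contentType") == SAS_CONTENT_TYPE,
            "enabled": bool(entry.get("attributes", {}).get("enabled")),
        }
        (managed if entry.get("managed") else user).append(record)
    return {"user": user, "managed": managed}


def show_commands(vault_name, listing):
    """`az keyvault secret show` calls that fetch each managed secret by name,
    which works even where `list` hides it."""
    return ["az keyvault secret show --vault-name %s --name %s"
            % (vault_name, r["name"]) for r in inventory(listing)["managed"]]
```

Feed it the real listing with `python script.py < listing.json` style plumbing of your own; disabled managed entries are worth checking because a disabled SAS definition stops Key Vault from issuing tokens for that storage account.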
