`az vm create --secrets` fails with "not a properly encoded Base64 string"

Description

I am using the following commands to create a keyvault, a key value pair secret, and then a VM.

keyvault=mykeyvault007
keyvaultrg=testkvrg007
vmFront=vmfront

az group create --name $keyvaultrg --location westus

az keyvault create --name $keyvault --resource-group $keyvaultrg --enabled-for-deployment
az keyvault secret set --vault-name $keyvault --name 'sqlpassword' --value 'Password12'

secret=$(az keyvault secret list-versions --vault-name $keyvault --name sqlpassword --query "[?attributes.enabled].id" --output tsv)
vm_secret=$(az vm format-secret --secret "$secret")

az vm create --resource-group $keyvaultrg --name $vmFront --image UbuntuLTS --generate-ssh-keys --custom-data cloud-init-front.txt --secrets "$vm_secret"

The secret is successfully returned and formatted using az vm format-secret.

[
  {
    "sourceVault": {
      "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testkvrg007/providers/Microsoft.KeyVault/vaults/mykeyvault007"
    },
    "vaultCertificates": [
      {
        "certificateUrl": "https://mykeyvault007.vault.azure.net/secrets/sqlpassword/8e531e8ea9e948e6a8c0b81b6b4977b2"
      }
    ]
  }
]

However the following is thrown:

At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. {
  "status": "Failed",
  "error": {
    "code": "ResourceDeploymentFailure",
    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "CertificateImproperlyFormatted",
        "message": "The secret retrieved from https://mykeyvault007.vault.azure.net/secrets/sqlpassword/8e531e8ea9e948e6a8c0b81b6b4977b2 is not a properly encoded Base64 string."
      }
    ]
  }
}  Correlation ID: 3f9d790c-ab44-4670-b0a9-d2068487d47e

I see that the az keyvault secret set command has an --encoding argument, however this only applies when providing a file, which I am not.

I can reproduce the issue on a Macbook Pro.


Environment summary

Install Method: How did you install the CLI? (e.g. pip, interactive script, apt-get, Docker, MSI, nightly)
apt-get

CLI Version: What version of the CLI and modules are installed? (Use az --version)

azure-cli (2.0.3)

acr (2.0.1)
acs (2.0.3)
appservice (0.1.3)
batch (2.0.1)
cloud (2.0.1)
component (2.0.1)
configure (2.0.3)
container (0.1.3)
core (2.0.3)
documentdb (0.1.3)
feedback (2.0.1)
find (0.0.2)
iot (0.1.3)
keyvault (2.0.1)
lab (0.0.2)
monitor (0.0.2)
network (2.0.3)
nspkg (2.0.0)
profile (2.0.3)
redis (0.2.0)
resource (2.0.3)
role (2.0.2)
sql (2.0.1)
storage (2.0.3)
vm (2.0.3)

Python (Linux) 2.7.6 (default, Oct 26 2016, 20:30:19)
[GCC 4.8.4]

OS Version: What OS and version are you using?
WSL / Windows 10

Shell Type: What shell are you using? (e.g. bash, cmd.exe, Bash on Windows)
Bash on Windows

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 13 (11 by maintainers)

Top GitHub Comments

1 reaction
rbigeard commented, Sep 6, 2017

Should I understand from this discussion that the current example sitting at https://docs.microsoft.com/fi-fi/azure/virtual-machines/linux/tutorial-secure-web-server is actually misleading and should be amended? I am getting the exact same error as OP by following it (which is not surprising after reading this thread).

(edited): The same error occurs using an openssl-generated certificate that has been imported into vault. Using a certificate generated by ‘az keyvault certificate create’ is fine. The documentation is not super clear on those encoding issues.

1 reaction
devigned commented, Apr 28, 2017

Seems reasonable. Perhaps, this calls for a feature discussion.
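
As background to the error reported in this issue, here is an added example (not from the issue thread or the Azure CLI code base). The Azure Compute API describes the secret behind `vaultCertificates[].certificateUrl` as the Base64 encoding of a UTF-8 JSON object with `data`, `dataType` and `password` fields, so a plain value such as `Password12` fails the first decode. The function names and sample inputs below are assumptions constructed for illustration.

```python
import base64
import binascii
import json

# Envelope fields documented for a secret referenced by
# vaultCertificates[].certificateUrl (assumption: Azure Compute API docs).
REQUIRED_FIELDS = ("data", "dataType", "password")


def classify_vm_secret(value: str) -> str:
    """Say whether a Key Vault secret value is usable with `az vm create --secrets`."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"  # the case the deployment error reports
    try:
        envelope = json.loads(decoded.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return "base64-but-not-json-envelope"
    if not isinstance(envelope, dict) or any(f not in envelope for f in REQUIRED_FIELDS):
        return "json-missing-fields"
    try:
        base64.b64decode(envelope["data"], validate=True)
    except (binascii.Error, ValueError, TypeError):
        return "inner-data-not-base64"
    return "ok"


def wrap_pfx_for_vm(pfx_bytes: bytes, password: str) -> str:
    """Build the Base64(JSON) envelope around PFX bytes (hypothetical helper)."""
    envelope = {
        "data": base64.b64encode(pfx_bytes).decode("ascii"),
        "dataType": "pfx",
        "password": password,
    }
    return base64.b64encode(json.dumps(envelope).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    samples = {  # constructed inputs, not real secrets or certificates
        "plain password from the issue": "Password12",
        "PEM text": "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----",
        "wrapped PFX": wrap_pfx_for_vm(b"constructed-bytes-not-a-real-pfx", "example"),
    }
    for label, value in samples.items():
        print(f"{label}: {classify_vm_secret(value)}")
```

Running the same check on a secret value before deployment separates a certificate in the expected envelope from an arbitrary password or PEM text stored as a secret.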
