Unable to import certificate with lifetime actions with AZ cli version 2.51 #27220

Closed
prabhkaur04 opened this issue Aug 22, 2023 · 6 comments · Fixed by #27225
Labels: Auto-Assign (Auto assign by bot), Azure CLI Team (The command of the issue is owned by Azure CLI team), customer-reported (Issues that are reported by GitHub users external to the Azure organization), KeyVault (az keyvault), question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)

Comments

prabhkaur04 commented Aug 22, 2023

Describe the bug

Trying to upload a certificate into the KV using the AZ CLI. The format of the command is:

az keyvault certificate import --vault-name $KEY_VAULT_NAME --file testfile.pem --policy @policy.json --name certname

The contents of the policy file are:

{
  "lifetimeActions": [
    {"action": {"actionType": "EmailContacts"}, "trigger": {"daysBeforeExpiry": 5}}
  ]
}

The command works fine with CLI versions 2.45 and 2.47. On the latest Az version, 2.51, I get the following error:

(BadParameter) Property policy has invalid value
Code: BadParameter
Message: Property policy has invalid value

Related command

az keyvault certificate import

Errors

(BadParameter) Property policy has invalid value
Code: BadParameter
Message: Property policy has invalid value

Issue script & Debug output

urllib3.connectionpool: https://contosokv.vault.azure.net:443 "POST /certificates/contosocert/import?api-version=7.4 HTTP/1.1" 400 83
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 112, in keyvault_command_handler
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/certificates/_client.py", line 401, in import_certificate
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/certificates/_generated/_operations_mixin.py", line 1947, in import_certificate
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/certificates/_generated/v7_4/operations/_key_vault_client_operations.py", line 1947, in import_certificate
azure.core.exceptions.HttpResponseError: (BadParameter) Property policy has invalid value

Code: BadParameter
Message: Property policy has invalid value

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 663, in execute
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 726, in _run_jobs_serially
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 697, in _run_job
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 333, in __call__
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 138, in keyvault_command_handler
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 51, in keyvault_exception_handler
knack.util.CLIError: (BadParameter) Property policy has invalid value

Code: BadParameter
Message: Property policy has invalid value

cli.azure.cli.core.azclierror: (BadParameter) Property policy has invalid value

Code: BadParameter
Message: Property policy has invalid value

az_command_data_logger: (BadParameter) Property policy has invalid value

Code: BadParameter
Message: Property policy has invalid value

Expected behavior

Successful certificate import, matching the behavior of older Az CLI versions.

Environment Summary

az --version
azure-cli 2.51.0

core 2.51.0
telemetry 1.1.0

Dependencies:
msal 1.24.0b1
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\prabh\.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:20:36) [MSC v.1929 64 bit (AMD64)]

Additional context

No response

@prabhkaur04 prabhkaur04 added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Aug 22, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot KeyVault az keyvault labels Aug 22, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Aug 22, 2023
yonzhan (Collaborator) commented Aug 22, 2023

Thank you for opening this issue, we will look into it.

@yonzhan yonzhan added this to the Backlog milestone Aug 22, 2023
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Aug 22, 2023
evelyn-ys added a commit to evelyn-ys/azure-cli that referenced this issue Aug 22, 2023
evelyn-ys (Member) commented Aug 22, 2023

Thanks for reporting. We will fix this issue in the next version. For now, please manually add the content_type info to your policy file to unblock:

{
  "lifetimeActions": [
    {
      "action": {"actionType": "EmailContacts"},
      "trigger": {"daysBeforeExpiry": 5}
    }
  ],
  "secretProperties": {
    "contentType": "application/x-pem-file"
  }
}

FabianGonzalez-MSFT commented

@evelyn-ys I spent a couple of hours yesterday troubleshooting the issue. The 400 (BadRequest) error when the content-type is missing is not a PSH thing but a Service thing. You may see that no content type returns:

[screenshot omitted]

On the other hand, when content type is specified, it succeeds. So, it seems that content type is required/enforced by the service so:

  1. Is it really possible to mark it as not required on PSH?
  2. Should you do it when the service is the one that asks for it?

What we do not understand is that yesterday, when we found out about the content type, we tried the following command:

az keyvault certificate import --vault-name $KEY_VAULT_NAME --file testfile.pem --policy @policy.json --name certname

With the following policy.json content (which looks pretty similar to what you suggested, except for the x-pem-file):

{
  "lifetime_actions": [
    {
      "trigger": {
        "days_before_expiry": 5
      },
      "action": {
        "action_type": "EmailContacts"
      }
    }
  ],
  "secret_props": {
    "contentType": "application/x-pkcs12"
  }
}

Even with the above, they kept receiving the error. What was wrong?

The final question is:

  1. If this seems to be a service requirement, because a direct API call fails, why was the CLI allowing the missing content type in past versions?

evelyn-ys (Member) commented

@FabianGonzalez-MSFT For some historical reason the CLI allowed an optional content type in the past, and we don't want to introduce a breaking change, so we just keep that behavior. But even I don't know why we allowed it in the past, since I'm the fifth keyvault owner and it has been so long 😂

And your policy looks good in general but has one problem: you should use secret_properties instead of secret_props. Hope this can help.

FabianGonzalez-MSFT commented Aug 23, 2023

@evelyn-ys Weird, 'cause the API spec shows secret_props: https://learn.microsoft.com/en-us/rest/api/keyvault/certificates/import-certificate/import-certificate?tabs=HTTP#certificatepolicy. Does the CLI work differently? I also noticed you used "lifetimeActions" instead of "lifetime_actions" and "daysBeforeExpiry" instead of "days_before_expiry". Where can I find a reference for the policy's properties on the CLI?

evelyn-ys added a commit that referenced this issue Aug 24, 2023
…policy issue when no content_type provided (#27225)
evelyn-ys (Member) commented

The CLI can accept both snake case and camel case.

You can run az keyvault certificate get-default-policy to get a sample.
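A pre-flight check for the policy file before calling az keyvault certificate import, as an added example that is not code from this issue or from azure-cli. It normalises camelCase and snake_case keys (the thread says the CLI accepts both), flags the secret_props key that the thread identifies as wrong, and reports a missing content_type, which is what the service rejects with BadParameter. The file-suffix-to-content-type map and the lifetime_percentage trigger name are assumptions taken from the Key Vault REST documentation, not from the thread.

```python
import json
import re
from pathlib import PurePath

# Assumption: content types Key Vault expects for imported certificate files,
# keyed by file suffix (the thread only shows x-pem-file and x-pkcs12).
CONTENT_TYPE_BY_SUFFIX = {
    ".pem": "application/x-pem-file",
    ".pfx": "application/x-pkcs12",
    ".p12": "application/x-pkcs12",
}


def to_snake(name: str) -> str:
    """camelCase -> snake_case; keys already in snake_case pass through unchanged."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()


def normalize(obj):
    """Recursively rewrite dict keys to snake_case so both spellings compare equal."""
    if isinstance(obj, dict):
        return {to_snake(k): normalize(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [normalize(v) for v in obj]
    return obj


def check_policy(policy_text: str, cert_file: str) -> list:
    """Return a list of problems; an empty list means the policy is safe to submit."""
    problems = []
    try:
        policy = normalize(json.loads(policy_text))
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg} (line {exc.lineno})"]
    if "secret_props" in policy:
        problems.append("use 'secret_properties' (or 'secretProperties'), not 'secret_props'")
    expected = CONTENT_TYPE_BY_SUFFIX.get(PurePath(cert_file).suffix.lower())
    actual = policy.get("secret_properties", {}).get("content_type")
    if actual is None:
        problems.append("secret_properties.content_type is missing; the service rejects the import (BadParameter)")
    elif expected and actual != expected:
        problems.append(f"content_type {actual!r} does not match {cert_file}; expected {expected!r}")
    # Assumption: a trigger needs days_before_expiry or lifetime_percentage (REST API field names).
    for i, action in enumerate(policy.get("lifetime_actions", [])):
        trigger = action.get("trigger", {})
        if not {"days_before_expiry", "lifetime_percentage"} & set(trigger):
            problems.append(f"lifetime_actions[{i}].trigger needs days_before_expiry or lifetime_percentage")
    return problems
```

Run it as check_policy(open("policy.json").read(), "testfile.pem") and fix every reported problem before invoking the CLI; the original policy from this issue reports only the missing content_type.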
