az apim nv doesn't provide parameters for configuring Key Vault secrets #27822

Open
jamesmcroft opened this issue Nov 10, 2023 · 8 comments
Labels
API Management az apim Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot bug This issue requires a change to an existing behavior in the product in order to be resolved. Service Attention This issue is responsible by Azure service team.

Comments

@jamesmcroft

Describe the bug

When using the Azure CLI, it is not currently possible to configure a named variable within API Management that uses Azure Key Vault secret values.

This functionality exists at the REST API documented here but appears to be missing as a parameter in the CLI specifically.

Related command

az apim nv

Errors

ERROR: unrecognized arguments: --keyvault {

Examples from AI knowledge base:
az apim nv create --service-name MyApim --resource-group MyResourceGroup --named-value-id MyNamedValue --display-name 'My Named Value' --value 'foo'
Create a Named Value.

az apim nv create --display-name 'My Named Value' --named-value-id MyNamedValue --resource-group MyResourceGroup --secret true --service-name MyApim --value 'foo'
Create an API Management Named Value. (autogenerated)

https://docs.microsoft.com/en-US/cli/azure/apim/nv#az_apim_nv_create
Read more about the command in reference docs

Issue script & Debug output

$keyVaultContract = @{
    identityClientId = $managedIdentityClientId
    secretIdentifier = $secretIdentifier
} | ConvertTo-Json

az apim nv create --resource-group $resourceGroup --service-name $apiManagement --named-value-id $nvName --display-name $nvName --keyvault $keyVaultContract --debug

ERROR: unrecognized arguments: --keyvault {

Examples from AI knowledge base:
az apim nv create --service-name MyApim --resource-group MyResourceGroup --named-value-id MyNamedValue --display-name 'My Named Value' --value 'foo'
Create a Named Value.

az apim nv create --display-name 'My Named Value' --named-value-id MyNamedValue --resource-group MyResourceGroup --secret true --service-name MyApim --value 'foo'
Create an API Management Named Value. (autogenerated)

https://docs.microsoft.com/en-US/cli/azure/apim/nv#az_apim_nv_create
Read more about the command in reference docs

Expected behavior

When providing a Key Vault contract object as described in the REST API documentation for API Management named variables, the CLI should accept this value and configure the named variable in Azure.

Environment Summary

azure-cli 2.53.0 *

core 2.53.0 *
telemetry 1.1.0

Extensions:
resource-graph 2.1.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\jamescroft.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:20:36) [MSC v.1929 64 bit (AMD64)]

Additional context

No response

@jamesmcroft jamesmcroft added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Nov 10, 2023

Hi @jamesmcroft,

2.53.0 is not the latest Azure CLI (2.53.1).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

@azure-client-tools-bot-prd azure-client-tools-bot-prd bot added the Auto-Resolve Auto resolve by bot label Nov 10, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot Service Attention This issue is responsible by Azure service team. API Management az apim labels Nov 10, 2023
@yonzhan
Collaborator

yonzhan commented Nov 10, 2023

Thank you for opening this issue, we will look into it.

Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @solankisamir, @mikebudzynski, @KedarJoshi, @yingru97.

@jamesmcroft
Author

More than happy to help contribute to fixing this if needed.

@jamesmcroft
Author

I wanted to also add here, I'm finding myself needing to use az rest for a lot of the supported APIs for APIM (e.g., backends, policies, etc.) which are not available in the az apim CLI.

@aldodfm

aldodfm commented Nov 16, 2023

Same here!
I was looking to update some name values using az cli and link a keyvault secret...:
az apim nv update --service-name "z-xxx-xxx-dv-ew-apim02" -g "z-xxx-xxx-dv01-ew-01" --named-value-id "mapping"
and there is no way to do it :s

@jamesmcroft
Author

jamesmcroft commented Nov 16, 2023

> Same here!
> I was looking to update some name values using az cli and link a keyvault secret...:
> az apim nv update --service-name "z-xxx-xxx-dv-ew-apim02" -g "z-xxx-xxx-dv01-ew-01" --named-value-id "mapping"
> and there is no way to do it :s

@aldodfm

You can use az rest to do the update, but it does require you to construct the request body.

The endpoint is as follows, replacing any $ prefix parts with your specific deployment:

https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.ApiManagement/service/$apiManagement/namedValues/$namedValue?api-version=2022-08-01

The request body is simply a JSON object representing:

{
    "properties": {
        "displayName": "$namedValue",
        "secret": true,
        "keyVault": {
            "identityClientId": "$managedIdentityClientId",
            "secretIdentifier": "$keyVaultSecretUri"
        }
    }
}

The CLI to call is: az rest --uri $endpoint --method PUT --body $requestBody --headers "Content-Type=application/json"

Not the most elegant, but does allow you to stay in the flow using the Azure CLI.
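
A PowerShell wrapper around the `az rest` workaround described in the comment above, added here as an example and not code from the issue or from the Azure CLI project. The function name `New-NamedValueBody`, the secret URI sanity check and the temporary body file are assumptions of this example, and the angle-bracket values are placeholders to replace.

```powershell
# Added example: placeholders below must be replaced with your own deployment values.
$subscriptionId          = '<subscription-id>'
$resourceGroup           = '<resource-group>'
$apiManagement           = '<apim-service-name>'
$namedValue              = '<named-value-id>'
$managedIdentityClientId = '<managed-identity-client-id>'
$keyVaultSecretUri       = '<key-vault-secret-uri>'

function New-NamedValueBody {   # hypothetical helper, not part of the Azure CLI
    param([string]$DisplayName, [string]$IdentityClientId, [string]$SecretIdentifier)
    # Assumed sanity check (this example's own rule): absolute HTTPS URI with a /secrets/<name> path.
    $uri = $null
    if (-not [Uri]::TryCreate($SecretIdentifier, [UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -ne 'https' -or $uri.AbsolutePath -notmatch '^/secrets/[^/]+(/[^/]+)?/?$') {
        throw "Not a Key Vault secret URI: $SecretIdentifier"
    }
    # Same shape as the request body in the comment; only a reference is sent, never the secret value.
    @{
        properties = @{
            displayName = $DisplayName
            secret      = $true
            keyVault    = @{
                identityClientId = $IdentityClientId
                secretIdentifier = $SecretIdentifier
            }
        }
    } | ConvertTo-Json -Depth 5
}

# ${namedValue} is braced because "?" would otherwise be read as part of the variable name.
$endpoint = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
    "/providers/Microsoft.ApiManagement/service/$apiManagement/namedValues/${namedValue}?api-version=2022-08-01"

$bodyFile = New-TemporaryFile
try {
    # ASCII output avoids the byte-order mark that Windows PowerShell adds for utf8.
    New-NamedValueBody -DisplayName $namedValue -IdentityClientId $managedIdentityClientId -SecretIdentifier $keyVaultSecretUri |
        Set-Content -Path $bodyFile.FullName -Encoding ascii
    # "@<file>" makes az rest read the body from the file, so PowerShell never re-quotes the JSON.
    az rest --uri $endpoint --method PUT --body "@$($bodyFile.FullName)" --headers "Content-Type=application/json"
    if ($LASTEXITCODE -ne 0) { throw "az rest failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item -Path $bodyFile.FullName -ErrorAction SilentlyContinue
}
```

The named value stores only the reference to the secret, so the managed identity given in `identityClientId` needs read access to that secret in the vault for API Management to resolve it.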

@RobBowman

@jamesmcroft I have a problem when implementing the suggested work-around: https://stackoverflow.com/questions/78298862/az-cli-to-create-an-apim-named-value-that-references-a-key-vault-secret.

Would be grateful for any pointers.
