Azure CLI weirdness


AZ FML


Some team members and I were hitting odd Azure CLI issues in our automation. I had recently worked with the scripts and everything had run to completion.

When attempting to set the Key Vault access policy (note that "all" grants every key and secret permission; in real automation you would normally scope this down to what the caller needs):

az keyvault set-policy -n $kv --key-permissions "all" --secret-permissions "all" --upn "$account_name@some_company.com"

This error kept occurring:

The Vault '$KeyVaultName' not found within subscription

The current subscription was checked with az account show and it was fine. When the same command was run again, it succeeded. We suspected the Key Vault had not finished being created, but in hindsight the creation command had already returned its response JSON, so the vault existed by the time set-policy ran.

I thought it may have been the Azure CLI version used. We updated the version to 2.43.0 on that machine and hit other issues:

function get_existing_spn() {
  # Get the existing service principal for the environment.
  # Usage: get_existing_spn [spName]; defaults to s<fgid><env>sp.
  spName=$1

  if [[ -z $spName ]]; then
    export spName="s${fgid}${env}sp"
  fi

  echo "Querying Azure for existing SPN with name=$spName..."
  # jq prints appId and displayName on separate lines; the unquoted echo
  # collapses them onto one line so read can split them into two variables.
  # If more than one SPN matches the filter, existing_spn picks up the extras.
  read sp_appId existing_spn < <( echo $(az ad sp list --filter "displayName eq '$spName'" \
    | jq -r '.[] | .appId, .displayName'))

  if [[ -z $sp_appId || -z $existing_spn ]]; then
    echo -e "${FAIL}Expected the SPN($spName) to have already been created manually or with the secrets train and stored in $SecretsKeyVaultName.${NC}"
    return 1
  fi

  echo "Found '$existing_spn' with appId=$sp_appId"
  export sp_appId
  return 0
}

Specifically, the az ad sp list call failed with:

Continuous access evaluation resulted in claims challenge with result: InteractionRequired and code: TokenCreatedWithoutDatedPolicies

With some googling, it turns out there are open issues with Continuous Access Evaluation (CAE) in the Azure CLI starting with version 2.41.0, so 2.43.0 was affected as well.

List the versions of azure-cli available from the apt repository:

apt list -a azure-cli
azure-cli/focal 2.43.0-1~focal all [upgradable from: 2.40.0-1~focal]
azure-cli/focal 2.42.0-1~focal all
azure-cli/focal 2.41.0-1~focal all
azure-cli/focal,now 2.40.0-1~focal all [installed,upgradable to: 2.43.0-1~focal]
azure-cli/focal 2.39.0-1~focal all
azure-cli/focal 2.38.0-1~focal all
azure-cli/focal 2.37.0-1~focal all
...

The workaround, for now, is to downgrade to 2.40.0, the last version that worked for us:

sudo apt-get install -y azure-cli=2.40.0-1~focal --allow-downgrades
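The downgrade above is a one-off command; in automation you want the decision to be repeatable and the package held so a routine apt upgrade does not pull the regression back in. The script below is an added example (not code from the original post) that does the version check and the pin. It assumes the affected range is 2.41.0 through 2.43.0 (the post only establishes 2.41.0 as the first bad version and 2.43.0 as observed bad; the upper bound is my assumption), Ubuntu 20.04 with the Microsoft apt repository (the 1~focal package revision), and that `az version` prints its usual JSON with an "azure-cli" key. The version comparison is done with cut rather than sort -V so it runs on a minimal sh.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: detect whether the installed
# Azure CLI is in the version range this post found broken by the Continuous
# Access Evaluation (CAE) claims challenge, and pin the last known-good build.
# Assumptions (mine, not the post's): the bad range is 2.41.0 through 2.43.0,
# and the target is Ubuntu 20.04 (focal) using the Microsoft apt repository.
set -eu

GOOD_VERSION="2.40.0"      # version the post downgraded to and that worked
FIRST_BAD="2.41.0"         # first version with the CAE regression, per the post
LAST_BAD="2.43.0"          # assumption: newest version known to be affected
DISTRO_SUFFIX="1~focal"    # apt package revision seen in `apt list -a azure-cli`

# version_le A B: succeed if A <= B, comparing up to three dotted numeric parts.
# Missing parts count as 0, so "2.41" compares equal to "2.41.0".
version_le() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i")
    y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# cae_affected VERSION: succeed if FIRST_BAD <= VERSION <= LAST_BAD.
cae_affected() {
  version_le "$FIRST_BAD" "$1" && version_le "$1" "$LAST_BAD"
}

# parse_az_version: read the JSON printed by `az version` on stdin and print
# the "azure-cli" core version (e.g. 2.43.0). Plain sed, so no jq dependency;
# the "azure-cli-core" line does not match because the key is followed by "-".
parse_az_version() {
  sed -n 's/.*"azure-cli": *"\([0-9.]*\)".*/\1/p' | head -n 1
}

# pin_good_version: downgrade the apt package and hold it so a later
# `apt-get upgrade` does not silently reintroduce the regression.
# Undo with `sudo apt-mark unhold azure-cli` once a fixed release ships.
pin_good_version() {
  sudo apt-get install -y "azure-cli=${GOOD_VERSION}-${DISTRO_SUFFIX}" --allow-downgrades
  sudo apt-mark hold azure-cli
}

# main [--pin]: report the installed version; with --pin, also downgrade and hold.
# Does nothing (and exits 0) when az is not on PATH, so it is safe to source.
main() {
  if ! command -v az >/dev/null 2>&1; then
    echo "az not found on PATH; nothing to check"
    return 0
  fi
  v=$(az version 2>/dev/null | parse_az_version)
  if cae_affected "$v"; then
    echo "azure-cli $v is in the CAE-affected range [$FIRST_BAD, $LAST_BAD]"
    if [ "$1" = "--pin" ]; then
      pin_good_version
    else
      echo "re-run with --pin to downgrade to $GOOD_VERSION and hold the package"
    fi
  else
    echo "azure-cli $v is outside the affected range"
  fi
}

main "${1:-}"
```

Run it once without arguments on the affected machine to confirm what it sees, then with --pin to apply the downgrade. The apt-mark hold is the part the one-line downgrade lacks: without it the next unattended upgrade moves you straight back to the broken version. Remember to unhold once you have verified a newer release no longer produces the TokenCreatedWithoutDatedPolicies challenge.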

Takeaways

Downgrading to a known-good version is a reasonable stopgap for issues like this. I chimed in on the open azure-cli issue so the documentation reflects it.

We also saw scripts succeed even though some of the variables and functions they used were never defined in the scripts themselves. This was because we had been developing and testing in the same bash session and then running the main entry script there, so leftover state from earlier runs leaked in. Always start a fresh bash session when testing end-to-end.

Supplemental:

Older ways of installing the Azure CLI (the curl install script, pip) can leave behind broken references and do not support az upgrade. Mixing them with the apt-get package can leave multiple copies installed. Check which binary is actually first on your PATH from the shell:

which az

Uninstall any copy older than 2.11.0. Thanks to Srinivas manikanta Pechetti for the suggestion.
