Some team members and I were hitting some odd Azure CLI issues in our automation. I had recently worked with the scripts and everything ran to completion.
When attempting to set the Access Policy:
az keyvault set-policy -n $kv --key-permissions "all" --secret-permissions "all" --upn "$account_name@some_company.com"
This error kept occurring:
The Vault '$KeyVaultName' not found within subscription
The current subscription was checked with az account show and it was fine. When the same command was run again, it succeeded. We suspected that the Key Vault had not yet finished being created, but in hindsight the creation call had already returned its response JSON.
I thought it may have been the Azure CLI version used. We updated the version to 2.43.0 on that machine and hit other issues:
function get_existing_spn() {
    # Get the existing service principal for the environment.
    # $1 is the SPN display name; falls back to the environment's naming convention.
    spName=$1
    if [[ -z $spName ]]; then
        export spName="s${fgid}${env}sp"
    fi
    echo "Querying Azure for existing SPN with name=$spName..."
    # Look up the SPN by display name and read back its appId and displayName.
    # `echo $(...)` flattens jq's two output lines onto one line so `read` can
    # split them on whitespace; a display name containing spaces would break this.
    read -r sp_appId existing_spn < <( echo $(az ad sp list --filter "displayName eq '$spName'" \
        | jq -r '.[] | .appId, .displayName'))
    if [[ -z $sp_appId || -z $existing_spn ]]; then
        echo -e "${FAIL}Expected the SPN($spName) to have already been created manually or with the secrets train and stored in $SecretsKeyVaultName.${NC}"
        return 1
    fi
    echo "Found '$existing_spn' with appId=$sp_appId"
    export sp_appId
    return 0
}
Specifically, the az ad sp list call failed with:
Continuous access evaluation resulted in claims challenge with result: InteractionRequired and code: TokenCreatedWithoutDatedPolicies
With some googling, it turns out this version seems to have some open issues with Continuous Access Evaluation (CAE) starting with version 2.41.0.
List all available packages for azure-cli with apt/apt-get:
apt list -a azure-cli
azure-cli/focal 2.43.0-1~focal all [upgradable from: 2.40.0-1~focal]
azure-cli/focal 2.42.0-1~focal all
azure-cli/focal 2.41.0-1~focal all
azure-cli/focal,now 2.40.0-1~focal all [installed,upgradable to: 2.43.0-1~focal]
azure-cli/focal 2.39.0-1~focal all
azure-cli/focal 2.38.0-1~focal all
azure-cli/focal 2.37.0-1~focal all
...
The workaround, for now, is to downgrade to 2.40.0:
sudo apt-get install -y azure-cli=2.40.0-1~focal --allow-downgrades
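A preflight guard for the automation, added here as an example that is not part of the original post: it compares the installed azure-cli version against the first affected release (2.41.0, per the open issue) and, when affected, prints the downgrade command from above together with apt-mark hold so that a later apt upgrade does not silently reinstall the broken release. It assumes az version reports the CLI version under an "azure-cli" key; the comparison functions themselves need only sort -V.

```shell
#!/usr/bin/env bash
# Preflight guard: refuse to run on an azure-cli release affected by the
# CAE claims-challenge error (TokenCreatedWithoutDatedPolicies), 2.41.0 and later.
# Versions are compared with `sort -V`, so 2.9.0 < 2.41.0 compares correctly.

# First affected release and the known-good package to pin to (from the post).
CAE_BUG_FIRST_VERSION="2.41.0"
PINNED_PACKAGE="azure-cli=2.40.0-1~focal"

# version_ge A B: true when A >= B in version order.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# cae_bug_affected VERSION: true when VERSION is in the affected range.
cae_bug_affected() {
    version_ge "$1" "$CAE_BUG_FIRST_VERSION"
}

# remediation VERSION: print the downgrade + hold commands for an affected
# version, or nothing when the version is fine. `apt-mark hold` keeps a later
# `apt-get upgrade` from pulling 2.43.0 back in.
remediation() {
    if cae_bug_affected "$1"; then
        printf 'sudo apt-get install -y %s --allow-downgrades && sudo apt-mark hold azure-cli\n' \
            "$PINNED_PACKAGE"
    fi
}

# installed_az_version: read the CLI's own version. Assumption: `az version`
# emits JSON with an "azure-cli" key, which --query extracts as plain text.
installed_az_version() {
    az version --query '"azure-cli"' -o tsv 2>/dev/null
}

# check_az_cli: call at the top of the entry script; returns 1 when the
# installed release is affected, 2 when az is not on PATH.
check_az_cli() {
    local ver
    ver="$(installed_az_version)" || { echo "az not found on PATH" >&2; return 2; }
    if cae_bug_affected "$ver"; then
        echo "azure-cli $ver is affected by the CAE TokenCreatedWithoutDatedPolicies issue." >&2
        echo "Downgrade and hold: $(remediation "$ver")" >&2
        return 1
    fi
    echo "azure-cli $ver is not in the affected range."
}
```

The comparison and remediation functions run without az installed, so they can be exercised offline before wiring check_az_cli into the entry script.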
Takeaways
The downgrade is helpful for issues like this. I chimed in on the open issue for the azure-cli documentation.
We had some issues with scripts working even though the variables/functions were not defined. This was due to developing/testing in the same bash session and running the main entry script. Always start a new bash session when testing end-to-end.
Supplemental:
There were older methods of installing az-cli that would lead to broken references and not support az upgrade. This could leave multiple versions installed if one were to use the curl method, apt-get, or pip. You can determine which copy of az your shell resolves to:
which az
Uninstall the older version (prior to 2.11.0). Thanks to Srinivas manikanta Pechetti for the suggestion.