Azure-cli: [Key Vault] Using Key Vault quickly after create fails

Created on 12 May 2017 · 9 Comments · Source: Azure/azure-cli

Description

When creating a Key Vault using az keyvault create with a randomly selected DNS entry, then subsequently running az keyvault certificate create it will often fail stating: Max retries exceeded attempting to connect to vault. The vault may not exist or you may need to flush your DNS cache and try again later.

The error only happens for a short time following initial creation. This causes scripts which create Key Vaults to be rather unstable.

I would expect that Key Vault create would only successfully complete after it is able to reach the newly created Key Vault instance.


Environment summary

Install Method: source

CLI Version: azure-cli (2.0.6+dev)

OS Version: OS X

Shell Type: bash

KeyVault


All 9 comments

+1

Is anyone looking at this issue?

Having the same problem. Any update?

@mcwienczek got a solution:

# Create a KeyVault
az keyvault create \
  --name "${ENV_NAME}-keyvault" \
  --resource-group "${ENV_NAME}" \
  --location "${AZURE_LOCATION}" \
  --enabled-for-template-deployment true

# Due to KeyVault DNS propagation, we have to wait for 15 sec.
# 'az keyvault show' prints nothing (and exits non-zero) until the resource
# exists in ARM, so loop until it returns output. Errors are sent to /dev/null
# so they do not clutter the log while polling.
while [[ -z "$(az keyvault show -n "${ENV_NAME}-keyvault" -g "${ENV_NAME}" 2>/dev/null)" ]]; do
  echo "Waiting for 15 seconds for KeyVault DNS propagation"
  sleep 15
done

# Create a secret for the GitHub token in KeyVault
az keyvault secret set \
  --vault-name "${ENV_NAME}-keyvault" \
  --name "GIT-TOKEN" \
  --value "${GIT_TOKEN}"

@schaabs for comment

Thanks @kamoljan, I ended up doing sleep 10 to wait for vault to get up ;)

The problem still exists as of today. Can we have the command 'az keyvault create' block until the Key Vault is actually reachable by a VM?

There is a fix available for this. Currently it is in our preview command module, available as an Azure CLI Extension. To install the preview run the command:

az extension add -n keyvault-preview

In this preview extension the 'az keyvault create' command has been updated to a long running command. It will now block until the DNS entries have propagated. Please try it out and verify that it fixes the problem you're encountering.

More information on the keyvault-preview extension can be found here https://github.com/azure/azure-keyvault-cli-extension/.

This fix has been released in the current version of the CLI.
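A more robust wait than polling 'az keyvault show' or a fixed sleep, added here as an example and not code from this thread or from the Azure CLI project. 'az keyvault create' returns once the ARM resource exists, but 'az keyvault secret set' and 'az keyvault certificate create' talk to the data-plane name <vault>.vault.azure.net, which is what has to resolve. The script below therefore polls that hostname for DNS resolution and then for a data-plane response, with capped exponential backoff and a deadline, which is the same condition the updated long-running 'az keyvault create' waits for. The vault and resource group names (VAULT_NAME, RESOURCE_GROUP), the 120-second default deadline, the probe commands and the assumption that the caller already has permission to list secrets in the new vault (needed for 'az keyvault secret list') are mine, not from the page.

```shell
#!/usr/bin/env bash
# Added example (not from the issue thread): block until a freshly created
# Key Vault is usable on its data plane, instead of sleeping a fixed time.
set -eu

# retry_until <deadline_seconds> <initial_delay_seconds> <command...>
# Re-runs the command until it exits 0, sleeping between attempts with the
# delay doubling up to a 10 s cap. Returns 1 once the deadline is exceeded.
retry_until() {
  local deadline=$1
  local delay=$2
  shift 2
  local waited=0
  while ! "$@" >/dev/null 2>&1; do
    if [ "$waited" -ge "$deadline" ]; then
      return 1
    fi
    sleep "$delay"
    waited=$((waited + delay))
    delay=$((delay * 2))
    if [ "$delay" -gt 10 ]; then
      delay=10
    fi
  done
  return 0
}

# Probe 1: the vault's data-plane hostname resolves. getent covers Linux;
# host(1) covers macOS, where the original reporter hit this.
vault_dns_resolves() {
  local fqdn="$1.vault.azure.net"
  if command -v getent >/dev/null 2>&1; then
    getent hosts "$fqdn" >/dev/null
  else
    host "$fqdn" >/dev/null
  fi
}

# Probe 2: the data plane answers an authenticated request. Assumes the
# caller already has 'list' permission on secrets in this vault.
vault_data_plane_ready() {
  az keyvault secret list --vault-name "$1" >/dev/null
}

# wait_for_vault <vault-name> [deadline-seconds]
# DNS first, then the data plane: a resolvable name that still returns
# connection errors is the window the issue describes.
wait_for_vault() {
  local name=$1
  local deadline=${2:-120}
  if ! retry_until "$deadline" 1 vault_dns_resolves "$name"; then
    echo "timed out waiting for $name.vault.azure.net to resolve" >&2
    return 1
  fi
  if ! retry_until "$deadline" 1 vault_data_plane_ready "$name"; then
    echo "timed out waiting for $name to answer on its data plane" >&2
    return 1
  fi
  echo "$name is ready"
}

# Example flow: create, wait, then use. Only runs when VAULT_NAME and
# RESOURCE_GROUP are set, so the file can also be sourced for its functions.
if [ -n "${VAULT_NAME:-}" ] && [ -n "${RESOURCE_GROUP:-}" ]; then
  az keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP"
  wait_for_vault "$VAULT_NAME"
  az keyvault secret set --vault-name "$VAULT_NAME" --name GIT-TOKEN --value "${GIT_TOKEN:?}"
fi
```

Run it with VAULT_NAME and RESOURCE_GROUP exported, or source it and call wait_for_vault from an existing script. Because retry_until takes the probe as an argument, the same loop can wrap any other readiness check (for example 'az keyvault certificate list') without changing the backoff logic.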
