Azure-cli: [Keyvault][2.0.6] "az keyvault secret list" doesn't show "name" of secret, but download/show require it

Created on 28 May 2017 · 14 Comments · Source: Azure/azure-cli

Description

To use keyvault as an RSA keystore, I'll need to use download and show when I'm setting up new local machines (let alone servers in Azure). But both of those require --name of the secret. Unfortunately, the name value is not displayed by the output of list.

Result: I can't script directly from list, because I have to put a sed from xargs in there to calculate the name from the id value that _is_ returned.

GOAL: the metadata from list has the name value already in it so that you can easily script the keys from there without interpolating xargs/sed.

EXAMPLE:

az keyvault secret list --vault-name xxx
[
  {
    "attributes": {
      "created": "2017-05-28T09:50:49+00:00",
      "enabled": true,
      "expires": null,
      "notBefore": null,
      "updated": "2017-05-28T09:50:49+00:00"
    },
    "contentType": "Password-less private key for dcos demos",
    "id": "https://xxx.vault.azure.net/secrets/<name of key>",
    "managed": null,
    "tags": {
      "file-encoding": "utf-8"
    }
  }
]

Environment summary

Install Method: How did you install the CLI? (e.g. pip, interactive script, apt-get, Docker, MSI, nightly)
Answer here:
sudo -H pip install azure-cli

CLI Version: What version of the CLI and modules are installed? (Use az --version)
Answer here:
╰─ az --version
azure-cli (2.0.6)

acr (2.0.4)
acs (2.0.6)
appservice (0.1.6)
batch (2.0.4)
cdn (0.0.2)
cloud (2.0.2)
cognitiveservices (0.1.2)
command-modules-nspkg (2.0.0)
component (2.0.4)
configure (2.0.6)
core (2.0.6)
cosmosdb (0.1.6)
dla (0.0.6)
dls (0.0.6)
feedback (2.0.2)
find (0.2.2)
interactive (0.3.2)
iot (0.1.5)
keyvault (2.0.4)
lab (0.0.4)
monitor (0.0.4)
network (2.0.6)
nspkg (3.0.0)
profile (2.0.4)
rdbms (0.0.1)
redis (0.2.3)
resource (2.0.6)
role (2.0.4)
sf (1.0.1)
sql (2.0.3)
storage (2.0.6)
vm (2.0.6)

Python (Darwin) 2.7.13 (default, Apr 4 2017, 08:47:57)
[GCC 4.2.1 Compatible Apple LLVM 8.1.0 (clang-802.0.38)]

Python location '/usr/local/opt/python/bin/python2.7'

OS Version: What OS and version are you using?
Answer here:
macOS Sierra, 10.12.5

Shell Type: What shell are you using? (e.g. bash, cmd.exe, Bash on Windows)
Answer here:
oh-my-zsh

KeyVault

All 14 comments

Unfortunately, this happens because the service, at present, only returns the key ID. cc/ @schaabs

Is there a movement afoot to change that?

@squillace yes we are currently looking to change the service so that these fields are returned in addition to the ID. However, I'm not sure when this fix will be available. I'm also looking into adding methods into the cli to parse the ID, currently you can do this through the python azure-keyvault SDK using the KeyVaultId class.

Hi @schaabs, not sure we should have you do the work for that if the server side is updated in the future. I just wanted THAT updated. But parsing the ID is 'ok' for now. I'd let this be the issue to fix the server and close it when that is done.

I would agree with @squillace. If you really wanted to, you could simulate the server fix by introducing an output transformer for the KeyVault data plane commands. That would be a more seamless workaround than introducing ID parse commands (unless they have a role in some other usage scenario).

Sounds good @squillace could you possibly share a sample of the work around you used here for any others that encounter this issue in the meantime?

Cleaning up old issues, reopen if this is still active.

This is very important, making az keyvault almost useless to me - I cannot enumerate the secrets in a keyvault and then act on them, I need to know what their name is.

az keyvault secret list --vault-name <vault-name>

returns

  {
    "attributes": {
      "created": "2017-11-10T21:55:15+00:00",
      "enabled": true,
      "expires": null,
      "notBefore": null,
      "recoveryLevel": "Purgeable",
      "updated": "2017-11-10T21:55:15+00:00"
    },
    "contentType": null,
    "id": "https://<vault-name>.vault.azure.net/secrets/<secret-name>",
    "managed": null,
    "tags": null
  }

but to do anything to the secret, I need <secret-name> - ...

@schaabs, when is this service-side fix coming? If it will be far in the future, I'd recommend implementing the client-side workaround.

Until this is fixed, here's a workaround I use for reading secrets using bash and jq:

# this prints all the secrets in the keyvault
VAULT_NAME=my-key-vault
for i in $(az keyvault secret list --vault-name "$VAULT_NAME" | jq --raw-output '.[]|(.id / "/")[4]')
do
  az keyvault secret show --vault-name "$VAULT_NAME" --name "$i"
done | jq --raw-output '[(.id / "/")[4], .value] | join("=")'
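The workaround above relies on jq splitting the id on "/" and taking element 4, which silently breaks if a versioned id (`.../secrets/<name>/<version>`) or a non-Key-Vault URL ever reaches the loop. The following is an added example (not code from the issue thread or from azure-cli) that parses the id with POSIX parameter expansion instead: it checks the id is an https URL under the public-cloud `vault.azure.net` suffix (an assumption; sovereign clouds use other suffixes), splits off the vault name, secret name and optional version, and rewrites the loop to use `--query '[].id' -o tsv` so jq is not needed. The function names are hypothetical, and the sample ids are constructed.

```shell
#!/bin/sh
# Added example, not from the issue thread or from azure-cli.
# Parses Key Vault secret ids of the forms
#   https://<vault>.vault.azure.net/secrets/<name>
#   https://<vault>.vault.azure.net/secrets/<name>/<version>
# Assumption: only public-cloud vaults (suffix vault.azure.net) are in use.

# Reject anything that is not an https Key Vault secret id. Returns 1 on
# mismatch so callers in a loop can skip the entry instead of passing a
# foreign URL fragment on to "az keyvault secret show".
kv_check_secret_id() {
  case "$1" in
    https://*.vault.azure.net/secrets/*) return 0 ;;
    *) echo "not a Key Vault secret id: $1" >&2; return 1 ;;
  esac
}

# Print the secret name from an id (versioned or not).
kv_secret_name_from_id() {
  kv_check_secret_id "$1" || return 1
  rest=${1#https://*.vault.azure.net/secrets/}   # "<name>" or "<name>/<version>"
  name=${rest%%/*}                                # drop any "/<version>" suffix
  [ -n "$name" ] || return 1
  printf '%s\n' "$name"
}

# Print the version from an id, or an empty line when the id has none.
kv_secret_version_from_id() {
  kv_check_secret_id "$1" || return 1
  rest=${1#https://*.vault.azure.net/secrets/}
  case "$rest" in
    */*) printf '%s\n' "${rest#*/}" ;;
    *)   printf '\n' ;;
  esac
}

# Print the vault name (first DNS label of the host).
kv_vault_from_id() {
  kv_check_secret_id "$1" || return 1
  host=${1#https://}
  host=${host%%/*}
  printf '%s\n' "${host%%.*}"
}

# The loop from the workaround, without jq. Requires a logged-in az and is
# not executed when this file is sourced; call it as: kv_dump_secrets my-vault
# Output is name=value per line, exactly like the original, so send it
# somewhere with restrictive permissions rather than to a shared terminal log.
kv_dump_secrets() {
  vault=$1
  az keyvault secret list --vault-name "$vault" --query '[].id' -o tsv |
  while IFS= read -r id; do
    name=$(kv_secret_name_from_id "$id") || continue
    value=$(az keyvault secret show --vault-name "$vault" --name "$name" \
              --query value -o tsv) || continue
    printf '%s=%s\n' "$name" "$value"
  done
}
```

Because `kv_secret_name_from_id` strips a trailing version component, the same helper works on ids returned by `az keyvault secret list-versions`, where the jq index-4 trick still works but the version at index 5 is dropped without notice.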

I appreciate the workaround. I had one, but yours is equivalent. I had missed the earlier request for mine.

Repinging on this, @schaabs. Is there an ETA?

I have added a workaround for this issue which is in the above-mentioned PR. I have added an '--id' parameter to secret show/download (as well as other commands where it makes sense) so that you can use the id property of a secret directly rather than having to parse it into vault-name, name and version.

$ az keyvault secret show -h

Command
    az keyvault secret show : Get a specified secret from a given key vault.
        The GET operation is applicable to any secret stored in Azure Key Vault. This operation
        requires the secrets/get permission.
Arguments

Id Arguments
    --id           : Id of the secret.  If specified all other 'Id' arguments should be omitted.
    --name -n      : Name of the secret. Required if --id is not specified.
    --vault-name   : Name of the key vault. Required if --id is not specified.
    --version -v   : The secret version. If omitted, uses the latest version.

Global Arguments
    --debug        : Increase logging verbosity to show all debug logs.
    --help -h      : Show this help message and exit.
    --output -o    : Output format.  Allowed values: json, jsonc, table, tsv, yaml.  Default: json.
    --query        : JMESPath query string. See http://jmespath.org/ for more information and
                     examples.
    --subscription : Name or ID of subscription. You can configure the default subscription using
                     `az account set -s NAME_OR_ID`.
    --verbose      : Increase logging verbosity. Use --debug for full debug logs.

These changes are currently available by installing the keyvault-preview cli extension. You can find instructions on how to install the extension as well as file any issues encountered here: https://github.com/azure/azure-keyvault-cli-extension/

These changes should be released in the next update of the azure-cli-keyvault command module.

Since the PR has been merged, I'm closing this.
