Azure-cli: [RBAC] `az app update` generic arguments do not work

Created on 18 Jul 2018 · 13 Comments · Source: Azure/azure-cli

What if I want to set a value such as a key name (that's in a json list.)? Like so:

```
  "passwordCredentials": [
    {
      "customKeyIdentifier": null,
      "endDate": "2299-12-31T00:00:00Z",
      "keyId": "d7bd63f7-f6e6-4e13-a86d-2b65922a0864",
      "startDate": "2018-07-18T00:25:14.658779Z",
      "value": null
    }
  ],
```


Authorization-cli RBAC


All 13 comments

Sorry I didn't realize that this would open a GitHub bug. However, it would appear that this is not well documented if the capability does exist. I am rather surprised that az ad app create does not appear to have a way to set this but it does have a way to set the password.

¯\_(ツ)_/¯

To add clarity here is my code snippet as well (I have tried several different variations of the following as well):

```
az ad app update `
    --id $AzureResp.appId `
    --set passwordCredentials.0.customKeyIdentifier='GraphKey'
```

As well as the associated error:
```
az : ERROR: Couldn't find '0' in 'passwordCredentials'. 'passwordCredentials' does not support further indexing.
At C:\Users\robert_jackson1\Documents\Scripts\PowerShell\AzureADAutomation.ps1:105 char:9
+ az ad app update `
+ ~~~~~~
    + CategoryInfo : NotSpecified: (ERROR: Couldn't...rther indexing.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
```

```
--set passwordCredentials[0].customKeyIdentifer='blah'
```

You should also be able to use syntax like:
`--set passwordCredentials[keyId='blah'].customKeyIdentifier='foo'` so that you can search for a key value in the list.

@tjprescott I have already tried the first syntax that you have suggested (with the correct spelling of customKeyIdentifier). I will have to try the second recommendation after I get back from lunch.

If you run the first syntax with --debug you can see if your value was correctly set. If nothing happened it doesn't mean the syntax didn't work--it could very well mean that you can't change that property.

The syntax I provided you is correct. The problem here is two-fold. First, there is a bug in the CLI that needs to be fixed. However, this cannot be fixed yet because a bug in the REST API specs will not permit the fix to work. https://github.com/Azure/azure-rest-api-specs/issues/3437

cc/ @yugangw-msft

The generic arguments now work, but I will keep this issue open to remove the workaround once the REST API specs issue is fixed.

@tjprescott when is the documentation going to be updated to reflect this change?

https://docs.microsoft.com/en-us/cli/azure/ad/app

My PR was a bugfix, so the documentation won't change. It ensures that the syntax `--set passwordCredentials[0].customKeyIdentifier='blah'` will work as it should.

However, it won't help your scenario because when I tried to update this parameter I got a service error saying this property can't be updated. That's why the other issue was created in order to support managing key/password credentials, which will fully support your scenario.

Was this issue resolved?

I think there is still a bug in the code: In update_application, if no password is provided, password_credentials will be set to None, causing the generic update --set to fail.

https://github.com/Azure/azure-cli/blob/1c0e9c3e18c34116d5a2e25cb7460d1af8a85969/src/azure-cli/azure/cli/command_modules/role/custom.py#L963

At the same time, updating an existing password credential is not a supported operation by AAD.

When I directly invoke the API with

```
PATCH https://graph.windows.net/{}/applications/{}

{
  "passwordCredentials": [
    {
      "customKeyIdentifier": "//5yAGIACQBjAA==",
      "endDate": "2021-02-18T05:47:34.393950+00:00",
      "keyId": "1d0823d4-ce00-48e4-ace4-4172c0ffa909",
      "startDate": "2020-02-18T05:47:34.393950+00:00",
      "value": null
    }
  ]
}
```

I got 400 Bad Request:

```
{
    "odata.error": {
        "code": "Request_BadRequest",
        "message": {
            "lang": "en",
            "value": "Update to existing credential with KeyId '1d0823d4-ce00-48e4-ace4-4172c0ffa909' is not allowed."
        },
        "requestId": "e4750dca-6e44-4c45-b14b-7dfaf719b018",
        "date": "2020-02-18T07:13:14",
        "values": [
            {
                "item": "PropertyName",
                "value": "passwordCredentials"
            },
            {
                "item": "PropertyErrorCode",
                "value": "KeyNotUpdatable"
            }
        ]
    }
}
```

So fixing this bug in CLI code is meaningless.
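
As an added illustration (not code from this thread or from azure-cli), the Python sketch below models how the two `--set` selector forms quoted in the thread, `[0]` and `[keyId='blah']`, resolve against a credentials list, and why resolution fails once the list has been replaced by `None`. The names `set_path`, `_select` and `APP` are hypothetical, the second `keyId` is a constructed value, and the sketch only changes local JSON: the service-side `KeyNotUpdatable` rejection shown above still applies.

```python
import re

# Simplified model of the two selector forms quoted in the thread:
#   name[0].prop   and   name[key='value'].prop   (values containing '.' are not handled)
_SEGMENT = re.compile(r"^(\w+)(?:\[([^\]]+)\])?$")
_FILTER = re.compile(r"""^(\w+)=(['"]?)(.*)\2$""")


def _select(items, selector, name):
    """Return one list element chosen by integer index or key='value' match."""
    if not isinstance(items, list):
        # Models the failure described when the list was replaced by None.
        raise ValueError(f"'{name}' is {items!r}; [{selector}] needs a list")
    if selector.isdigit():
        return items[int(selector)]
    match = _FILTER.match(selector)
    if not match:
        raise ValueError(f"unsupported selector [{selector}]")
    key, _, wanted = match.groups()
    hits = [item for item in items if str(item.get(key)) == wanted]
    if len(hits) != 1:
        raise ValueError(f"[{selector}] matched {len(hits)} entries in '{name}'")
    return hits[0]


def set_path(obj, path, value):
    """Apply one --set style assignment to a nested dict/list structure."""
    *parents, leaf = path.split(".")
    current = obj
    for segment in parents:
        match = _SEGMENT.match(segment)
        if not match or not isinstance(current, dict) or match[1] not in current:
            raise ValueError(f"cannot resolve '{segment}' in path '{path}'")
        name, selector = match.groups()
        current = current[name]
        if selector is not None:
            current = _select(current, selector, name)
    if not isinstance(current, dict):
        raise ValueError(f"'{leaf}' cannot be set on {type(current).__name__}")
    current[leaf] = value
    return obj


# Constructed sample shaped like the application JSON in the issue.
APP = {"passwordCredentials": [
    {"customKeyIdentifier": None, "keyId": "d7bd63f7-f6e6-4e13-a86d-2b65922a0864"},
    {"customKeyIdentifier": None, "keyId": "00000000-0000-0000-0000-000000000001"},
]}
```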
