Describe the bug
When we use the `az keyvault create --subscription=REQUIRED_SUB` parameter, the KeyVault is created/updated in the correct REQUIRED_SUB. However, the TENANT is set to the tenant id of the current default subscription as reported by `az account show`.
There is a workaround (see below) that is far from ideal as it eliminates the whole purpose and benefits of --subscription parameter which is now thankfully present for all commands.
The impact of this incorrect behaviour is at least a lot of confusion and inability to use KeyVault in Azure Portal due to the message "The directory currently selected differs from this key vault's directory. Some actions will be disabled.". Other functionality also may be affected by this but I don't know.
To Reproduce
The following are the snippets and condensed/redacted outputs as run in bash
```bash
# Current account
az account show
{
  "isDefault": true,
  "name": "SUB_A",
  "tenantId": "TENANT_A"
}

# Show details of another non-default account
az account show --subscription REQUIRED_SUB
{
  "isDefault": false,
  "name": "REQUIRED_SUB",
  "tenantId": "REQUIRED_TENANT"
}

# Create KeyVault in REQUIRED_SUB.
# In theory, this should create it in REQUIRED_TENANT.
az keyvault create \
  --subscription=REQUIRED_SUB \
  --resource-group=some_rg \
  --location=northeurope \
  --name=philip-test-kv

# See details of created KeyVault.
# This shows that the vault is in REQUIRED_SUB, but has the
# TENANT_A which is the tenant of SUB_A.
az keyvault show --subscription=REQUIRED_SUB --name philip-test-kv
{
  "id": "/subscriptions/REQUIRED_SUB/resourceGroups/some_rg/providers/Microsoft.KeyVault/vaults/philip-test-kv",
  "location": "northeurope",
  "name": "philip-test-kv",
  "properties": {
    "tenantId": "TENANT_A",
    "vaultUri": "https://philip-test-kv.vault.azure.net/"
  },
  "resourceGroup": "some_rg",
  "type": "Microsoft.KeyVault/vaults"
}
```
WORKAROUND.
```bash
# The only workaround I found is
# to re-run `az keyvault create` command with the
# default subscription set to the sub in which vault
# is being created. E.g.

# set default sub to REQUIRED_SUB
az account set --subscription=REQUIRED_SUB

# re-run vault create command
az keyvault create \
  --subscription=REQUIRED_SUB \
  --resource-group=some_rg \
  --location=northeurope \
  --name=philip-test-kv

# check details, this now shows correct
az keyvault show --subscription=REQUIRED_SUB --name philip-test-kv
{
  "id": "/subscriptions/REQUIRED_SUB/resourceGroups/some_rg/providers/Microsoft.KeyVault/vaults/philip-test-kv",
  "location": "northeurope",
  "name": "philip-test-kv",
  "properties": {
    "tenantId": "REQUIRED_TENANT",
    "vaultUri": "https://philip-test-kv.vault.azure.net/"
  },
  "resourceGroup": "some_rg",
  "type": "Microsoft.KeyVault/vaults"
}
```
Expected behavior
The expectation is that `az keyvault create --subscription=REQUIRED_SUB` should use and set the tenant id of REQUIRED_SUB as supplied by the `--subscription=REQUIRED_SUB` argument.
Environment summary
OS X, installed via brew, latest version as of 2018-10-18
az --version
azure-cli (2.0.48)
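An added audit check, not part of the original report or of azure-cli: given parsed `az account list` and `az keyvault show` output, it flags vaults whose `properties.tenantId` differs from the tenant of the subscription named in the vault's resource id. The sample JSON is constructed from the redacted values in the report; `other-kv` and the function names are hypothetical.

```python
import json

# Constructed sample data in the shape of `az account list` and
# `az keyvault show` output; placeholder values mirror the report.
# "other-kv" is a hypothetical second vault added for contrast.
ACCOUNTS_JSON = """[
  {"id": "SUB_A", "isDefault": true, "name": "SUB_A", "tenantId": "TENANT_A"},
  {"id": "REQUIRED_SUB", "isDefault": false, "name": "REQUIRED_SUB", "tenantId": "REQUIRED_TENANT"}
]"""
VAULTS_JSON = """[
  {"id": "/subscriptions/REQUIRED_SUB/resourceGroups/some_rg/providers/Microsoft.KeyVault/vaults/philip-test-kv",
   "name": "philip-test-kv", "properties": {"tenantId": "TENANT_A"}},
  {"id": "/subscriptions/SUB_A/resourceGroups/some_rg/providers/Microsoft.KeyVault/vaults/other-kv",
   "name": "other-kv", "properties": {"tenantId": "TENANT_A"}}
]"""


def subscription_of(resource_id):
    """Return the subscription segment of an ARM resource id, or None."""
    parts = resource_id.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1]
    return None


def find_tenant_mismatches(accounts, vaults):
    """List vaults whose properties.tenantId differs from their subscription's tenant."""
    tenant_by_sub = {a["id"].lower(): a["tenantId"] for a in accounts}
    findings = []
    for vault in vaults:
        sub = subscription_of(vault.get("id", ""))
        expected = tenant_by_sub.get(sub.lower()) if sub else None
        actual = (vault.get("properties") or {}).get("tenantId")
        if expected is None:
            status = "unknown-subscription"  # not in the account list: cannot judge
        elif actual is None or actual.lower() != expected.lower():
            status = "mismatch"
        else:
            continue  # vault tenant matches its subscription's tenant
        findings.append({"vault": vault.get("name"), "subscription": sub,
                         "expected": expected, "actual": actual, "status": status})
    return findings


if __name__ == "__main__":
    for finding in find_tenant_mismatches(json.loads(ACCOUNTS_JSON), json.loads(VAULTS_JSON)):
        print(finding)
```
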
@jiasli add to S162.
Similar to #11871, mark it as FeatureRequest temporarily.
@bim-msft how come this is a feature request and not a bug when the command argument is not working properly?