Describe the bug
az webapp config ssl import assumes the key vault is in the resource group of the web app.
An error is output saying that the key vault could not be found within the resource group of the web app.
To Reproduce
az webapp config ssl import --key-vault kv-key-vault --key-vault-certificate-name cert-certificate -n app-web-app -g rg-web-apps
The Resource 'Microsoft.KeyVault/vaults/kv-key-vault' under resource group 'rg-web-app' was not found.
Expected behavior
The certificate should be imported to the web app.
Environment summary
Additional context
I would prefer a required argument of --key-vault-resource-group-name or something similar because I reference a common key vault from many web apps and function apps. This key vault is not in the same resource groups of these web apps and function apps.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI @antcp
We have the same issue; when the key vault is in a different RG (very common, as you want your compute to be torn down easily without impacting config elements) from your web app, this command fails. Setting the RG with -g to the web app RG causes an error that it can't find the keyvault, and vice versa. Note setting "az configure --defaults group" doesn't help.
Just hit the same problem as well, with LetsEncrypt certs in Key Vault in a different RG than the Web Apps.
It would be great to have --key-vault-resource-group option in order to get around this issue.
Same here... I have a key vault that is used cross resource group because it contains the 1 wildcard certificate that I want to bind a number of apps in different resource groups :-(.
Same problem here, looking for that --key-vault-resource-group parameter ;)
One workaround is to download the certificate from the key vault with az keyvault secret download and then upload it with az webapp config ssl upload.
EDIT: or maybe even better, just look for the keyvault in the whole subscription (e.g. az keyvault does not have a --resource-group argument, it is only based on the name of the keyvault).
I think the correct fix is not to require the resource group that the keyvault is in as a parameter at all.
I guess I'll just keep on downloading and uploading the SSL cert in PowerShell scripts until this actually works
The docs on this should clearly call out that the current implementation requires the webapp and the keyvault to be in the same resource group.
@madsd FYI.
Hi all, @collinstevens @tsgenge @jvanderbiest @jsmed-renson @gavinbarron
The key vault does not have to be in the same resource group as the web app. The --key-vault parameter accepts both a name (then it needs to be in same resource group) or a resource id (then it can be in any resource group or subscription). This is also mentioned in the documentation - how can I make this more clear? More examples, better naming?
@madsd I think we all missed that value since the majority of samples don't touch on using resource IDs. In fact, I don't think I've ever used one of them (but will now!) since the description for it seemed...complex?
For other commands, I never clued in what --ids: "One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. If provided, no other 'Resource Id' arguments should be specified." meant.
@derekmckinnon - I think we need to make some changes to the command then. Because it is not the --ids, but the --key-vault parameter, that can accept both a name and an id. E.g. az webapp config ssl import -g myGroup -n myWebApp --key-vault /subscriptions/xxxxxxxx-3304-4890-82af-ec04cb38xxxx/resourceGroups/otherGroup/providers/Microsoft.KeyVault/vaults/myKeyVault --key-vault-certificate-name myCert
I would like input/ideas from the people on this thread. Should the parameter "key-vault" be split in key-vault-name and key-vault-id (validating that only one is provided). I can also add a --key-vault-resource-group, but then also need to add --key-vault-subscription for completeness? Let me know your thoughts.
I can also add an example in the help text; or throw a warning when a key vault is not found in the current resource group and suggest to provide a specific resource id. Many options :-)
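The name-or-resource-ID behaviour of --key-vault described above, as an added shell example that is not part of the azure-cli project: it composes the Key Vault resource ID for a vault in another resource group (or subscription), classifies a given --key-vault value as name or ID, and assembles the import command. The subscription id, resource group and vault names are constructed sample values, and AZ_RUN is an assumed switch that actually invokes az.

```shell
#!/bin/sh
# Added example (not azure-cli project code): build the Key Vault resource ID
# that `az webapp config ssl import --key-vault` accepts when the vault is not
# in the web app's resource group.
set -eu

# Returns 0 when the value already has the shape of a Key Vault ARM resource ID,
# 1 when it is a bare vault name (which the CLI resolves by name).
kv_is_resource_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.KeyVault/vaults/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compose the full resource ID from subscription id, resource group and vault name.
kv_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' \
    "$1" "$2" "$3"
}

# Resolve what to pass to --key-vault: an ID is passed through unchanged; a name
# is expanded to an ID when the vault's resource group ($3) is known, otherwise
# the bare name is kept and the CLI resolves it.
kv_reference() {
  if kv_is_resource_id "$1"; then printf '%s' "$1"
  elif [ -n "${3:-}" ]; then kv_resource_id "$2" "$3" "$1"
  else printf '%s' "$1"
  fi
}

# Print the import command (dry run); with AZ_RUN=1 execute it instead.
ssl_import() {
  app_rg="$1"; app_name="$2"; kv_ref="$3"; cert_name="$4"
  if [ "${AZ_RUN:-0}" = 1 ]; then
    az webapp config ssl import -g "$app_rg" -n "$app_name" \
      --key-vault "$kv_ref" --key-vault-certificate-name "$cert_name"
  else
    printf 'az webapp config ssl import -g %s -n %s --key-vault %s --key-vault-certificate-name %s\n' \
      "$app_rg" "$app_name" "$kv_ref" "$cert_name"
  fi
}

# Constructed sample values: a shared vault in rg-shared-kv, web app in rg-web-apps.
SAMPLE_SUB="00000000-0000-0000-0000-000000000000"
KV_REF=$(kv_reference kv-key-vault "$SAMPLE_SUB" rg-shared-kv)
ssl_import rg-web-apps app-web-app "$KV_REF" cert-certificate
```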
I'll freely admit that I missed the fact that the docs do say that --key-vault is a name or resourceId. Personally I think that's confusing and easy to miss; however, having a clear example call that uses that format would go a long way to improving the docs on this and should be done immediately.
Altering the parameter list to have explicit name/id parameters could be a good idea too, although I'd want to retain the --key-vault as is to avoid breaking changes.
Hi @madsd , thanks for looking into this!
I've missed it too, and frankly, I've never worked with a resource ID. I find it more convenient to use the name in deployment scripts, as I know it before execution.
As mentioned, I would suggest looking for the keyvault with the given name in the whole subscription. It's the easiest to use and it is consistent with the az keyvault commands (e.g. az keyvault secret show) where you don't have to give the resource group of the keyvault. The (optional) --key-vault-subscription might be a good idea to cover the cases where the key vault is not in the same/default subscription.
Thank you for your comments @jsmed-renson, @gavinbarron, @derekmckinnon .
Based on that I have drafted a modification to the command, where it looks for the key vault in the full subscription in context. If it does not find it, it will throw a warning saying:
_The Key Vault 'my-cert' was not found in the subscription in context. If your Key Vault is in a different subscription, please specify the full Resource ID:
az .. ssl import -n weu-madsd -g webapp-global --key-vault-certificate-name test --key-vault /subscriptions/[sub id]/resourceGroups/[rg]/providers/Microsoft.KeyVault/vaults/my-cert_
I also added an additional example to the docs and help text:
Import an SSL certificate to a web app from Key Vault using resource id (typically if Key Vault is in another subscription).
az webapp config ssl import --resource-group MyResourceGroup --name MyWebapp --key-vault /subscriptions/[sub id]/resourceGroups/[rg]/providers/Microsoft.KeyVault/vaults/[vault name] --key-vault-certificate-name MyCertificateName
Let me know your thoughts - if I have not heard from you by the end of next week, I will submit the PR.
@panchagnula fyi
@madsd, thanks for the improvement. I do wonder, how secure is using the Id? It feels like something I wouldn't want to include in my scripts, similar to the reason you didn't include it in your example, I presume.
Doc improvement would be to update the --resource-group description from "Name of resource group. You can configure the default group using az configure --defaults group=
Hi @awentzel, the change also includes an improvement that it will look for the key vault across the same subscription and not just the web resource group. So the resource id for Key Vault is only necessary if the kv is in another subscription. In that case, you will have to specify the subscription id as part of the resource id. Regarding security, it still has full security in the sense that the executor needs Contributor permissions on the Key Vault and an Access policy for the Microsoft.Azure.WebSites SPN needs to be in place. The Id would probably be an input parameter to a given script anyways, but I would not consider it a direct security issue. And thank you for the doc tip, I will keep that in mind for the next update of the script.
@panchagnula This can be closed as the changes were merged yesterday.
Thanks @madsd next time can you make sure to include the issue# in the title so that the issue gets auto-closed after merged (Ex. [ARM] Fix #10246: az resource tag crashes when the parameter --ids passed in is resource group ID)
Thanks guys, a good balanced solution. Appreciate the help, and it's great to see the feedback system being so transparent with the users.
@madsd Hi, this command seems to be in preview at the moment, is there an ETA for the GA of this? We cannot use preview features in production. Thank you
Hi @abrignola - ETA is when we have the next natural update. Currently it is considered stable, and we just need to remove the Preview flag. If either @panchagnula or @Kotasudhakarreddy makes changes to App Service CLI first, they are welcome to remove the flag as well.