Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

az apim nv doesn't provide parameters for configuring Key Vault secrets #27822

Open
jamesmcroft opened this issue Nov 10, 2023 · 8 comments
Open

az apim nv doesn't provide parameters for configuring Key Vault secrets #27822

jamesmcroft opened this issue Nov 10, 2023 · 8 comments
Labels
API Management az apim Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot bug This issue requires a change to an existing behavior in the product in order to be resolved. Service Attention This issue is responsible by Azure service team.

Comments

@jamesmcroft
Copy link
Member

Describe the bug

When using the Azure CLI, it is not currently possible to configure a named variable within API Management that uses Azure Key Vault secret values.

This functionality exists at the REST API documented here but appears to be missing as a parameter in the CLI specifically.

Related command

az apim nv

Errors

ERROR: unrecognized arguments: --keyvault {

Examples from AI knowledge base:
az apim nv create --service-name MyApim --resource-group MyResourceGroup --named-value-id MyNamedValue --display-name 'My Named Value' --value 'foo'
Create a Named Value.

az apim nv create --display-name 'My Named Value' --named-value-id MyNamedValue --resource-group MyResourceGroup --secret true --service-name MyApim --value 'foo'
Create an API Management Named Value. (autogenerated)

https://docs.microsoft.com/en-US/cli/azure/apim/nv#az_apim_nv_create
Read more about the command in reference docs

Issue script & Debug output

$keyVaultContract = @{
        identityClientId = $managedIdentityClientId
        secretIdentifier = $secretIdentifier
    } | ConvertTo-Json
 
az apim nv create --resource-group $resourceGroup --service-name $apiManagement --named-value-id $nvName --display-name $nvName --keyvault $keyVaultContract --debug

ERROR: unrecognized arguments: --keyvault {

Examples from AI knowledge base:
az apim nv create --service-name MyApim --resource-group MyResourceGroup --named-value-id MyNamedValue --display-name 'My Named Value' --value 'foo'
Create a Named Value.

az apim nv create --display-name 'My Named Value' --named-value-id MyNamedValue --resource-group MyResourceGroup --secret true --service-name MyApim --value 'foo'
Create an API Management Named Value. (autogenerated)

https://docs.microsoft.com/en-US/cli/azure/apim/nv#az_apim_nv_create
Read more about the command in reference docs

Expected behavior

When providing a Key Vault contract object as described in the REST API documentation for API Management named variables, the CLI should accept this value and configure the named variable in Azure.

Environment Summary

azure-cli 2.53.0 *

core 2.53.0 *
telemetry 1.1.0

Extensions:
resource-graph 2.1.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\jamescroft.azure\cliextensions'

Python (Windows) 3.10.10 (tags/v3.10.10:aad5f6a, Feb 7 2023, 17:20:36) [MSC v.1929 64 bit (AMD64)]

Additional context

No response
@jamesmcroft jamesmcroft added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Nov 10, 2023
@azure-client-tools-bot-prd azure-client-tools-bot-prd
Copy link

Hi @jamesmcroft,

2.53.0 is not the latest Azure CLI(2.53.1).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

@azure-client-tools-bot-prd azure-client-tools-bot-prd bot added the Auto-Resolve Auto resolve by bot label Nov 10, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot Service Attention This issue is responsible by Azure service team. API Management az apim labels Nov 10, 2023
@yonzhan
Copy link
Collaborator

yonzhan commented Nov 10, 2023

Thank you for opening this issue, we will look into it.

@jamesmcroft
Copy link
Member Author

More than happy to help contribute to fixing this if needed.

@jamesmcroft
Copy link
Member Author

I wanted to also add here, I'm finding myself needing to use az rest for a lot of the supported APIs for APIM (e.g., backends, policies, etc.) which are not available in the az apim CLI

@aldodfm
Copy link

aldodfm commented Nov 16, 2023

same here!
i was looking to update some name values using az cli and link a keyvault secret...:
az apim nv update --service-name "z-xxx-xxx-dv-ew-apim02" -g "z-xxx-xxx-dv01-ew-01" --named-value-id "mapping"
and there is no way to do it :s

@jamesmcroft
Copy link
Member Author

jamesmcroft commented Nov 16, 2023
edited
Loading

same here! i was looking to update some name values using az cli and link a keyvault secret...: az apim nv update --service-name "z-xxx-xxx-dv-ew-apim02" -g "z-xxx-xxx-dv01-ew-01" --named-value-id "mapping" and there is no way to do it :s

@aldodfm

You can use az rest to do the update, but it does require you to construct the request body.

The endpoint is as follows replacing any $ prefix parts with your specific deployment: https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.ApiManagement/service/$apiManagement/namedValues/$namedValue?api-version=2022-08-01

The request body is simply a JSON object representing:

{
    "properties": {
        "displayName": "$namedValue",
        "secret": true,
        "keyVault": {
            "identityClientId": "$managedIdentityClientId",
            "secretIdentifier": "$keyVaultSecretUri"
        }
    }
}

The CLI to call is: az rest --uri $endpoint --method PUT --body $requestBody --headers "Content-Type=application/json"

Not the most elegant, but does allow you to stay in the flow using the Azure CLI.

@RobBowman
Copy link

@jamesmcroft I have a problem when implementing the suggested work-around: https://stackoverflow.com/questions/78298862/az-cli-to-create-an-apim-named-value-that-references-a-key-vault-secret.

Would be grateful for any pointers.

@kristianschneider
Copy link

Hi @yonzhan
Whats the status on this ? Would be nice to be able to unify the interaction with APIM using az commands

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
API Management az apim Auto-Assign Auto assign by bot Auto-Resolve Auto resolve by bot bug This issue requires a change to an existing behavior in the product in order to be resolved. Service Attention This issue is responsible by Azure service team.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@aldodfm @RobBowman @kristianschneider @jamesmcroft @yonzhan