Get-AzKeyVaultSecret: Operation get is not allowed on a disabled secret #15378

Closed
ktdixit opened this issue Jun 30, 2021 · 7 comments
Labels
customer-reported KeyVault needs-author-feedback More information is needed from author to address the issue. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that


ktdixit commented Jun 30, 2021

Get-AzKeyVaultSecret -VaultName $keyVaultName

Error:
2021-06-30T12:20:46.1348367Z ##[error]Operation returned an invalid status code 'Forbidden'
Code: Forbidden
Message: Operation get is not allowed on a disabled secret.
2021-06-30T12:20:46.3023398Z ##[error]PowerShell exited with code '1'.

Note: I am running this command in Azure DevOps (Azure PowerShell), which has Get, List, Set permissions in the Key Vault access policies (PermissionsToKeys and PermissionsToSecrets).

@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported labels Jun 30, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jul 1, 2021
@dingmeng-xue
Member

Thanks for reporting. We will look into it.

@BethanyZhou
Contributor

BethanyZhou commented Jul 1, 2021

Hi @ktdixit, what version of Az.KeyVault are you using? I remember we fixed this issue in #14740; please try Az.KeyVault>=3.4.3.

@dingmeng-xue dingmeng-xue added the needs-author-feedback More information is needed from author to address the issue. label Jul 1, 2021
@ktdixit
Author

ktdixit commented Jul 1, 2021

I am using the Azure PowerShell task 5.x in Azure Pipelines. I want to get only the enabled secrets and the names of the disabled secrets (so that we will know which ones are disabled).

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Jul 1, 2021
@BethanyZhou
Contributor

BethanyZhou commented Jul 1, 2021

Thanks for your quick response.

I recommend using our latest Azure PowerShell version, as follows:
image

The latest Az PowerShell supports what you want to do:
image

@BethanyZhou BethanyZhou added needs-author-feedback More information is needed from author to address the issue. and removed needs-team-attention This issue needs attention from Azure service team or SDK team labels Jul 1, 2021
@ktdixit
Author

ktdixit commented Jul 1, 2021

@BethanyZhou thanks for your response. I can get the secret names and status (true or false) using Get-AzKeyVaultSecret -VaultName $(keyVaultName) with Azure PowerShell version 6.1.0 (specific version), but it doesn't skip disabled secrets. The entire pipeline fails.
Scenario: I have 50+ secrets in a key vault and the 15th secret is disabled; it doesn't move on to the next secret for printing.

Here is my code. Am I missing any parameter?

Get-AzKeyVaultSecret -VaultName $(keyVaultName) -AsPlainText | Foreach-Object {
  $secret = Get-AzKeyVaultSecret -VaultName $(keyVaultName) -Name $_.Name -AsPlainText
  @{
    "Value" = $secret; "Name" = $_.Name
  }
}
Error:
##[error]Operation returned an invalid status code 'Forbidden'
Code: Forbidden
Message: Operation get is not allowed on a disabled secret.
2021-07-01T17:18:35.7987139Z ##[error]PowerShell exited with code '1'.
2021-07-01T17:18:36.6177123Z ##[section]Finishing: AzureDevOps Account - Get Keyvault Secret

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Jul 1, 2021
@BethanyZhou
Contributor

BethanyZhou commented Jul 2, 2021

Hi @ktdixit,

Thanks for sharing further information.

I believe the error is from $secret = Get-AzKeyVaultSecret -VaultName $(keyVaultName) -Name $_.Name -AsPlainText. We are not allowed to perform a Get operation on a disabled secret.

As you said you only want to get the names of disabled secrets, I suggest the following code:

Get-AzKeyVaultSecret -VaultName $(keyVaultName) | Foreach-Object {
  if($_.Enabled){
    $secret = Get-AzKeyVaultSecret -VaultName $(keyVaultName) -Name $_.Name -AsPlainText
    @{"Value" = $secret; "Name" = $_.Name}
  }else{
    @{"Value" = "None"; "Name" = $_.Name}
  }
}

@BethanyZhou BethanyZhou added needs-author-feedback More information is needed from author to address the issue. and removed needs-team-attention This issue needs attention from Azure service team or SDK team labels Jul 2, 2021
@ktdixit
Author

ktdixit commented Jul 2, 2021

@BethanyZhou works perfectly fine. Thank you so much for your help. Much appreciated

@ktdixit ktdixit closed this as completed Jul 2, 2021
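
A variant of the Enabled check suggested in the thread, as an added example that is not part of the original discussion or the Az.KeyVault project: it also catches per-secret failures so the run continues, and it reports only names and status so plaintext values stay out of the pipeline log. The function name Get-VaultSecretInventory and the vault name example-vault are assumptions.

```powershell
# Added example. Assumes the Az.KeyVault module and an authenticated context
# (Connect-AzAccount or the pipeline's service connection).
function Get-VaultSecretInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $VaultName   # hypothetical parameter name for this example
    )

    # The list call returns metadata only (Name, Enabled, ...) for every
    # secret, disabled ones included, so it is safe to enumerate first.
    foreach ($item in Get-AzKeyVaultSecret -VaultName $VaultName) {
        $status = 'Disabled'
        $value  = $null

        if ($item.Enabled) {
            try {
                # -ErrorAction Stop turns a per-secret failure into a catchable
                # exception, so one bad secret does not end the whole run.
                $value  = Get-AzKeyVaultSecret -VaultName $VaultName -Name $item.Name -AsPlainText -ErrorAction Stop
                $status = 'Retrieved'
            }
            catch {
                $status = "Failed: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Name    = $item.Name
            Enabled = $item.Enabled
            Status  = $status
            Value   = $value      # plaintext: keep in memory, do not write it to the log
        }
    }
}

$inventory = Get-VaultSecretInventory -VaultName 'example-vault'   # constructed vault name

# Report names and status only, so no secret value reaches the pipeline log.
$inventory | Select-Object Name, Enabled, Status | Format-Table -AutoSize

# Names of the disabled secrets, which is what the original question asked for.
$inventory | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Name }
```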