Set-AzKeyVaultAccessPolicy - "all","purge" permissions bug #15844

Closed
pmsousa opened this issue Sep 8, 2021 · 11 comments
Assignees
Labels
customer-reported KeyVault needs-team-attention This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention This issue is responsible by Azure service team. Service This issue points to a problem in the service.

Comments


pmsousa commented Sep 8, 2021

Description

Set-AzKeyVaultAccessPolicy with "all" should allow setting all permissions, including "purge", or @("all","purge") should be accepted as valid. The second option is preferable because "purge" is a privileged permission and should be treated as such.

At this moment, to set all permissions and also purge, we have to fall back to enumerating all the options. This was first reported in feature request #12722 and

Steps to reproduce

Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectID $id -PermissionsToKeys 'all' -PermissionsToSecrets 'all' -PermissionsToCertificates 'all'

(Get-AzKeyVault -VaultName $vaultName).AccessPolicies

This will result in all the permissions to be set except purge.

    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectID $group.id `
        -PermissionsToKeys ('decrypt','encrypt','unwrapKey','wrapKey','verify','sign','get','list','update','create','import','delete','backup','restore','recover','purge') `
        -PermissionsToSecrets ('get','list','set','delete','backup','restore','recover','purge') `
        -PermissionsToCertificates ('get','list','delete','create','import','update','managecontacts','getissuers','listissuers','setissuers','deleteissuers','manageissuers','recover','purge','backup','restore')


(Get-AzKeyVault -VaultName $vaultName).AccessPolicies

This will result in all the permissions, including purge, to be set.

Desired solution

Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectID $id -PermissionsToKeys 'all','purge' -PermissionsToSecrets 'all','purge' -PermissionsToCertificates 'all','purge'

(Get-AzKeyVault -VaultName $vaultName).AccessPolicies
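The workaround the report describes, written up as an added example (not code from the issue or the Az module): the 'all' shorthand is expanded into the explicit per-category lists quoted above, 'purge' is only included when requested explicitly since it is a privileged permission, and the policy is read back to confirm purge was persisted for the principal. $vaultName and $objectId are placeholders; Expand-KeyVaultPermissions and Test-PurgeGranted are hypothetical helper names.

```powershell
# Explicit permission sets as enumerated in the issue's workaround (without purge).
$AllPermissions = @{
    Keys         = @('decrypt','encrypt','unwrapKey','wrapKey','verify','sign','get','list','update','create','import','delete','backup','restore','recover')
    Secrets      = @('get','list','set','delete','backup','restore','recover')
    Certificates = @('get','list','delete','create','import','update','managecontacts','getissuers','listissuers','setissuers','deleteissuers','manageissuers','recover','backup','restore')
}

function Expand-KeyVaultPermissions {
    # Replaces 'all' with the enumerated list; 'purge' is added only when listed explicitly.
    param([string[]]$Requested, [string[]]$Enumerated)
    $result = [System.Collections.Generic.List[string]]::new()
    foreach ($p in $Requested) {
        if ($p -eq 'all') {
            foreach ($e in $Enumerated) { if ($e -notin $result) { $result.Add($e) } }
        } elseif ($p -notin $result) {
            $result.Add($p)
        }
    }
    return $result.ToArray()
}

function Test-PurgeGranted {
    # Reads the vault's access policies back and reports per category whether purge is present
    # for the given principal. Hypothetical helper, not part of Az.KeyVault.
    param([string]$VaultName, [string]$ObjectId)
    $policy = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
        Where-Object { $_.ObjectId -eq $ObjectId }
    [pscustomobject]@{
        Keys         = 'purge' -in $policy.PermissionsToKeys
        Secrets      = 'purge' -in $policy.PermissionsToSecrets
        Certificates = 'purge' -in $policy.PermissionsToCertificates
    }
}

$vaultName = '<vault-name>'            # placeholder
$objectId  = '<principal-object-id>'   # placeholder

$keys  = Expand-KeyVaultPermissions -Requested @('all','purge') -Enumerated $AllPermissions.Keys
$secr  = Expand-KeyVaultPermissions -Requested @('all','purge') -Enumerated $AllPermissions.Secrets
$certs = Expand-KeyVaultPermissions -Requested @('all','purge') -Enumerated $AllPermissions.Certificates

Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $objectId `
    -PermissionsToKeys $keys -PermissionsToSecrets $secr -PermissionsToCertificates $certs

# Every field should read True once purge has been persisted.
Test-PurgeGranted -VaultName $vaultName -ObjectId $objectId
```

Because each category is written as a fully enumerated array rather than the 'all' shorthand, the resulting policy also shows up with every checkbox, purge included, in clients that expect each permission listed.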
@pmsousa pmsousa added the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Sep 8, 2021
@ghost ghost added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported labels Sep 8, 2021
@dingmeng-xue dingmeng-xue added KeyVault and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Sep 9, 2021

isra-fel commented Sep 9, 2021

Hey @pmsousa , thanks for reaching out to us!
I just tested the -PermissionsToKeys 'all','purge' solution and it worked on Az.KeyVault 3.5.0:

PS C:\> Set-AzKeyVaultAccessPolicy -VaultName *** -ResourceGroupName *** -UserPrincipalName '***@microsoft.com' -PermissionsToKeys all,purge -PermissionsToSecrets get -PermissionsToCertificates get
PS C:\> Get-AzKeyVault -VaultName ***
......
Access Policies                     :
                                      Tenant ID                                  : 72f988bf-86f1-41af-91ab-2d7cd011db47
                                      Object ID                                  : ***
                                      Application ID                             :
                                      Display Name                               : *** (***@microsoft.com)
                                      Permissions to Keys                        : all, purge        <----------- here
                                      Permissions to Secrets                     : get
                                      Permissions to Certificates                : get
                                      Permissions to (Key Vault Managed) Storage :

If you are using a previous version could you update and try it again? And if the problem still reproduces please share the debug log with us by running $DebugPreference = 'Continue' at the beginning of the script. Thanks.

@isra-fel isra-fel added the needs-author-feedback More information is needed from author to address the issue. label Sep 9, 2021

pmsousa commented Sep 9, 2021

Hey @isra-fel

I've checked my Az modules and I had Az.KeyVault 3.4.5. I've updated the module and the problem persists.

Module versions:

Get-Module -ListAvailable '*Az*' | Select Name, Version

Name Version


Az 6.4.0
Az.Accounts 2.5.3
Az.Advisor 1.1.1
Az.Aks 2.4.0
Az.AnalysisServices 1.1.4
Az.ApiManagement 2.3.0
Az.AppConfiguration 1.0.0
Az.ApplicationInsights 1.2.0
Az.Automation 1.7.1
Az.Batch 3.1.0
Az.Billing 2.0.0
Az.Cdn 1.8.0
Az.CognitiveServices 1.9.0
Az.Compute 4.17.0
Az.ContainerInstance 2.1.0
Az.ContainerRegistry 2.2.3
Az.CosmosDB 1.3.1
Az.DataBoxEdge 1.1.0
Az.Databricks 1.1.0
Az.DataFactory 1.14.0
Az.DataLakeAnalytics 1.0.2
Az.DataLakeStore 1.3.0
Az.DataShare 1.0.0
Az.DeploymentManager 1.1.0
Az.DesktopVirtualization 3.0.0
Az.DevTestLabs 1.0.2
Az.Dns 1.1.2
Az.EventGrid 1.3.0
Az.EventHub 1.8.0
Az.FrontDoor 1.8.0
Az.Functions 3.1.0
Az.HDInsight 4.3.0
Az.HealthcareApis 1.3.1
Az.IotHub 2.7.3
Az.KeyVault 3.5.0
Az.Kusto 2.0.0
Az.LogicApp 1.5.0
Az.MachineLearning 1.1.3
Az.Maintenance 1.1.1
Az.ManagedServices 2.0.0
Az.MarketplaceOrdering 1.0.2
Az.Media 1.1.1
Az.Migrate 1.1.1
Az.Monitor 2.7.0
Az.Network 4.11.0
Az.NotificationHubs 1.1.1
Az.OperationalInsights 2.3.0
Az.PolicyInsights 1.4.1
Az.PowerBIEmbedded 1.1.2
Az.PrivateDns 1.0.3
Az.RecoveryServices 4.6.0
Az.RedisCache 1.5.0
Az.RedisEnterpriseCache 1.0.0
Az.Relay 1.0.3
Az.ResourceMover 1.0.0
Az.Resources 4.3.1
Az.Security 1.0.0
Az.SecurityInsights 1.1.0
Az.ServiceBus 1.5.0
Az.ServiceFabric 3.0.1
Az.SignalR 1.3.0
Az.Sql 3.5.0
Az.SqlVirtualMachine 1.1.0
Az.Storage 3.11.0
Az.StorageSync 1.6.0
Az.StreamAnalytics 2.0.0
Az.Support 1.0.0
Az.Tools.Predictor 0.3.0
Az.TrafficManager 1.0.4
Az.Websites 2.8.2
AzureAD 2.0.2.128
AzureAD 2.0.2.128


Executing:

Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectID $group.id -PermissionsToKeys all,purge -PermissionsToSecrets all,purge -PermissionsToCertificates all,purge

Results in:

[image: screenshot of the resulting access policy]

@ghost ghost added needs-team-attention This issue needs attention from Azure service team or SDK team and removed needs-author-feedback More information is needed from author to address the issue. labels Sep 9, 2021

isra-fel commented Sep 10, 2021

According to my test, after the Set-AzKeyVaultAccessPolicy cmdlet, the permissions have been correctly set to "all","purge". If you inspect the vault via Get-AzKeyVault the permissions are updated, and if you try to purge a key it works.
The only issue here is that the Azure Portal doesn't seem to respect this combination of permissions.

@isra-fel

@jlichwa Hi Jack, we have an issue when you set the access policy of a vault to "all","purge" via PowerShell (in fact, via REST API), in Azure Portal, the checkbox of "Purge" is not checked.
Could you help involve the correct team? Thanks


jlichwa commented Sep 10, 2021

@qinl-li can you take a look. It seems like 'all' is missing purge.
[image: screenshot]

@isra-fel isra-fel added Service This issue points to a problem in the service. Service Attention This issue is responsible by Azure service team. labels Sep 13, 2021

ghost commented Sep 13, 2021

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.


@sebansal

This is by design: the 'purge' permission should be granted with caution.


jlichwa commented Oct 29, 2021

@sebansal the problem here is that even when customer wants to set purge for their administrator it does not work through our API.

set the access policy of a vault to "all","purge" via PowerShell (in fact, via REST API), in Azure Portal, the checkbox of "Purge" is not checked.


isra-fel commented Nov 1, 2021

I'm pretty sure the issue was that the portal GUI could not handle the combination of "all" and "purge", while the API handled it well.


qinl-li commented Nov 1, 2021

Yes. Portal doesn't understand when it returned keys: ["all"]. It expects an array with each permission listed. I will get it fixed.

@isra-fel isra-fel assigned qinl-li and unassigned isra-fel Nov 10, 2021

qinl-li commented Nov 18, 2021

The fix is rolling to prod.

@qinl-li qinl-li closed this as completed Nov 18, 2021