Keyvault Certificate Contact powershell doesn't work #19531

Closed
B0na5 opened this issue Sep 20, 2022 · 3 comments · Fixed by #19558
Labels: bug (This issue requires a change to an existing behavior in the product in order to be resolved), customer-reported, KeyVault

B0na5 commented Sep 20, 2022

Description

Unable to add, get, or remove email addresses using the Add-AzKeyVaultCertificateContact cmdlet.
If I run the cmd:
Add-AzKeyVaultCertificateContact -VaultName mykvt01
It will prompt for an email address to add. It continually asks for more and more emails. As soon as you don't put an email in, it will fail with object reference not set to an instance of an object.

I cannot even use the Get-AzKeyVaultCertificateContact cmdlet to see emails already added manually by the GUI.

Issue script & Debug output

PS C:\Users\david> $DebugPreference='Continue'

PS C:\Users\david> Add-AzKeyVaultCertificateContact -VaultName mykvt01
cmdlet Add-AzKeyVaultCertificateContact at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
EmailAddress[0]: test@outlook.com
EmailAddress[1]: test2@outlook.com
EmailAddress[2]: test3@outlook.com
EmailAddress[3]: 
DEBUG: 9:20:10 AM - AddAzureKeyVaultCertificateContact begin processing with ParameterSet 'Interactive'.
DEBUG: 9:20:10 AM - using account id '[email protected]'...
DEBUG: 9:20:10 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: '[email protected]', environment: 'AzureCloud', tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1'
DEBUG: 9:20:10 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'943e6074-9b1a-46fs-9h61-6ccbf404ebr1', Scopes:'https://vault.azure.net/.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - beb17bd8-6f28-410b-ae3c-02064b3dd5a5] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88] Found 5 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88] Returning 5 accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] MSAL MSAL.Desktop with assembly version '4.39.0.0'. CorrelationId(af01d8a5-854e-4e60-aa0c-27cdf07f0be3)
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] LoginHint provided: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] Account provided: True
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] ForceRefresh: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] 
=== Request Data ===
Authority Provided? - True
Scopes - https://vault.azure.net/.default
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - af01d8a5-854e-4e60-aa0c-27cdf07f0be3
UserAssertion set: False
LongRunningOboCacheKey set: False

DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.88 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] === Token Acquisition (SilentRequest) started:
	 Scopes: https://vault.azure.net/.default
	Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] Access token is not expired. Returning the found cache entry. [Current time (09/20/2022 23:20:10) - Expiration Time (09/21/2022 00:32:45 +00:00) - Extended Expiration Time (09/21/2022 00:32:45 +00:00)]
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] Fetched access token from host login.microsoftonline.com. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3] 
	=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:10.89 - af01d8a5-854e-4e60-aa0c-27cdf07f0be3]  AT expiration time: 21/09/2022 12:32:45 AM +00:00, scopes https://vault.azure.net/user_impersonation https://vault.azure.net/.default source Cache from login.microsoftonline.com appHashCode 34311014
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:  ExpiresOn: 2022-09-21T00:32:45.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1', UserId: '[email protected]'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://mykvt01.vault.azure.net//certificates/contacts?api-version=7.0

Headers:
x-ms-client-request-id        : 7c6db135-411f-4d53-be5e-936911d98356
accept-language               : en-US

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Pragma                        : no-cache
x-ms-keyvault-region          : Australia East
x-ms-client-request-id        : 7c6db135-411f-4d53-be5e-936911d98356
x-ms-request-id               : e804065f-1feb-4c3d-9e00-aac131c9eb62
x-ms-keyvault-service-version : 1.9.538.1
x-ms-keyvault-network-info    : conn_type=Ipv4;addr=10.10.10.10;act_addr_fam=InterNetwork;
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000;includeSubDomains
Cache-Control                 : no-cache
Date                          : Tue, 20 Sep 2022 23:20:10 GMT

Body:
{
  "error": {
    "code": "Forbidden",
    "message": "The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=f960e666-c8ba-44f9-807f-cbab773b9047;numgroups=10;iss=https://sts.windows.net/943e6074-9b1a-4623-9f91-6ccbf959ebd1/' does not have certificates managecontacts permission on key vault 'mykvt01;location=AustraliaEast'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287",
    "innererror": {
      "code": "AccessDenied"
    }
  }
}


DEBUG: 9:20:11 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Add-AzKeyVaultCertificateContact : Object reference not set to an instance of an object.
At line:1 char:1
+ Add-AzKeyVaultCertificateContact -VaultName mykvt01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Add-AzKeyVaultCertificateContact], NullReferenceException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultCertificateContact
 
DEBUG: 9:20:11 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.KeyVault:4.7.0; CommandName: Add-AzKeyVaultCertificateContact; PSVersion: 5.1.19041.1682; IsSuccess: False; Duration: 00:00:00.3332798; Exception: Object reference not set to an instance of an object.;
DEBUG: Finish sending metric.
DEBUG: 9:20:11 AM - AddAzureKeyVaultCertificateContact end processing.

PS C:\Users\david> Get-AzKeyVaultCertificateContact -VaultName mykvt01
DEBUG: 9:20:18 AM - GetAzureKeyVaultCertificateContact begin processing with ParameterSet 'VaultName'.
DEBUG: 9:20:18 AM - using account id '[email protected]'...
DEBUG: 9:20:18 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: '[email protected]', environment: 'AzureCloud', tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1'
DEBUG: 9:20:18 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'943e6074-9b1a-46fs-9h61-6ccbf404ebr1', Scopes:'https://vault.azure.net/.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - d3e4623b-2e0a-4a1a-8714-6244e166ba29] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23] Found 5 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23] Returning 5 accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] MSAL MSAL.Desktop with assembly version '4.39.0.0'. CorrelationId(e758ed88-c377-492a-b7c4-7e555425f06d)
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] LoginHint provided: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] Account provided: True
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] ForceRefresh: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] 
=== Request Data ===
Authority Provided? - True
Scopes - https://vault.azure.net/.default
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - e758ed88-c377-492a-b7c4-7e555425f06d
UserAssertion set: False
LongRunningOboCacheKey set: False

DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] === Token Acquisition (SilentRequest) started:
	 Scopes: https://vault.azure.net/.default
	Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] Access token is not expired. Returning the found cache entry. [Current time (09/20/2022 23:20:18) - Expiration Time (09/21/2022 00:32:45 +00:00) - Extended Expiration Time (09/21/2022 00:32:45 +00:00)]
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] Fetched access token from host login.microsoftonline.com. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d] 
	=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:18.23 - e758ed88-c377-492a-b7c4-7e555425f06d]  AT expiration time: 21/09/2022 12:32:45 AM +00:00, scopes https://vault.azure.net/user_impersonation https://vault.azure.net/.default source Cache from login.microsoftonline.com appHashCode 44880374
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:  ExpiresOn: 2022-09-21T00:32:45.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1', UserId: '[email protected]'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://mykvt01.vault.azure.net//certificates/contacts?api-version=7.0

Headers:
x-ms-client-request-id        : 05635e96-057b-47a7-aj30-5dd35g0lc9dc
accept-language               : en-US

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Pragma                        : no-cache
x-ms-keyvault-region          : Australia East
x-ms-client-request-id        : 05635e96-057b-47a7-aj30-5dd35g0lc9dc
x-ms-request-id               : 6019c7c7-88c4-49f9-ac43-bc7bj7j2c243
x-ms-keyvault-service-version : 1.9.538.1
x-ms-keyvault-network-info    : conn_type=Ipv4;addr=10.10.10.10;act_addr_fam=InterNetwork;
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000;includeSubDomains
Cache-Control                 : no-cache
Date                          : Tue, 20 Sep 2022 23:20:18 GMT

Body:
{
  "error": {
    "code": "Forbidden",
    "message": "The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=f960e666-c8ba-44f9-807f-cbab773b9047;numgroups=10;iss=https://sts.windows.net/943e6074-9b1a-4623-9f91-6ccbf959ebd1/' does not have certificates managecontacts permission on key vault 'mykvt01;location=AustraliaEast'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287",
    "innererror": {
      "code": "AccessDenied"
    }
  }
}


DEBUG: 9:20:18 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Get-AzKeyVaultCertificateContact : Object reference not set to an instance of an object.
At line:1 char:1
+ Get-AzKeyVaultCertificateContact -VaultName mykvt01
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzKeyVaultCertificateContact], NullReferenceException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultCertificateContact
 
DEBUG: 9:20:18 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.KeyVault:4.7.0; CommandName: Get-AzKeyVaultCertificateContact; PSVersion: 5.1.19041.1682; IsSuccess: False; Duration: 00:00:00.2130717; Exception: Object reference not set to an instance of an object.;
DEBUG: Finish sending metric.
DEBUG: 9:20:18 AM - GetAzureKeyVaultCertificateContact end processing.

PS C:\Users\david> Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAddress cloudops@mydomain.com
DEBUG: 9:20:23 AM - RemoveAzureKeyVaultCertificateContact begin processing with ParameterSet 'ByName'.
DEBUG: 9:20:23 AM - using account id '[email protected]'...
DEBUG: 9:20:23 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: '[email protected]', environment: 'AzureCloud', tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1'
DEBUG: 9:20:23 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'943e6074-9b1a-46fs-9h61-6ccbf404ebr1', Scopes:'https://vault.azure.net/.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - debe4087-2d1e-4f97-b4ab-0238ad3a7a1e] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48] Found 5 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48] Returning 5 accounts
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] MSAL MSAL.Desktop with assembly version '4.39.0.0'. CorrelationId(23b9190b-2909-4224-8dfb-c738237fdd97)
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] LoginHint provided: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] Account provided: True
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] ForceRefresh: False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] 
=== Request Data ===
Authority Provided? - True
Scopes - https://vault.azure.net/.default
Extra Query Params Keys (space separated) - 
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 23b9190b-2909-4224-8dfb-c738237fdd97
UserAssertion set: False
LongRunningOboCacheKey set: False

DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.48 - 23b9190b-2909-4224-8dfb-c738237fdd97] === Token Acquisition (SilentRequest) started:
	 Scopes: https://vault.azure.net/.default
	Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] Access token is not expired. Returning the found cache entry. [Current time (09/20/2022 23:20:23) - Expiration Time (09/21/2022 00:32:45 +00:00) - Extended Expiration Time (09/21/2022 00:32:45 +00:00)]
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] [Region discovery] Not using a regional authority. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] Fetched access token from host login.microsoftonline.com. 
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97] 
	=== Token Acquisition finished successfully:
DEBUG: False MSAL 4.39.0.0 MSAL.Desktop 4.8 or later Windows 10 Pro [09/20 23:20:23.49 - 23b9190b-2909-4224-8dfb-c738237fdd97]  AT expiration time: 21/09/2022 12:32:45 AM +00:00, scopes https://vault.azure.net/user_impersonation https://vault.azure.net/.default source Cache from login.microsoftonline.com appHashCode 7836102
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:  ExpiresOn: 2022-09-21T00:32:45.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '943e6074-9b1a-46fs-9h61-6ccbf404ebr1', UserId: '[email protected]'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://mykvt01.vault.azure.net//certificates/contacts?api-version=7.0

Headers:
x-ms-client-request-id        : ae4cc7a0-8a60-4e99-bdcc-14279b7fb95a
accept-language               : en-US

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Pragma                        : no-cache
x-ms-keyvault-region          : Australia East
x-ms-client-request-id        : ae4cc7a0-8a60-4e99-bdcc-14279b7fb95a
x-ms-request-id               : 25158a45-6f0f-4c95-aaac-b35256c56d4d
x-ms-keyvault-service-version : 1.9.538.1
x-ms-keyvault-network-info    : conn_type=Ipv4;addr=10.10.10.10;act_addr_fam=InterNetwork;
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000;includeSubDomains
Cache-Control                 : no-cache
Date                          : Tue, 20 Sep 2022 23:20:23 GMT

Body:
{
  "error": {
    "code": "Forbidden",
    "message": "The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=f960e666-c8ba-44f9-807f-cbab773b9047;numgroups=10;iss=https://sts.windows.net/943e6074-9b1a-4623-9f91-6ccbf959ebd1/' does not have certificates managecontacts permission on key vault 'mykvt01;location=AustraliaEast'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287",
    "innererror": {
      "code": "AccessDenied"
    }
  }
}


DEBUG: 9:20:23 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Remove-AzKeyVaultCertificateContact : Object reference not set to an instance of an object.
At line:1 char:1
+ Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAd ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Remove-AzKeyVaultCertificateContact], NullReferenceException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.RemoveAzureKeyVaultCertificateContact
 
DEBUG: 9:20:23 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.KeyVault:4.7.0; CommandName: Remove-AzKeyVaultCertificateContact; PSVersion: 5.1.19041.1682; IsSuccess: False; Duration: 00:00:00.1453243; Exception: Object reference not set to an instance of an object.;
DEBUG: Finish sending metric.
DEBUG: 9:20:23 AM - RemoveAzureKeyVaultCertificateContact end processing.

Environment data

PS C:\Users\david> $PSVersionTable

Name                           Value                                                                                                                                                            
----                           -----                                                                                                                                                            
PSVersion                      5.1.19041.1682                                                                                                                                                   
PSEdition                      Desktop                                                                                                                                                          
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                          
BuildVersion                   10.0.19041.1682                                                                                                                                                  
CLRVersion                     4.0.30319.42000                                                                                                                                                  
WSManStackVersion              3.0                                                                                                                                                              
PSRemotingProtocolVersion      2.3                                                                                                                                                              
SerializationVersion           1.1.0.1

Module versions

PS C:\Users\david> Get-Module Az*

ModuleType Version    Name                                ExportedCommands                                                                                                                      
---------- -------    ----                                ----------------                                                                                                                      
Script     2.10.0     Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}                                                              
Script     4.7.0      Az.KeyVault                         {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateContact, Add-AzKeyVaultKey, Add-AzKeyVaultManagedStorageAccount...}

Error output

PS C:\Users\david> Resolve-AzError
DEBUG: 9:22:00 AM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 9:22:00 AM - using account id '[email protected]'...
DEBUG: 9:22:00 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.


   HistoryId: 10


Message        : Object reference not set to an instance of an object.
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.RemoveAzureKeyVaultCertificateContact.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.NullReferenceException
InvocationInfo : {Remove-AzKeyVaultCertificateContact}
Line           : Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAddress cloudops@tas.business
Position       : At line:1 char:1
                 + Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAd ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 10



   HistoryId: 9


Message        : Object reference not set to an instance of an object.
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultCertificateContact.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.NullReferenceException
InvocationInfo : {Get-AzKeyVaultCertificateContact}
Line           : Get-AzKeyVaultCertificateContact -VaultName mykvt01
Position       : At line:1 char:1
                 + Get-AzKeyVaultCertificateContact -VaultName mykvt01
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 9



   HistoryId: 8


Message        : Object reference not set to an instance of an object.
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultCertificateContact.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.NullReferenceException
InvocationInfo : {Add-AzKeyVaultCertificateContact}
Line           : Add-AzKeyVaultCertificateContact -VaultName mykvt01
Position       : At line:1 char:1
                 + Add-AzKeyVaultCertificateContact -VaultName mykvt01
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 8



   HistoryId: 4


Message        : Object reference not set to an instance of an object.
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.RemoveAzureKeyVaultCertificateContact.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.NullReferenceException
InvocationInfo : {Remove-AzKeyVaultCertificateContact}
Line           : Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAddress cloudops@mydomain.com
Position       : At line:1 char:1
                 + Remove-AzKeyVaultCertificateContact -VaultName mykvt01 -EmailAd ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 4



   HistoryId: 3


Message        : Object reference not set to an instance of an object.
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultCertificateContact.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.NullReferenceException
InvocationInfo : {Get-AzKeyVaultCertificateContact}
Line           : Get-AzKeyVaultCertificateContact -VaultName mykvt01
Position       : At line:1 char:1
                 + Get-AzKeyVaultCertificateContact -VaultName mykvt01
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 3



   HistoryId: 2


Message        : Object reference not set to an instance of an object.
StackTrace     :    at Microsoft.Azure.Commands.KeyVault.AddAzureKeyVaultCertificateContact.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception      : System.NullReferenceException
InvocationInfo : {Add-AzKeyVaultCertificateContact}
Line           : Add-AzKeyVaultCertificateContact -VaultName mykvt01
Position       : At line:1 char:1
                 + Add-AzKeyVaultCertificateContact -VaultName mykvt01
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 2


The Azure PowerShell team is listening, please let us know how we are doing: https://aka.ms/azpssurvey?Q_CHL=ERROR.

DEBUG: 9:22:00 AM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.10.0; CommandName: Resolve-AzError; PSVersion: 5.1.19041.1682; IsSuccess: True; Duration: 00:00:00.1197280
DEBUG: Finish sending metric.
DEBUG: 9:22:01 AM - ResolveError end processing.
@B0na5 B0na5 added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Sep 20, 2022
@ghost ghost added customer-reported and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Sep 20, 2022
@dingmeng-xue
Member

@BethanyZhou, please look into this issue.

@dingmeng-xue
Member

According to the service return, the current user doesn't have sufficient permission to manage contacts. However, we need to ensure the error message shows up on the console rather than showing a null reference error.

@BethanyZhou
Contributor

Hi @B0na5, @dingmeng-xue is right, according to the error message from the response:

"message": "The user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=f960e666-c8ba-44f9-807f-cbab773b9047;numgroups=10;iss=https://sts.windows.net/943e6074-9b1a-4623-9
f91-6ccbf959ebd1/' does not have certificates managecontacts permission on key vault 'mykvt01;location=AustraliaEast

Please add the permission Manage Contact for the user, group or application 'appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=f960e666-c8ba-44f9-807f-cbab773b9047' by running Set-AzKeyVaultAccessPolicy -PermissionsToCertificates managecontacts -VaultName mykvt01 -ResourceGroupName <rgName> -...

Will investigate a more friendly way to show the error message in the next step.
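
The permission check and grant discussed in the comments above, as an added example (not code from the Azure PowerShell project or from any participant in this thread): it inspects the vault's access policies for `managecontacts` before a contact cmdlet is run, and grants it without dropping the certificate permissions already assigned. The function names and the `<caller-object-id>` placeholder are assumptions; the vault name is the one used in the issue.

```powershell
# Added example: preflight for the 'managecontacts' certificate permission.
function Test-CertificateContactPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $ObjectId   # the 'oid=' value from the service error
    )
    $vault = Get-AzKeyVault -VaultName $VaultName -ErrorAction Stop
    if (-not $vault) { throw "Vault '$VaultName' not found in the current subscription." }
    if ($vault.EnableRbacAuthorization) {
        # With the Azure RBAC permission model, access policies are not evaluated.
        Write-Warning "Vault '$VaultName' uses Azure RBAC; check role assignments instead."
        return $null
    }
    # Direct assignments only: a grant inherited through a group will not match here.
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId }
    $perms  = if ($policy) { @($policy.PermissionsToCertificates) } else { @() }
    [pscustomobject]@{
        VaultName         = $vault.VaultName
        ObjectId          = $ObjectId
        CertificatePerms  = $perms
        HasManageContacts = $perms -contains 'managecontacts'
    }
}

function Grant-CertificateContactPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $ObjectId
    )
    $state = Test-CertificateContactPermission -VaultName $VaultName -ObjectId $ObjectId
    if ($null -eq $state -or $state.HasManageContacts) { return $state }
    # Pass the union of current and new permissions so the existing
    # certificate permissions for this principal are kept.
    $merged = @(@($state.CertificatePerms) + 'managecontacts' | Select-Object -Unique)
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $ObjectId `
        -PermissionsToCertificates $merged -ErrorAction Stop
    Test-CertificateContactPermission -VaultName $VaultName -ObjectId $ObjectId
}

# Usage (placeholder object id):
# Grant-CertificateContactPermission -VaultName 'mykvt01' -ObjectId '<caller-object-id>'
```

When `HasManageContacts` is `False` for a caller that can nevertheless manage contacts, the permission is coming from a group assignment, which this direct-match check does not resolve.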
