Unable to list KeyVault Certificates - Bearer token authentication is not permitted for non-TLS protected (non-https) URLs
Describe the bug
On Az CLI version 2.59: trying to list certificates using the Id of the KeyVault results in an error message
Related command
az keyvault certificate list --id /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.KeyVault/vaults/{vaultName}
Errors
Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
Issue script & Debug output
cli.knack.cli: Command arguments: ['keyvault', 'certificate', 'list', '--id', '/subscriptions/aa5a955c-bfd6-43a4-8136-58586adce400/resourceGroups/ls-prod/providers/Microsoft.KeyVault/vaults/lsprod', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x00000270C115B880>, <function OutputProducer.on_global_arguments at 0x00000270C12E6020>, <function CLIQuery.on_global_arguments at 0x00000270C1313BA0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: keyvault 0.007 20 113
cli.azure.cli.core: Total (1) 0.007 20 113
cli.azure.cli.core: Loaded 20 groups, 113 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : keyvault certificate list
cli.azure.cli.core: Command table: keyvault certificate list
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x00000270C423EE80>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\MatthewSteeples\.azure\commands\2024-04-04.08-43-53.keyvault_certificate_list.16196.log'.
az_command_data_logger: command args: keyvault certificate list --id {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x00000270C424B4C0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x00000270C4289440>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x00000270C4289580>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x00000270C12E60C0>, <function CLIQuery.handle_query_parameter at 0x00000270C1313C40>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x00000270C42894E0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\\Users\\MatthewSteeples\\.azure\\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\MatthewSteeples\.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = {'token_endpoint': 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/{tenantId}/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/{tenantId}/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/{tenantId}/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? True
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 113, in keyvault_command_handler
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_transformers.py", line 12, in _multi_transformers
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_transformers.py", line 259, in transform_certificate_list
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_transformers.py", line 259, in <listcomp>
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 123, in __next__
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/paging.py", line 75, in __next__
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/certificates/_generated/v7_4/operations/_key_vault_client_operations.py", line 795, in get_next
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 213, in run
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 70, in send
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 70, in send
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/_base.py", line 70, in send
[Previous line repeated 2 more times]
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_redirect.py", line 181, in send
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_retry.py", line 489, in send
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_retry.py", line 467, in send
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/pipeline/policies/_authentication.py", line 113, in send
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/certificates/_shared/challenge_auth_policy.py", line 67, in on_request
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/keyvault/certificates/_shared/challenge_auth_policy.py", line 40, in _enforce_tls
azure.core.exceptions.ServiceRequestError: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 664, in execute
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 731, in _run_jobs_serially
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 701, in _run_job
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 334, in __call__
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 135, in keyvault_command_handler
File "D:\a\_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/keyvault/_command_type.py", line 49, in keyvault_exception_handler
knack.util.CLIError: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
cli.azure.cli.core.azclierror: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
az_command_data_logger: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x00000270C423F100>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 5.399 seconds (init: 0.254, invoke: 5.144)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3709 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure\cli\telemetry\__init__.pyc C:\Users\MatthewSteeples\.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
Certificates to be output
Environment Summary
{
"azure-cli": "2.59.0",
"azure-cli-core": "2.59.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {}
}
Additional context
az keyvault certificate list --vault-name {vaultName} works fine on the same device
Thank you for opening this issue, we will look into it.
Hi, I saw the same behaviour today when I was trying to list the secrets of a KeyVault.
az keyvault secret list --id /subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}/providers/Microsoft.KeyVault/vaults/${keyVault}
This results in
ERROR: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
I was running this command in an Azure DevOps pipeline after logging in with a ServicePrincipal, but it also occurred when executing the command locally and being authenticated with Azure.
Environment information
{
"azure-cli": "2.62.0",
"azure-cli-core": "2.62.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"aks-preview": "0.5.121",
"azure-devops": "0.26.0",
"bastion": "0.3.0",
"ssh": "2.0.2"
}
}
@rcomanne Please use az keyvault secret/certificate list with --vault-name as a workaround. The auth issue with --id is under investigation.
I received the same error when running the following:
az keyvault role assignment create \
--role "Key Vault Administrator" \
--scope "/" \
--assignee "$OBJECT_ID" \
--name "$NAME" \
--id "/subscriptions/$SUBS/resourceGroups/$RG/Microsoft.KeyVault/vaults/$KV"
Also tried with --id "https://$KV.vault.azure.net", but got another error, this time HTTP 404:
404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
Hello,
Same issue here using the Windows version.
If we try from azure cloud shell it works.
Same issue here
Same for az keyvault role assignment list --id /subscriptions...
@rcomanne Please use az keyvault secret/certificate list with --vault-name as a workaround. The auth issue with --id is under investigation.
Regarding az keyvault role assignment create, which appears to suffer from the same issue, --vault-name is not a valid argument:
ERROR: unrecognized arguments: --vault-name
--hsm-name seems related, but if you use that one you get:
ERROR: <urllib3.connection.HTTPSConnection object at 0x7f5d6e869760>: Failed to establish a new connection: [Errno -2] Name or service not known
Still experiencing this when running: az keyvault secret list --id "..." or az keyvault secret list-deleted --id "..."
az cli environment:
{
"azure-cli": "2.64.0",
"azure-cli-core": "2.64.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"dataprotection": "1.5.2",
"front-door": "1.2.0"
}
}
I have the same problem when running az keyvault role assignment create ... or az keyvault role assignment list --id ...
az cli environment:
{
"azure-cli": "2.68.0",
"azure-cli-core": "2.68.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"application-insights": "1.2.2",
"azure-devops": "1.0.1",
"managementpartner": "1.0.0"
}
}
Hi, any updates to this issue? I am getting the same problem using az cli 2.74 and also with upgraded version 2.75. How should we assign the role to the user assigned managed identity through DevOps pipeline?
Same error. Happens with a simple list keys: az keyvault key list --id /subscriptions/<suppressed>/resourceGroups/<suppressed>-<suppressed>/providers/Microsoft.KeyVault/vaults/kv-<suppressed>-<suppressed> --debug
cli.knack.cli: Command arguments: ['keyvault', 'key', 'list', '--id', '/subscriptions/<suppressed>/resourceGroups/<suppressed>-<suppressed>/providers/Microsoft.KeyVault/vaults/kv-<suppressed>-<suppressed>', '--debug']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x1008a3380>, <function OutputProducer.on_global_arguments at 0x100dac400>, <function CLIQuery.on_global_arguments at 0x100dcdbc0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: keyvault 0.004 20 114
cli.azure.cli.core: Total (1) 0.004 20 114
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 20 groups, 114 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : keyvault key list
cli.azure.cli.core: Command table: keyvault key list
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x102b7bc40>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/<suppressed>/.azure/commands/2025-07-29.11-38-42.keyvault_key_list.90912.log'.
az_command_data_logger: command args: keyvault key list --id {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x102bd0860>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x102bd3100>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x102bd3240>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x102bd32e0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x100dac4a0>, <function CLIQuery.handle_query_parameter at 0x100dcdc60>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x102bd31a0>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/<suppressed>/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /Users/<suppressed>/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/<suppressed>
msal.authority: openid_config("https://login.microsoftonline.com/<suppressed>/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/<suppressed>/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/<suppressed>/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/<suppressed>/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/<suppressed>/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/<suppressed>/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/<suppressed>/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/<suppressed>/kerberos', 'tenant_region_scope': 'EU', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 109, in keyvault_command_handler
result = op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/custom.py", line 1062, in list_keys
return [_ for _ in result if not getattr(_, 'managed')] if result else result
^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/core/paging.py", line 123, in __next__
return next(self._page_iterator)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/core/paging.py", line 75, in __next__
self._response = self._get_next(self.continuation_token)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/keyvault/keys/_generated/_operations/_operations.py", line 1591, in get_next
pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 229, in run
return first_node.send(pipeline_request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
response = self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
response = self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/core/pipeline/_base.py", line 86, in send
response = self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^
[Previous line repeated 2 more times]
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/core/pipeline/policies/_redirect.py", line 197, in send
response = self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/core/pipeline/policies/_retry.py", line 554, in send
raise err
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/core/pipeline/policies/_retry.py", line 532, in send
response = self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/keyvault/keys/_shared/challenge_auth_policy.py", line 111, in send
self.on_request(request)
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/keyvault/keys/_shared/challenge_auth_policy.py", line 170, in on_request
_enforce_tls(request)
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/keyvault/keys/_shared/challenge_auth_policy.py", line 41, in _enforce_tls
raise ServiceRequestError(
azure.core.exceptions.ServiceRequestError: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
raise ex
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 135, in keyvault_command_handler
return keyvault_exception_handler(ex)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 49, in keyvault_exception_handler
raise CLIError(ex)
knack.util.CLIError: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
cli.azure.cli.core.azclierror: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
az_command_data_logger: Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x102b7bec0>]
az_command_data_logger: exit code: 1
cli.__main__: Command ran in 5.044 seconds (init: 0.068, invoke: 4.976)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4056 in cache file under /Users/<suppressed>/.azure/telemetry/20250729113847729
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/homebrew/Cellar/azure-cli/2.75.0/libexec/bin/python /opt/homebrew/Cellar/azure-cli/2.75.0/libexec/lib/python3.12/site-packages/azure/cli/telemetry/__init__.py /Users/<suppressed>/.azure /Users/<suppressed>/.azure/telemetry/20250729113847729"
telemetry.process: Return from creating process 91015
telemetry.main: Finish creating telemetry upload process.
@d13g0s0uz4 @RoFz
for me the --id parameter doesn't work on Windows, Linux, or Azure Cloud Shell either. I've tested with both azure-cli 2.71.0 and 2.78.0 (current stable).
az keyvault secret list --id $KV_ID
# Bearer token authentication is not permitted for non-TLS protected (non-https) URLs.
It only works when specifying name and resource group, which is redundant if you have the Id already:
az keyvault secret list --vault-name $KV_NAME --resource-group $RG_NAME
PS.
It works if you provide --id with the full keyvault url afterwards, e.g.:
az keyvault secret list --id "https://${KV_NAME}.vault.azure.net/"
@evelyn-ys
perhaps the --id parameter could be renamed/aliased to --uri/--url to clarify it doesn't expect a resourceId?
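Added example, written for this page and not code from the Azure CLI project or from any commenter above. Both tracebacks end in the Key Vault SDK's _enforce_tls guard in challenge_auth_policy.py, which refuses to attach a bearer token to any request whose URL does not start with https; that guard is correct behaviour and should never be bypassed. The defect is upstream of it: the ARM resource ID given to --id reaches the SDK as the request URL, so the guard fires. The POSIX shell below does what the last comment reports as working, but automatically: it validates the resource ID, derives the https data-plane URL from the vault name, re-applies the same TLS rule before calling az, and only then runs the CLI. It assumes the public-cloud DNS suffix vault.azure.net (override KV_DNS_SUFFIX for sovereign clouds; managed HSMs use a different resource type and suffix and are not handled) and the documented vault-name rules; the function names are this example's own, not az options.

```shell
#!/bin/sh
# Added example (not Azure CLI code): turn a Microsoft.KeyVault/vaults resource
# ID into the https vault URL that `az keyvault ... --id` actually expects, and
# refuse to proceed unless the endpoint is TLS-protected, mirroring the SDK's
# _enforce_tls guard seen in the tracebacks.
#
# Assumption: Azure public cloud, so the data-plane host is <name>.vault.azure.net.
# Other clouds use a different suffix; set KV_DNS_SUFFIX to override it.
KV_DNS_SUFFIX="${KV_DNS_SUFFIX:-vault.azure.net}"

# kv_name_from_id RESOURCE_ID
# Prints the vault name from an ID of the form
#   /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>
# and returns 1 for any other resource type or an invalid vault name.
# The match is case-sensitive, which is how az itself emits resource IDs.
kv_name_from_id() {
    _id="$1"
    case "$_id" in
        /subscriptions/*/resourceGroups/*/providers/Microsoft.KeyVault/vaults/*) ;;
        *) printf 'not a Microsoft.KeyVault/vaults resource ID: %s\n' "$_id" >&2
           return 1 ;;
    esac
    _name="${_id##*/}"
    # Vault-name rules: 3-24 characters, letters/digits/hyphens only, starts with
    # a letter, ends with a letter or digit, no consecutive hyphens.
    _len=${#_name}
    if [ "$_len" -lt 3 ] || [ "$_len" -gt 24 ]; then return 1; fi
    case "$_name" in
        *--*|*[!A-Za-z0-9-]*) return 1 ;;   # double hyphen or illegal character
    esac
    case "$_name" in
        [A-Za-z]*) ;; *) return 1 ;;        # must start with a letter
    esac
    case "$_name" in
        *[A-Za-z0-9]) ;; *) return 1 ;;     # must end with a letter or digit
    esac
    printf '%s\n' "$_name"
}

# kv_uri_from_id RESOURCE_ID
# Prints the TLS data-plane URL, e.g. https://lsprod.vault.azure.net/
kv_uri_from_id() {
    _n="$(kv_name_from_id "$1")" || return 1
    printf 'https://%s.%s/\n' "$_n" "$KV_DNS_SUFFIX"
}

# require_https URL
# The same rule the azure-keyvault SDK applies before attaching a bearer token:
# anything that is not an https URL is rejected so the token is never sent in
# clear text. A bare resource ID fails this check, which is the error in the thread.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) printf 'refusing to send a bearer token to a non-TLS URL: %s\n' "$1" >&2
           return 1 ;;
    esac
}

# kv_secret_list RESOURCE_ID
# Workaround wrapper: resolve the ID to its https URL, check it, then call the
# real CLI with the `--id https://...` form that is reported to work.
kv_secret_list() {
    _uri="$(kv_uri_from_id "$1")" || return 1
    require_https "$_uri" || return 1
    az keyvault secret list --id "$_uri"
}

# Usage (needs an authenticated az session, so it is not executed here):
#   kv_secret_list "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV"
```

If you would rather not hard-code the DNS suffix, the control-plane lookup az keyvault show --ids "$KV_ID" --query properties.vaultUri -o tsv returns the authoritative URL for whichever cloud the vault lives in; pass its output through require_https the same way. Either route keeps the SDK's TLS check intact rather than working around it.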