azure-powershell
Set-AzKeyVaultAccessPolicy -PermissionsToCertificates is removing other permissions from the GUI
Description
When applying the Key Vault access policy with -PermissionsToSecrets and -PermissionsToKeys, the GUI adds and displays them correctly. Once I add the -PermissionsToCertificates, the GUI appears to add all permissions: if I look at the Access policy overview page it says "All", but when clicking into the user's access all the tick boxes are empty. It looks like nothing is applied. It only does this once I add the -PermissionsToCertificates.
I also noticed that if I have 2 records in the Access policy area, I can only see 1 of them because the other is hidden under the drop-down group name. If I search for the other user, they show up OK.
Issue script & Debug output
I've put the code here for testing. The output has too much personal information to remove.
$objectid = "dcaffe3c-YOUR-ID-HERE"
$PermissionsToSecrets = "get,list,set,delete,backup,restore,recover,purge"
$PermissionsToKeys = "decrypt,encrypt,unwrapKey,wrapKey,verify,sign,get,list,update,create,import,delete,backup,restore,recover,purge"
$PermissionsToCertificates = "Get,list,Update,Create,Import,Delete,Recover,Backup,Restore,ManageContacts,ManageIssuers,GetIssuers,ListIssuers,SetIssuers,DeleteIssuers"
Set-AzKeyVaultAccessPolicy `
-VaultName scupaea1kvt01 `
-ObjectId $objectid `
-PermissionsToSecrets ($PermissionsToSecrets.split(",")) `
-PermissionsToKeys ($PermissionsToKeys.split(",")) `
-BypassObjectIdValidation -PassThru
Set-AzKeyVaultAccessPolicy `
-VaultName scupaea1kvt01 `
-ObjectId $objectid `
-PermissionsToSecrets ($PermissionsToSecrets.split(",")) `
-PermissionsToKeys ($PermissionsToKeys.split(",")) `
-PermissionsToCertificates ($PermissionsToCertificates.split(",")) `
-BypassObjectIdValidation -PassThru
Environment data
PS C:\Users\david> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.19041.1682
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.1682
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Module versions
PS C:\Users\david> get-module Az*
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 2.10.0 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script 4.7.0 Az.KeyVault {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateContact, Add-AzKeyVaultKey, Add-AzKeyVaultManagedStorageAccount...}
Error output
nothing
@BethanyZhou, please look into this question.
Hi @B0na5, I did reproduce this issue sometimes. But other permissions are not removed in fact. You can find all permissions are set accordingly if you refresh the page a few minutes later. I think it may be caused by latency between the service side and the Portal page. Please have a try and let me know if you hit any issue.
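Reading the access policy back from the service, rather than from the Portal page, separates a display delay from a real permission change. The following is an added example, not part of the original thread or of the Azure PowerShell project's code; `Compare-VaultAccessPolicy` is a hypothetical helper, and the sample vault object and its object ID are constructed so the block runs without an Azure session.

```powershell
# Added example: compare the permissions held for one object ID against the
# lists that were passed to Set-AzKeyVaultAccessPolicy.
function Compare-VaultAccessPolicy {
    param(
        [Parameter(Mandatory)] $Vault,                 # Get-AzKeyVault output, or an object of the same shape
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [hashtable] $Expected   # property name -> string[]
    )
    $policy = @($Vault.AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId })
    if ($policy.Count -eq 0) { throw "No access policy entry for $ObjectId" }
    foreach ($name in $Expected.Keys) {
        $want = @($Expected[$name])
        # Drop nulls so an unset permission scope compares as an empty list.
        $have = @($policy[0].$name | Where-Object { $_ })
        [pscustomobject]@{
            Scope   = $name
            # -notin is case-insensitive, so "Get" and "get" count as the same permission.
            Missing = @($want | Where-Object { $_ -notin $have })
            Extra   = @($have | Where-Object { $_ -notin $want })
        }
    }
}

# Constructed sample in the shape Get-AzKeyVault returns. Against a real vault use:
#   $vault = Get-AzKeyVault -VaultName scupaea1kvt01
$vault = [pscustomobject]@{
    AccessPolicies = @(
        [pscustomobject]@{
            ObjectId                  = '00000000-0000-0000-0000-000000000000'  # placeholder
            PermissionsToSecrets      = 'get', 'list', 'set'
            PermissionsToKeys         = 'get', 'list'
            PermissionsToCertificates = 'get', 'list'
        }
    )
}

$expected = @{
    PermissionsToSecrets      = 'get,list,set'.Split(',')
    PermissionsToKeys         = 'get,list,sign'.Split(',')
    PermissionsToCertificates = 'Get,list'.Split(',')
}

Compare-VaultAccessPolicy -Vault $vault `
    -ObjectId '00000000-0000-0000-0000-000000000000' `
    -Expected $expected | Format-Table -AutoSize
```

An empty `Missing` column for every scope means the service holds the requested permissions regardless of what the Portal page currently renders.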
Hi @BethanyZhou, I can see from the refresh that the permissions do show up. But the 2nd CSP group user was still hidden under the drop-down section. Apart from that it looks like it was a refresh/latency issue on the portal page.
Sorry what's the 2nd CSP group user?
If you look at the screenshots you will see 1 of 2 users. A 23*** user and a dc**** user. When the page loads I can only see the 23*** user. The only way I can see the dc*** user is if I search for it in the search box.
I also noticed when I click the select all box and delete them all it leaves the dc*** user as it doesn't get selected.
I'm sorry, these issues you mentioned are out of scope for the Azure PowerShell team. I'd like to suggest sending these issues to the Portal team to get support. Thanks for reaching out to us.
Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!