Invalid VNet rule in keyvault create call #27516

Description

@git001

Describe the bug

I tried to create a key vault with --network-acls and got the following error.

Invalid VNet rule: /subscriptions/MY_SUBS/resourceGroups/rg-01/spoke-01/snet-01.
Format: {vnet_name}/{subnet_name} or {subnet_id}

But even the help shows that the syntax should be /subscriptions/MY_SUBS/resourceGroups/rg-01/spoke-01/snet-01

az keyvault create -h
....
Create a key vault with network ACLs specified (use --network-acls-vnets to specify VNet rules).

az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup --network-acls-vnets vnet_name_2/subnet_name_2 vnet_name_3/subnet_name_3 /subscriptions/000000-0000-0000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/vnet_name_4/subnets/subnet_name_4


Create a key vault with network ACLs specified (use --network-acls, --network-acls-ips and
--network-acls-vnets together, redundant rules will be removed, finally there will be 4 IP rules
and 3 VNet rules).

az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup --network-acls "{\"ip\": [\"1.2.3.4\", \"2.3.4.0/24\"], \"vnet\": [\"vnet_name_1/subnet_name1\", \"vnet_name_2/subnet_name2\"]}" --network-acls-ips 3.4.5.0/24 4.5.6.0/24 --network-acls-vnets vnet_name_2/subnet_name_2 vnet_name_3/subnet_name_3 /subscriptions/000000-0000-0000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/vnet_name_4/subnets/subnet_name_4
....

Is this a misuse on my side or a doc bug?
Can I put a vnet from another RG into the --network-acls json?

Related command

az keyvault create --name kv-$NAME-Dev03 --resource-group rg-$KV_RG --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls "{\"vnet\": [\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03\",\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03\"]}" --subscription $MY_SUBS

Errors

Invalid VNet rule: /subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03.
Format: {vnet_name}/{subnet_name} or {subnet_id}

Issue script & Debug output

az --debug keyvault create --name kv-$KV_NAME-Dev03 --resource-group rg-$KV_NAME --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls "{\"vnet\": [\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03\",\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03\"]}" --subscription $MY_SUBS
cli.knack.cli: Command arguments: ['--debug', 'keyvault', 'create', '--name', 'kv-$KV_NAME-Dev03', '--resource-group', 'rg-$KV_NAME', '--location', 'germanywestcentral', '--enable-rbac-authorization', 'false', '--public-network-access', 'Enabled', '--sku', 'premium', '--default-action', 'Deny', '--network-acls', '{"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}', '--subscription', '$MY_SUBS']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f99f998d360>, <function OutputProducer.on_global_arguments at 0x7f99f98f0280>, <function CLIQuery.on_global_arguments at 0x7f99f9715480>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: No module found from index for '['--debug', 'keyvault', 'create', '--name', 'kv-$KV_NAME-Dev03', '--resource-group', 'rg-$KV_NAME', '--location', 'germanywestcentral', '--enable-rbac-authorization', 'false', '--public-network-access', 'Enabled', '--sku', 'premium', '--default-action', 'Deny', '--network-acls', '{"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}', '--subscription','$MY_SUBS']'
cli.azure.cli.core: Loading all modules and extensions
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f99f89a6dd0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/alex/.azure/commands/2023-10-03.17-48-30.unknown_command.150115.log'.
az_command_data_logger: command args: --debug {} {} --name {} --resource-group {} --location {} --enable-rbac-authorization {} --public-network-access {} --sku {} --default-action {} --network-acls {} --subscription {} --tags {} {}
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f99f89e3a30>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f99f8a01750>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f99f8a01870>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [<function _documentdb_deprecate at 0x7f99f73da0e0>]
cli.azure.cli.core.command_recommender: "--name" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--resource-group" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--location" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--enable-rbac-authorization" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--public-network-access" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--sku" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--default-action" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--network-acls" is an invalid parameter for command "keyvault create".
urllib3.connectionpool: Starting new HTTPS connection (1): app.aladdin.microsoft.com:443
urllib3.connectionpool: https://app.aladdin.microsoft.com:443 "GET /api/v1.0/suggestions?query=%7B%22command%22%3A+%22keyvault+create%22%2C+%22parameters%22%3A+%22%22%7D&clientType=AzureCli&context=%7B%22versionNumber%22%3A+%222.53.0%22%2C+%22errorType%22%3A+%22UnrecognizedArguments%22%2C+%22correlationId%22%3A+%227e63fff3-e687-496c-bc47-9e5ded8b8392%22%2C+%22subscriptionId%22%3A+%22$MY_SUBS%22%2C+%22eventId%22%3A+%2272e8f878-6f4c-4645-8387-f95087c3e365%22%7D HTTP/1.1" 200 None
cli.azure.cli.core.azclierror: NoneType: None

cli.azure.cli.core.azclierror: unrecognized arguments: --name kv-$KV_NAME-Dev03 --resource-group rg-$KV_NAME --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls {"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}
az_command_data_logger: unrecognized arguments: --name kv-$KV_NAME-Dev03 --resource-group rg-$KV_NAME --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls {"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}

Examples from AI knowledge base:
az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup
Create a key vault. (autogenerated)

az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup --network-acls "{\"ip\": [\"1.2.3.4\", \"2.3.4.0/24\"], \"vnet\": [\"vnet_name_1/subnet_name1\", \"vnet_name_2/subnet_name2\", \"/subscriptions/000000-0000-0000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVNet/subnets/MySubnet\"]}"
Create a key vault with network ACLs specified (use --network-acls to specify IP and VNet rules by using a JSON string).

https://docs.microsoft.com/en-US/cli/azure/keyvault#az_keyvault_create
Read more about the command in reference docs
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f99f89a7010>]
az_command_data_logger: exit code: 2
cli.__main__: Command ran in 1.461 seconds (init: 0.110, invoke: 1.351)

Expected behavior

I would expect that the vnets are configured in the keyvault network settings.

Environment Summary

azure-cli                         2.53.0

core                              2.53.0
telemetry                          1.1.0

Extensions:
connectedk8s                       1.4.0
k8s-extension                      1.4.5

Dependencies:
msal                            1.24.0b2
azure-mgmt-resource             23.1.0b2

Python location '/opt/az/bin/python3'
Extensions directory '/home/alex/.azure/cliextensions'

Python (Linux) 3.10.10 (main, Sep 20 2023, 06:07:38) [GCC 11.4.0]

Legal docs and information: aka.ms/AzureCliLegal


Your CLI is up-to-date.

Additional context

No response
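
A pre-flight check for the `vnet` entries of a `--network-acls` JSON string, added here as an example; it is not part of the original issue and is not azure-cli's own validator. The accepted shapes are taken from the error message and help text quoted in the report; the function names and sample values are assumptions.

```python
import json
import re

# Layout of a full subnet ID, as shown in the `az keyvault create -h` example above.
SUBNET_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$",
    re.IGNORECASE,
)
SHORT_RE = re.compile(r"^[^/]+/[^/]+$")  # {vnet_name}/{subnet_name}
REQUIRED = ("subscriptions", "resourceGroups", "providers",
            "Microsoft.Network", "virtualNetworks", "subnets")


def subnet_id(subscription, resource_group, vnet, subnet):
    """Build the full {subnet_id} form from its parts."""
    return (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}")


def classify_vnet_rule(rule):
    """Return (kind, detail); kind is 'short', 'subnet_id' or 'invalid'."""
    if SHORT_RE.match(rule):
        return "short", "rule names no resource group"
    match = SUBNET_ID_RE.match(rule)
    if match:
        return "subnet_id", "resource group " + match.group("rg")
    present = {part.lower() for part in rule.split("/")}
    missing = [seg for seg in REQUIRED if seg.lower() not in present]
    if missing:
        return "invalid", "missing segments: " + ", ".join(missing)
    return "invalid", "segments present but not in subnet ID order"


def check_network_acls(acls_json):
    """Classify every entry in the "vnet" list of a --network-acls JSON string."""
    acls = json.loads(acls_json)
    return {rule: classify_vnet_rule(rule) for rule in acls.get("vnet", [])}


# Constructed sample: the rejected value from the report, a short-form rule, and
# the full ID assuming spoke-01 is the VNet and snet-01 the subnet.
REJECTED = "/subscriptions/MY_SUBS/resourceGroups/rg-01/spoke-01/snet-01"
FIXED = subnet_id("MY_SUBS", "rg-01", "spoke-01", "snet-01")
SAMPLE_ACLS = json.dumps({"vnet": [REJECTED, "spoke-01/snet-01", FIXED]})

if __name__ == "__main__":
    for rule, (kind, detail) in check_network_acls(SAMPLE_ACLS).items():
        print(f"{kind:9} {detail:60} {rule}")
```

With `--default-action Deny`, the VNet rules are the vault's allow-list, so running this check in a pipeline before `az keyvault create` surfaces a malformed subnet ID before the create call rejects it.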

Labels

Auto-Assign, Auto-Resolve, KeyVault, Possible-Solution, Service Attention, Similar-Issue, act-identity-squad, customer-reported, question
