"Invalid value was provided for 'accessPolicies'" when no value was provided #9763

Closed
freeone3000 opened this issue Jun 21, 2019 · 17 comments

@freeone3000

I'd expect an error from Azure or Azure CLI client. Instead, I get this error that doesn't tell me what went wrong.

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name
az keyvault set-policy

Errors:

An invalid value was provided for 'accessPolicies'.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Put any pre-requisite steps here...
  • az keyvault set-policy --name {} --object-id {} --secret-permissions list --debug

Expected Behavior

Environment Summary

Linux-4.18.0-16-generic-x86_64-with-debian-buster-sid
Python 3.6.5
Shell: bash

azure-cli 2.0.66 *

Extensions:
azure-devops 0.8.0

Additional Context

@limingu limingu added KeyVault az keyvault Service Attention This issue is responsible by Azure service team. labels Jun 24, 2019
@ross-p-smith

Just come across this too on azure-cli 2.0.69

@rfink

rfink commented Aug 1, 2019

Same - version 2.0.69

@mikedrumgcom

Same - version 2.0.71

@jiasli jiasli self-assigned this Aug 28, 2019
@yugangw-msft yugangw-msft removed the Service Attention This issue is responsible by Azure service team. label Aug 28, 2019
@norbitrial

Same - version 2.0.72

@jiasli
Member

jiasli commented Sep 10, 2019

This command works fine on a Linux (debian 9.11) Azure VM

az keyvault set-policy --name xxx --object-id xxx --secret-permissions list

Please share the complete command that results in the error. Also, please share the --output result. You may paste it here or send to my email address.

@haroldrandom haroldrandom added the KeyVault az keyvault label Oct 25, 2019
@hoangpx

hoangpx commented Nov 15, 2019

Same
azure-cli 2.0.76
command-modules-nspkg 2.0.3
core 2.0.76
nspkg 3.0.4
telemetry 1.0.4

Python location '/usr/bin/python2.7'
Extensions directory '/home/jenkins/.azure/cliextensions'

Python (Linux) 2.7.5 (default, May 20 2019, 12:21:26)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

@yonzhan yonzhan added this to the S162 milestone Nov 16, 2019
@bim-msft bim-msft assigned bim-msft and unassigned jiasli Dec 9, 2019
@yonzhan yonzhan modified the milestones: S162, S163 Dec 15, 2019
@bim-msft
Contributor

I have reproduced the issue by specifying an invalid GUID as object-id.
My command: az keyvault set-policy -n {vault-name} --object-id 123 --key-permissions get list
The error message is not clear enough.

@bim-msft bim-msft added Service Attention This issue is responsible by Azure service team. and removed Service Attention This issue is responsible by Azure service team. labels Dec 20, 2019
@bim-msft
Contributor

Hi service team, could you please refine this error message?

@yungezz yungezz modified the milestones: S163, S164, S165 Jan 3, 2020
@brunomartinspro
Contributor

Same issue here... If the code is open source, tomorrow I will debug it.

msrest.http_logger : Response status: 400
msrest.http_logger : Response headers:
msrest.http_logger :     'Cache-Control': 'no-cache'
msrest.http_logger :     'Pragma': 'no-cache'
msrest.http_logger :     'Content-Length': '95'
msrest.http_logger :     'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger :     'Expires': '-1'
msrest.http_logger :     'x-ms-keyvault-service-version': '1.1.0.276'
msrest.http_logger :     'x-ms-request-id': 'asd34-d4f2-4b80-sdf32-6ac908cc967f'
msrest.http_logger :     'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger :     'X-Content-Type-Options': 'nosniff'
msrest.http_logger :     'Server': 'Microsoft-IIS/10.0'
msrest.http_logger :     'X-AspNet-Version': '4.0.30319'
msrest.http_logger :     'X-Powered-By': 'ASP.NET'
msrest.http_logger :     'x-ms-ratelimit-remaining-subscription-writes': '1199'
msrest.http_logger :     'x-ms-correlation-request-id': 'ddfsdf3-20c4-4db4-8245-qqweqwe2'
msrest.http_logger :     'x-ms-routing-request-id': 'WESTEUROPE:20200331T182750Z:f7dfdf35cf3-20c4-asdasd-8245-aaasd2'
msrest.http_logger :     'Date': 'Tue, 31 Mar 2020 18:27:50 GMT'
msrest.http_logger : Response content:
msrest.http_logger : {"error":{"code":"BadRequest","message":"An invalid value was provided for 'accessPolicies'."}}
msrest.exceptions : An invalid value was provided for 'accessPolicies'.

Somehow my problem was cache.. After restarting the self-host agent it started working..

@wolesolana

@brunomartinspro I'm running into the same issue as well. What self-host agent did you restart? We have an Azure subscription running in the cloud.

@brunomartinspro
Contributor

brunomartinspro commented Apr 6, 2020

> @brunomartinspro I'm running into the same issue as well. What self-host agent did you restart? We have an Azure subscription running in the cloud.

Based on other answers here I used the --objectId of an Azure AD app registration I wanted to register in Key Vault so it could have permissions to purge everything when soft delete was active.

az --% keyvault set-policy --name "Dracula-Vault" --object-id AZADAPP_OBJECTID --key-permissions get create list purge --certificate-permissions get create list purge --secret-permissions get list purge

I registered self hosted agents in the cloud, running on docker with Kubernetes. https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/docker

I spent hours looking into the source code, trying multiple solutions and had no success until I restarted the self hosted agent. After restarting, all the steps worked on Azure DevOps. I assume it's cache because when I destroy the Kubernetes Deployment and run a new instance of the agent from scratch it still works. I'm still puzzled.

Btw I also made a tutorial for setting up the docker agents on kubernetes if you want to set it up.
Azure Pipelines Self-Hosted Agents Running in Docker on Azure Kubernetes Service

@sebansal

ping @bim-msft

@sebansal

sebansal commented Oct 2, 2020

This was a product bug and has been fixed.

@sebansal sebansal closed this as completed Oct 2, 2020
@akshaymathur3

Please reopen, as it seems to be not fixed
cmd: az keyvault set-policy -n mykvt --secret-permissions get --object-id e2c1c414-a9c3-11eb-bcbc-0242ac130002 --resource-group mygrp

Error:
(BadRequest) An invalid value was provided for 'accessPolicies'.

@edwardsp

I had the same error here from this command:

az keyvault set-policy --name $keyvault --object-id "$sp_oid" --secret-permissions get list

It turned out that my previous command to get the sp_oid was actually returning two values.

@arindam0310018

Hello @freeone3000 @ross-p-smith @rfink @mikedrumgcom @jiasli @yugangw-msft @norbitrial @hoangpx @yonzhan @brunomartinspro @bim-msft @wolesolana @sebansal @akshaymathur3

I am aware that the issue thread is closed, but I recently encountered the same issue and I could resolve it using Microsoft Support. Hence I thought of putting it here with as many details as possible, in case someone stumbles into this thread while looking for a resolution.

Let me explain my issue use case:-

  • In the Same Subscription, I had more than 1 Key Vault in different Resource Groups.
  • Only 1 KV exhibited the issue "Invalid value was provided for 'accessPolicies'" while changing from Firewall Settings "Allow public access from specific virtual networks and IP addresses" to "Allow public access from all networks". The rest all worked perfectly fine.

What all I did:-

  • I elevated my user account as the owner of the Subscription and tried changing the Firewall Settings, still the same issue.
  • I then added my user account RBAC = Key Vault Administrator and tried changing the Firewall Settings, still the same issue.
  • I tried to add my user account in the access policy with all permissions (Keys, Secrets, Certificates). I could not add it. It gave the same error.
  • I tried to add my user account in the access policy with all permissions (Keys, Secrets, Certificates) using az cli. I could not add it. It gave the same error.

I then raised a support request.
Support Team informed the below:-
There used to be a bug in the Azure Key Vault service that allowed customers to add access policies via PS/CLI with '{}' in the ObjectId of an access policy. Once it was fixed, customers that had policies in the unexpected format (with {}) started to receive a BadRequest 400 error because the service notices the wrong formatted access policies and rejected any change.

Running the below PowerShell script fixed all the wrongly formatted access policy entries on the Key Vault to the expected format and updated the resource properties at ARM-layer.

$id = "/subscriptions/<XXXXX-SUBSCRIPTION-ID-XXXXX>/resourceGroups/<XXXXX-RESOURCE-GROUP-NAME-XXXXX>/providers/Microsoft.KeyVault/vaults/<KEY-VAULT-NAME>"

$vault = Get-AzResource -ResourceId $id

Check what the current policies are:-

$vault.Properties.accessPolicies

Fix invalid GUIDs:-

$vault.Properties.accessPolicies | %{$_.objectId = [Guid]::Parse($_.objectId).ToString("D")}

Check the new policies:-

$vault.Properties.accessPolicies

Update the vault in ARM:-

Set-AzResource -ResourceId $vault.Id -Properties $vault.Properties -Tags $vault.Tags

It worked!!!

Post running the Script, I could add my account in Key Vault Access policy and also could change Key Vault Firewall Settings.

Hope this helps.

Many Thanks
Regards, Arindam Mitra
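
A preflight check for the bad `--object-id` inputs reported in this thread (a non-GUID such as `123`, a lookup that returned two values, and a brace-wrapped GUID), as an added example that is not part of any comment or of Azure CLI. `classify_object_id` and `set_policy_checked` are hypothetical names and the sample ids are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical and the
# sample values in the demo loop are constructed.

# Canonical "D" format GUID: 8-4-4-4-12 hex digits, no braces.
GUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# classify_object_id VALUE
# Prints one of: ok, empty, multiple, braced, malformed.
classify_object_id() {
  set -f       # no globbing while the value is word-split
  set -- $1    # split on spaces, tabs and newlines
  set +f
  if [ "$#" -eq 0 ]; then echo empty; return; fi
  if [ "$#" -gt 1 ]; then echo multiple; return; fi  # lookup returned >1 id
  case "$1" in
    "{"*"}") echo braced; return ;;                  # "{...}" form
  esac
  if printf '%s\n' "$1" | grep -Eq "$GUID_RE"; then
    echo ok
  else
    echo malformed
  fi
}

# set_policy_checked VAULT OBJECT_ID
# Calls az only when the object id is exactly one canonical GUID.
set_policy_checked() {
  verdict=$(classify_object_id "$2")
  if [ "$verdict" != ok ]; then
    echo "refusing to call az: --object-id is $verdict" >&2
    return 1
  fi
  az keyvault set-policy --name "$1" --object-id "$2" \
    --secret-permissions get list
}

# Constructed samples: non-GUID, braced GUID, two ids, one valid id.
for sample in "123" \
  "{11111111-2222-3333-4444-555555555555}" \
  "11111111-2222-3333-4444-555555555555 66666666-7777-8888-9999-000000000000" \
  "11111111-2222-3333-4444-555555555555"; do
  printf '%s -> %s\n' "$sample" "$(classify_object_id "$sample")"
done
```

The check only covers the value being submitted; entries already stored on the vault in the braced format still need the normalisation described in the comment above.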

@yonzhan yonzhan assigned evelyn-ys and unassigned bim-msft Nov 7, 2022