
Get-AzKeyVaultCertificate -InRemovedState doesn't return soft deleted certificate specific information like serialnumber anymore from Az.KeyVault Module version 4.11.0 #24333

Closed
cjagodics opened this issue Mar 11, 2024 · 3 comments · Fixed by #24365
Labels
Azure PS Team bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported KeyVault Tracking We will track status and follow internally

Comments

cjagodics commented Mar 11, 2024

Description

Starting from Az.KeyVault version 4.11.0 up to the latest version 5.2.1, the command
-> Get-AzKeyVaultCertificate -VaultName -Name -InRemovedState
only returns basic information about the soft-deleted KeyVault certificate, but no specific information like subject or serial number anymore.
All older versions up to 4.10.2 give back the expected result.
In the release notes for version 4.11.0 I could not find any hint that this information has been removed intentionally or was replaced by another mechanism.
Also, the current help example for showing an InRemovedState KV certificate shows specific certificate information in its output.
Therefore I assume it wasn't removed on purpose.

This behavior is not specific to PS 5.1 or 7.x.

Output before version 4.11.0:
Certificate : [Subject]
CN=...

                 [Issuer]
                   CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US

                 [Serial Number]
                   ...

                 [Not Before]
                   6/11/2023 2:00:00 AM

                 [Not After]
                   6/12/2024 1:59:59 AM

                 [Thumbprint]
                   ...

KeyId : https://kv-....vault.azure.net:443/keys/.../2084c9
...
SecretId : https://kv-....vault.azure.net:443/secrets/.../208
...
Thumbprint : ...
RecoveryLevel : CustomizedRecoverable+Purgeable
ScheduledPurgeDate : 3/14/2024 10:23:19 AM
DeletedDate : 3/7/2024 10:23:19 AM
Enabled : True
Expires : 6/11/2024 11:59:59 PM
NotBefore : 6/11/2023 12:00:00 AM
Created : 6/11/2023 1:30:07 AM
Updated : 6/11/2023 1:30:07 AM
Tags :
VaultName : kv-...
Name : ...
Version : 2084c...
Id : https://kv-....vault.azure.net:443/certificates/...
/2084c...

Output from version 4.11.0:
Name : ...
Vault Name : kv-...
Version : 2084...
Id : https://kv-....vault.azure.net:443/certificates/.../2084c9
...
Enabled : True
Expires : 6/11/2024 11:59:59 PM
Not Before : 6/11/2023 12:00:00 AM
Created : 6/11/2023 1:30:07 AM
Updated : 6/11/2023 1:30:07 AM
Tags :

This is really valuable information that is currently missing. I work around this issue by using module version 4.10.2 for the moment, but would really appreciate having the information back in the later versions as well.

Issue script & Debug output

Get-AzKeyVaultCertificate -VaultName kv-... -Name ... -InRemovedState
DEBUG: 10:59:32 AM - GetAzureKeyVaultCertificate begin processing with ParameterSet 'ByName'.
DEBUG: 10:59:32 AM - using account id '[email protected]'...
DEBUG: 10:59:32 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: '[email protected]', environment: 'AzureCloud', tenant: '...'
DEBUG: 10:59:32 AM - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 10:59:32 AM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'...', Scopes:'https://vault.azure.net/.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'[email protected]'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 22dd505d-...] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 22dd505d-...] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 22dd505d-...] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 22dd505d-...] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 22dd505d-...] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 22dd505d-...] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 22dd505d-...] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 22dd505d-...] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 22dd505d-...] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z] Found 5 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z] Returning 5 accounts
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...] MSAL MSAL.CoreCLR with assembly version '4.56.0.0'. CorrelationId(3a697755-...)
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...] LoginHint provided: False
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...] Account provided: True
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...] ForceRefresh: False
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...]
=== Request Data ===
Authority Provided? - True
Scopes - https://vault.azure.net/.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 3a697755-...
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...] === Token Acquisition (SilentRequest) started:
         Scopes: https://vault.azure.net/.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...] Access token is not expired. Returning the found cache entry. [Current time (03/11/2024 09:59:32) - Expiration Time (03/11/2024 11:18:33 +00:00) - Extended Expiration Time (03/11/2024 11:18:33 +00:00)]
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.56.0.0 MSAL.CoreCLR .NET 8.0.1 Microsoft Windows 10.0.22631 [2024-03-11 09:59:32Z - 3a697755-...]  AT expiration time: 3/11/2024 11:18:33 AM +00:00, scopes: https://vault.azure.net/user_impersonation https://vault.azure.net/.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:  ExpiresOn: 2024-03-11T11:18:33.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '...', UserId: '[email protected]'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://kv-....vault.azure.net//deletedcertificates/...?api-version=7.0

Headers:
Accept-Language               : en-US
x-ms-client-request-id        : 56aa7de7-...

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-keyvault-region          : westeurope
x-ms-client-request-id        : 56aa7de7-...
x-ms-request-id               : e8e0da6f-...
x-ms-keyvault-service-version : 1.9.1300.1
x-ms-keyvault-network-info    : conn_type=Ipv4;addr=xx.xx.xx.xx;act_addr_fam=InterNetwork;
x-ms-keyvault-rbac-assignment-id: ...
X-Content-Type-Options        : nosniff
Strict-Transport-Security     : max-age=31536000;includeSubDomains
Date                          : Mon, 11 Mar 2024 09:59:32 GMT

Body:
{
  "recoveryId": "https://kv-....vault.azure.net/deletedcertificates/...",
  "deletedDate": 1709806999,
  "scheduledPurgeDate": 1710411799,
  "id": "https://kv-....vault.azure.net/certificates/.../2084c91...",
  "kid": "https://kv-....vault.azure.net/keys/.../2084c91...",
  "sid": "https://kv-....vault.azure.net/secrets/.../2084c91733...",
  "x5t": "...",
  "cer": "MIIHCzCCBfOgAwIBA...",
  "attributes": {
    "enabled": true,
    "nbf": 1686441600,
    "exp": 1718150399,
    "created": 1686447007,
    "updated": 1686447007,
    "recoveryLevel": "CustomizedRecoverable+Purgeable"
  },
  "policy": {
    "id": "https://kv-....vault.azure.net/certificates/.../policy",
    "key_props": {
      "exportable": true,
      "kty": "RSA",
      "key_size": 2048,
      "reuse_key": false
    },
    "secret_props": {
      "contentType": "application/x-pkcs12"
    },
    "x509_props": {
      "subject": "CN=...",
      "ekus": [
        "1.3.6.1.5.5.7.3.1",
        "1.3.6.1.5.5.7.3.2"
      ],
      "key_usage": [
        "digitalSignature",
        "keyEncipherment"
      ],
      "validity_months": 12,
      "basic_constraints": {
        "ca": false
      }
    },
    "lifetime_actions": [
      {
        "trigger": {
          "lifetime_percentage": 80
        },
        "action": {
          "action_type": "AutoRenew"
        }
      }
    ],
    "issuer": {
      "name": "..."
    },
    "attributes": {
      "enabled": true,
      "created": 1635958351,
      "updated": 1635958351
    }
  },
  "pending": {
    "id": "https://kv-....vault.azure.net/certificates/.../pending"
  }
}


DEBUG: 10:59:33 AM - [ConfigManager] Got nothing from [DisplaySecretsWarning], Module = [], Cmdlet = []. Returning default value [False].

Name       : ...
Vault Name : kv-...
Version    : 2084c9...
Id         : https://kv-....vault.azure.net:443/certificates/.../2084c9
             ...
Enabled    : True
Expires    : 6/11/2024 11:59:59 PM
Not Before : 6/11/2023 12:00:00 AM
Created    : 6/11/2023 1:30:07 AM
Updated    : 6/11/2023 1:30:07 AM
Tags       :

DEBUG: 10:59:33 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:59:33 AM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.KeyVault:5.2.1; CommandName: Get-AzKeyVaultCertificate; PSVersion: 7.4.1; IsSuccess: True; Duration: 00:00:00.3586203
DEBUG: 10:59:33 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:59:33 AM - GetAzureKeyVaultCertificate end processing.

Environment data

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.4.1
PSEdition                      Core
GitCommitId                    7.4.1
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

get-module az.keyvault -listavailable

    Directory: C:\Users\...

ModuleType Version    PreRelease Name                                PSEdition ExportedCommands
---------- -------    ---------- ----                                --------- ----------------
Script     5.2.1                 Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertif…
Script     4.11.0                Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertif…
Script     4.10.2                Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertif…
Script     4.10.1                Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertif…
Script     4.10.0                Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertif…
Script     4.9.3                 Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertif…
Script     4.9.2                 Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertif…
Script     4.9.1                 Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertif…
Script     3.4.5                 Az.KeyVault                         Core,Desk {Add-AzKeyVaultCertif

Error output

no error output
@cjagodics cjagodics added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Mar 11, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Mar 11, 2024
@isra-fel
Member

@BethanyZhou can you think of anything that could happen between 4.10.2 and 4.11.0 that could lead to these properties missing? I don't think the API version was updated.

@BethanyZhou
Contributor

BethanyZhou commented Mar 14, 2024

These properties are not removed; they are hidden by format control in #22580. Unfortunately, the returned object is mapped to the format control of its base object.

@cjagodics please use Get-AzKeyVaultCertificate -VaultName test-kv -Name "TestCert01" -InRemovedState | Format-List -Property * to work around this issue if you want to scan them visually for the time being. These properties can still be used via $cert.Issuer or something like that. We will display these properties back.
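An added example (not code from the issue thread or from the Az.KeyVault module) that applies the workaround above and, for scripting rather than visual inspection, reads the hidden members directly so the soft-deleted certificate's subject, issuer and serial number stay usable regardless of the module's format view. The vault and certificate names are placeholders, and the script assumes an existing Az login with permission to read deleted certificates; the member names used (Certificate, Thumbprint, KeyId, SecretId, DeletedDate, ScheduledPurgeDate, RecoveryLevel) are the ones shown in the pre-4.11.0 output earlier in this issue.

```powershell
# Added example, not part of the issue or the Az.KeyVault project.
# Assumes: Connect-AzAccount has been run, and the caller may read deleted
# certificates in the vault. Placeholder names must be replaced.
param(
    [string] $VaultName = 'kv-placeholder',   # placeholder vault name
    [string] $Name      = 'cert-placeholder'  # placeholder certificate name
)

# Epoch seconds -> DateTimeOffset; this is the encoding of deletedDate,
# scheduledPurgeDate, nbf and exp in the REST body shown in the debug output.
function ConvertFrom-KeyVaultEpoch {
    param([Parameter(Mandatory)] [long] $Seconds)
    return [DateTimeOffset]::FromUnixTimeSeconds($Seconds)
}

$deleted = Get-AzKeyVaultCertificate -VaultName $VaultName -Name $Name -InRemovedState
if (-not $deleted) {
    throw "No soft-deleted certificate named '$Name' in vault '$VaultName'."
}

# Workaround from the thread: the members exist, the default view just omits them.
$deleted | Format-List -Property *

# For scripting, address the members directly. .Certificate is the
# X509Certificate2 that the pre-4.11.0 view rendered inline under
# [Subject] / [Issuer] / [Serial Number].
$x509 = $deleted.Certificate
if (-not $x509) {
    # Distinguishes a cosmetic regression (hidden member) from real data loss.
    throw 'Certificate member is empty: the data is missing, not merely hidden.'
}

$summary = [pscustomobject]@{
    Name               = $deleted.Name
    Subject            = $x509.Subject
    Issuer             = $x509.Issuer
    SerialNumber       = $x509.SerialNumber
    Thumbprint         = $deleted.Thumbprint
    NotBefore          = $x509.NotBefore
    NotAfter           = $x509.NotAfter
    DeletedDate        = $deleted.DeletedDate
    ScheduledPurgeDate = $deleted.ScheduledPurgeDate
    RecoveryLevel      = $deleted.RecoveryLevel
    KeyId              = $deleted.KeyId
    SecretId           = $deleted.SecretId
}

# Consistency check: the Thumbprint member should equal the SHA-1 thumbprint of
# the embedded certificate; a mismatch means the two came from different objects.
if ($deleted.Thumbprint -and ($deleted.Thumbprint -ne $x509.Thumbprint)) {
    Write-Warning "Thumbprint member ($($deleted.Thumbprint)) differs from certificate thumbprint ($($x509.Thumbprint))."
}

# The epoch values in the REST body decode to the DeletedDate and
# ScheduledPurgeDate the cmdlet displays (values copied from the debug output
# in this issue; compare with the cmdlet's DeletedDate / ScheduledPurgeDate).
ConvertFrom-KeyVaultEpoch 1709806999   # deletedDate from the REST body
ConvertFrom-KeyVaultEpoch 1710411799   # scheduledPurgeDate from the REST body

$summary
```

Run it as a script file with `-VaultName` and `-Name` set to your own values. Reading `$deleted.Certificate` rather than relying on the rendered view is what keeps automation (for example, an inventory of soft-deleted certificates and their purge dates) working across module versions, since the format data only affects display, not the object.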

@BethanyZhou BethanyZhou added the Tracking We will track status and follow internally label Mar 14, 2024
@BethanyZhou BethanyZhou linked a pull request Mar 14, 2024 that will close this issue
@cjagodics
Author

Thank you for looking into this and for the workaround @BethanyZhou - greatly appreciated!
