Describe the bug
I tried to create a key vault with --network-acls and got the following error.
```
Invalid VNet rule: /subscriptions/MY_SUBS/resourceGroups/rg-01/spoke-01/snet-01.
Format: {vnet_name}/{subnet_name} or {subnet_id}
```
But even the help shows that the syntax should be /subscriptions/MY_SUBS/resourceGroups/rg-01/spoke-01/snet-01
```
az keyvault create -h
....
Create a key vault with network ACLs specified (use --network-acls-vnets to specify VNet rules).
az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup --network-acls-vnets vnet_name_2/subnet_name_2 vnet_name_3/subnet_name_3 /subscriptions/000000-0000-0000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/vnet_name_4/subnets/subnet_name_4

Create a key vault with network ACLs specified (use --network-acls, --network-acls-ips and --network-acls-vnets together, redundant rules will be removed, finally there will be 4 IP rules and 3 VNet rules).
az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup --network-acls "{\"ip\": [\"1.2.3.4\", \"2.3.4.0/24\"], \"vnet\": [\"vnet_name_1/subnet_name1\", \"vnet_name_2/subnet_name2\"]}" --network-acls-ips 3.4.5.0/24 4.5.6.0/24 --network-acls-vnets vnet_name_2/subnet_name_2 vnet_name_3/subnet_name_3 /subscriptions/000000-0000-0000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/vnet_name_4/subnets/subnet_name_4
....
```
Is this a misuse on my side or a doc bug?
Can I put a vnet from another RG into the --network-acls json?
Related command
```
az keyvault create --name kv-$NAME-Dev03 --resource-group rg-$KV_RG --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls "{\"vnet\": [\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03\",\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03\"]}" --subscription $MY_SUBS
```
Errors
```
Invalid VNet rule: /subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03.
Format: {vnet_name}/{subnet_name} or {subnet_id}
```
Issue script & Debug output
az --debug keyvault create --name kv-$KV_NAME-Dev03 --resource-group rg-$KV_NAME --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls "{\"vnet\": [\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03\",\"/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03\"]}" --subscription $MY_SUBS
cli.knack.cli: Command arguments: ['--debug', 'keyvault', 'create', '--name', 'kv-$KV_NAME-Dev03', '--resource-group', 'rg-$KV_NAME', '--location', 'germanywestcentral', '--enable-rbac-authorization', 'false', '--public-network-access', 'Enabled', '--sku', 'premium', '--default-action', 'Deny', '--network-acls', '{"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}', '--subscription', '$MY_SUBS']
cli.knack.cli: __init__ debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f99f998d360>, <function OutputProducer.on_global_arguments at 0x7f99f98f0280>, <function CLIQuery.on_global_arguments at 0x7f99f9715480>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: No module found from index for '['--debug', 'keyvault', 'create', '--name', 'kv-$KV_NAME-Dev03', '--resource-group', 'rg-$KV_NAME', '--location', 'germanywestcentral', '--enable-rbac-authorization', 'false', '--public-network-access', 'Enabled', '--sku', 'premium', '--default-action', 'Deny', '--network-acls', '{"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}', '--subscription','$MY_SUBS']'
cli.azure.cli.core: Loading all modules and extensions
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f99f89a6dd0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/alex/.azure/commands/2023-10-03.17-48-30.unknown_command.150115.log'.
az_command_data_logger: command args: --debug {} {} --name {} --resource-group {} --location {} --enable-rbac-authorization {} --public-network-access {} --sku {} --default-action {} --network-acls {} --subscription {} --tags {} {}
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f99f89e3a30>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f99f8a01750>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f99f8a01870>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [<function _documentdb_deprecate at 0x7f99f73da0e0>]
cli.azure.cli.core.command_recommender: "--name" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--resource-group" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--location" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--enable-rbac-authorization" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--public-network-access" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--sku" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--default-action" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--network-acls" is an invalid parameter for command "keyvault create".
urllib3.connectionpool: Starting new HTTPS connection (1): app.aladdin.microsoft.com:443
urllib3.connectionpool: https://app.aladdin.microsoft.com:443 "GET /api/v1.0/suggestions?query=%7B%22command%22%3A+%22keyvault+create%22%2C+%22parameters%22%3A+%22%22%7D&clientType=AzureCli&context=%7B%22versionNumber%22%3A+%222.53.0%22%2C+%22errorType%22%3A+%22UnrecognizedArguments%22%2C+%22correlationId%22%3A+%227e63fff3-e687-496c-bc47-9e5ded8b8392%22%2C+%22subscriptionId%22%3A+%22$MY_SUBS%22%2C+%22eventId%22%3A+%2272e8f878-6f4c-4645-8387-f95087c3e365%22%7D HTTP/1.1" 200 None
cli.azure.cli.core.command_recommender: "--name" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--resource-group" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--location" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--enable-rbac-authorization" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--public-network-access" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--sku" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--default-action" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--network-acls" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--location" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--name" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--resource-group" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--location" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--name" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--resource-group" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.command_recommender: "--network-acls" is an invalid parameter for command "keyvault create".
cli.azure.cli.core.azclierror: NoneType: None
cli.azure.cli.core.azclierror: unrecognized arguments: --name kv-$KV_NAME-Dev03 --resource-group rg-$KV_NAME --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls {"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}
az_command_data_logger: unrecognized arguments: --name kv-$KV_NAME-Dev03 --resource-group rg-$KV_NAME --location germanywestcentral --enable-rbac-authorization false --public-network-access Enabled --sku premium --default-action Deny --network-acls {"vnet": ["/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-master-$NAME-Dev03","/subscriptions/$MY_SUBS/resourceGroups/rg-$NAME/spoke-$NAME-Dev03/snet-node-$NAME-Dev03"]}
Examples from AI knowledge base:
az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup
Create a key vault. (autogenerated)
az keyvault create --location westus2 --name MyKeyVault --resource-group MyResourceGroup --network-acls "{\"ip\": [\"1.2.3.4\", \"2.3.4.0/24\"], \"vnet\": [\"vnet_name_1/subnet_name1\", \"vnet_name_2/subnet_name2\", \"/subscriptions/000000-0000-0000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVNet/subnets/MySubnet\"]}"
Create a key vault with network ACLs specified (use --network-acls to specify IP and VNet rules by using a JSON string).
https://docs.microsoft.com/en-US/cli/azure/keyvault#az_keyvault_create
Read more about the command in reference docs
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f99f89a7010>]
az_command_data_logger: exit code: 2
cli.__main__: Command ran in 1.461 seconds (init: 0.110, invoke: 1.351)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4604 in cache
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/bin/../../opt/az/bin/python3 /opt/az/lib/python3.10/site-packages/azure/cli/telemetry/__init__.py /home/alex/.azure"
telemetry.process: Return from creating process
telemetry.main: Finish creating telemetry upload process.
Expected behavior
I would expect that the vnets are configured in the keyvault network settings.
Environment Summary
```
azure-cli                         2.53.0

core                              2.53.0
telemetry                          1.1.0

Extensions:
connectedk8s                       1.4.0
k8s-extension                      1.4.5

Dependencies:
msal                            1.24.0b2
azure-mgmt-resource             23.1.0b2

Python location '/opt/az/bin/python3'
Extensions directory '/home/alex/.azure/cliextensions'

Python (Linux) 3.10.10 (main, Sep 20 2023, 06:07:38) [GCC 11.4.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.
```
Additional context
No response
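
Added example (not part of the original issue and not Azure CLI's own validation code): a pre-flight check that sorts each VNet rule into the two formats named in the error message, `{vnet_name}/{subnet_name}` or `{subnet_id}`, using the full subnet ID layout shown in the help examples above, and reports which segments a rejected ID lacks. The regexes, function names and sample values are assumptions made for illustration; the subnet ID form names the resource group explicitly.

```python
import json
import re

# Full subnet resource ID, laid out as in the `az keyvault create -h` examples on this page.
SUBNET_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/virtualNetworks/(?P<vnet>[^/]+)"
    r"/subnets/(?P<subnet>[^/]+)$",
    re.IGNORECASE,
)
# Short form {vnet_name}/{subnet_name}: exactly two non-empty segments.
NAME_PAIR = re.compile(r"^[^/]+/[^/]+$")
REQUIRED = ("/providers/Microsoft.Network/virtualNetworks/", "/subnets/")


def classify_vnet_rule(rule):
    """Return 'subnet_id' or 'name_pair'; raise ValueError saying what is wrong."""
    if SUBNET_ID.match(rule):
        return "subnet_id"
    if NAME_PAIR.match(rule):
        return "name_pair"
    if rule.lower().startswith("/subscriptions/"):
        missing = [seg for seg in REQUIRED if seg.lower() not in rule.lower()]
        raise ValueError(f"incomplete subnet ID, missing {missing}: {rule}")
    raise ValueError(f"expected vnet_name/subnet_name or a subnet ID: {rule}")


def subnet_id(subscription, resource_group, vnet, subnet):
    """Assemble the full subnet resource ID from its parts."""
    return (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}")


def network_acls_json(vnet_rules, ip_rules=()):
    """Validate every VNet rule, then serialise a --network-acls value."""
    for rule in vnet_rules:
        classify_vnet_rule(rule)
    acls = {"vnet": list(vnet_rules)}
    if ip_rules:
        acls["ip"] = list(ip_rules)
    return json.dumps(acls)


# Constructed sample values modelled on the issue (placeholders, not real resources).
BAD = "/subscriptions/MY_SUBS/resourceGroups/rg-01/spoke-01/snet-01"
GOOD = subnet_id("MY_SUBS", "rg-01", "spoke-01", "snet-01")

if __name__ == "__main__":
    print(network_acls_json([GOOD, "spoke-01/snet-02"], ["1.2.3.4"]))
```
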