az cli command to create service principal doesn't create certificate in keyvault
I'm running the below lines of my script:
Write-Host "Creating KeyVault..."
az keyvault create --name mykeyvault --resource-group myrg --location polandcentral
Write-Host "Creating service principal..."
az ad sp create-for-rbac --name mysp --role contributor --scopes "/subscriptions/subscriptionid/resourceGroups/myrg" --create-cert --cert mycert --keyvault mykeyvault
But the effect is that a Keyvault is created as well as service principal. However those last three options of az ad sp create-for-rbac command doesn't seem to do anything, because:
When I browse my Keyvault in the portal, I can see it's empty
The output from the sp creation command is (and I would expect something different, since I'm making it use certificate created in KV):
{ "appId": "...", "displayName": "mysp", "password": "...", "tenant": "..." }
What is it that I'm doing wrong here?
EDIT
The az ad sp create-for-rbac command returns this output:
Found an existing application instance: (id) <here goes the guid>. We will patch it.
Creating 'contributor' role assignment under scope '/subscriptions/<sub_guid>'
Role assignment already exists.
Note that, the certificates created in key vault via CLI is only visible to the user who created it by signing in via
az login.
In my case, I connected to Azure via CLI using below command by signing in with Sri user:
az login --only-show-errors
Response:
When I ran your code in my environment, certificate created successfully in key vault along with service principal as below:
Write-Host "Creating KeyVault..."
az keyvault create --name srikeyvault06 --resource-group Sri --location polandcentral
Write-Host "Creating service principal..."
az ad sp create-for-rbac --name srisp06 --role contributor --scopes "/subscriptions/subId/resourceGroups/Sri" --create-cert --cert mycert06 --keyvault srikeyvault06
Response:
To confirm that, you can also run below CLI command that retrieves certificates present in specific key vault:
az keyvault certificate list --vault-name srikeyvault06
Response:
You cannot see that certificate if you are trying to access the key vault from different user account and missed adding key vault access policy with
Listpermission to that user.
When I tried to check the same from different user account, I got below screen with no certificates:
To resolve this, you need to add new access policy in key vault by enabling List access for certificates to other user too like this:
When I tried to check the same from that user account again, I can find the certificate successfully in key vault as below:
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Terraform and Azure: Problems with association between NetworkSecurityGroups and Subnets
- connecting Azure DevOps organisation with Azure creates resource groups in Azure
- How to find a driveItem ID given only a document URL?
- Is it possible to scale Azure app services programmatically
- How Does Setting AZCOPY_JOB_PLAN_LOCATION and AZCOPY_LOG_LOCATION Improve Disk Usage?
- AADB2C90068: The provided application with ID is not valid against this service. Please use an application created via the B2C portal and try again
- Limit users allowed with Entra and Accounts in any organizational account and personal Microsoft accounts
- Can't create support request in Asure, despite correct subscription
- Deploy Container App from Bitbucket to Azure
- How to upload large files to Onedrive using python
- How to query Azure DevOps Work Items using client_id and client_secret