azureazure-keyvaultazure-cliazure-service-principal

az cli command to create service principal doesn't create certificate in keyvault


I'm running the below lines of my script:

Write-Host "Creating KeyVault..."

az keyvault create --name mykeyvault --resource-group myrg --location polandcentral

Write-Host "Creating service principal..."

az ad sp create-for-rbac --name mysp --role contributor --scopes "/subscriptions/subscriptionid/resourceGroups/myrg" --create-cert --cert mycert --keyvault mykeyvault

But the effect is that a Keyvault is created as well as service principal. However those last three options of az ad sp create-for-rbac command doesn't seem to do anything, because:

  1. When I browse my Keyvault in the portal, I can see it's empty

  2. The output from the sp creation command is (and I would expect something different, since I'm making it use certificate created in KV):

    { "appId": "...", "displayName": "mysp", "password": "...", "tenant": "..." }

What is it that I'm doing wrong here?

EDIT

The az ad sp create-for-rbac command returns this output:

Found an existing application instance: (id) <here goes the guid>. We will patch it.
Creating 'contributor' role assignment under scope '/subscriptions/<sub_guid>'
  Role assignment already exists.

Solution

  • Note that, the certificates created in key vault via CLI is only visible to the user who created it by signing in via az login.

    In my case, I connected to Azure via CLI using below command by signing in with Sri user:

    az login --only-show-errors
    

    Response:

    enter image description here

    When I ran your code in my environment, certificate created successfully in key vault along with service principal as below:

    Write-Host "Creating KeyVault..."
    az keyvault create --name srikeyvault06 --resource-group Sri --location polandcentral
    
    Write-Host "Creating service principal..."
    az ad sp create-for-rbac --name srisp06 --role contributor --scopes "/subscriptions/subId/resourceGroups/Sri" --create-cert --cert mycert06 --keyvault srikeyvault06
    

    Response:

    enter image description here

    To confirm that, you can also run below CLI command that retrieves certificates present in specific key vault:

    az keyvault certificate list --vault-name srikeyvault06
    

    Response:

    enter image description here

    You cannot see that certificate if you are trying to access the key vault from different user account and missed adding key vault access policy with List permission to that user.

    When I tried to check the same from different user account, I got below screen with no certificates:

    enter image description here

    To resolve this, you need to add new access policy in key vault by enabling List access for certificates to other user too like this:

    enter image description here

    When I tried to check the same from that user account again, I can find the certificate successfully in key vault as below:

    enter image description here