
Unable to retrieve key vault certificates in azure runbook


I am trying to access Key Vault certificates inside an Azure runbook, in the new Runtime environment experience. But for some reason, it is not allowing me to list them.

This is the command that is returning null.

$AzureContext = (Connect-AzAccount -Identity -Verbose).context
$certificate = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certificateName

But when I run the same command in local or cloud PowerShell, I am able to access the Key Vault certificate.

The runbook environment used has the following specs:

PowerShell Version: 5.1
Modules Attached: Az, ExchangeOnlineManagement

I have tried both the RBAC approach and the access policy approach for the key vault. Using the access policy approach, I have given read and list certificate permissions to the managed identity of the automation account. And using the RBAC approach, I have assigned the automation account both the Key Vault Certificates Officer and Key Vault Reader roles. I even tried using a user-assigned identity for the automation account with Key Vault Reader permission.

It doesn't throw any error either, such as a missing permission or incorrect config, just a null value for the certificate. If anyone has experience with this or suggestions on what might be going wrong, I'd appreciate your help.


EDIT

The following is a screenshot of the dependencies of the runtime environment with their respective versions.

Packages In Azure Runtime Environment

Additional Note: The UI of this page is also broken, preventing direct access to the package details due to issues with inline CSS. I have temporarily modified the browser's CSS to view it. If anyone knows the proper channel to report this UI issue, that would be helpful. To recreate, just click on any Azure runtime environment; you won't be able to see any dependency. I was planning on reporting it as well but am currently focused on resolving the main issue mentioned above.

The debug log for the execution of Get-AzKeyVaultCertificate is attached below (no errors or anything out of ordinary is displayed). I hope it helps someone familiar with its internal workings to identify the root cause.




Solution

  • PowerShell 5.1 is an older version that doesn't fully support the features and changes introduced in newer Az module versions (8.x and above).

    In your case, the error occurred because PowerShell 5.1 is incompatible with Az module versions above v8. To resolve the error, try downgrading the Az module to an earlier version, such as 6.5.0.

    I have one Azure Key Vault with certificate named sricert0310 in it as below:


    To retrieve these details in Azure runbook, I assigned same roles as you to managed identity under Key Vault like this:


    When I ran the below PowerShell script with runbook having Az modules of compatible versions, I got the response successfully:

    $vaultName = "kvname"
    $certificateName = "certname"
    
    $AzureContext = (Connect-AzAccount -Identity -Verbose).context
    $certificate = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certificateName
    
    $certificate
    

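The following diagnostic runbook is an added example, not code from the question or the answer. It logs the PowerShell and Az module versions the job actually loads, confirms which identity signed in, and turns the silent null result into a job failure. The vault and certificate names are the answer's placeholders, and the version guidance in the error message is the answer's claim, not something the script verifies.

```powershell
# Added diagnostic example; 'kvname' and 'certname' are placeholders.
$ErrorActionPreference = 'Stop'
$vaultName       = 'kvname'
$certificateName = 'certname'

# 1. Record the runtime and the Az module versions available to this job.
Write-Output ("PowerShell version: {0}" -f $PSVersionTable.PSVersion)
Get-Module -ListAvailable -Name Az, Az.Accounts, Az.KeyVault |
    Sort-Object Name, Version -Descending |
    Select-Object Name, Version, ModuleBase |
    Format-Table -AutoSize | Out-String | Write-Output

# 2. Sign in with the Automation account's managed identity and log who we are,
#    so role assignments can be checked against the right principal.
$AzureContext = (Connect-AzAccount -Identity).Context
if (-not $AzureContext) {
    throw 'Connect-AzAccount -Identity returned no context.'
}
Write-Output ("Signed in as {0} in tenant {1}, subscription {2}" -f `
    $AzureContext.Account.Id, $AzureContext.Tenant.Id, $AzureContext.Subscription.Id)

# 3. Fetch the certificate with the context passed explicitly.
$certificate = Get-AzKeyVaultCertificate -VaultName $vaultName `
    -Name $certificateName -DefaultProfile $AzureContext

# 4. Fail the job on a null result instead of continuing without a certificate.
if ($null -eq $certificate) {
    $loaded = Get-Module -Name Az.KeyVault | Select-Object -First 1
    throw ("Get-AzKeyVaultCertificate returned null for '{0}' in vault '{1}'. " +
           "Loaded Az.KeyVault {2} on PowerShell {3}; compare these versions " +
           "with an environment where the call succeeds.") -f `
           $certificateName, $vaultName, $loaded.Version, $PSVersionTable.PSVersion
}

# 5. Log only non-secret metadata about the certificate.
Write-Output ("Certificate {0}: thumbprint {1}, expires {2}" -f `
    $certificate.Name, $certificate.Thumbprint, $certificate.Expires)
```

Running the same script locally and in the runbook gives two version listings that can be compared directly, which is the comparison the answer's diagnosis relies on.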