I have a bash script vault.sh

#!/usr/bin/env bash
az login
Source_Kv_Name="myKeyVault2020"
# Append the ids of all secrets in the vault to the SECRETS array
SECRETS+=($(az keyvault secret list --vault-name "$Source_Kv_Name" --query "[].id" -o tsv))

If I run it as bash vault.sh it fails to connect to the vault (authenticate).

If I run the same commands from the terminal, not the script, it works fine. Why is this happening, and how do I authenticate the bash script so it runs the same?

Wojtas.Zet

2 Answers

What is the error? Can you share the output? I can say that for a bash script you usually need to "hard-code the user's password" in the script, or use SPN authentication. If your script is running from Azure Automation, you can use the Identity Management on the Azure Automation account, give the automation account access to the component, and use that access. Example:

# Acquire an Azure context with the automation account's managed identity
$azContext = (Connect-AzAccount -Identity).context
  • az login is successful from the script and yields the usual json (same as without the script), but then there is an error: `ERROR: Max retries exceeded attempting to connect to Vault. The Vault may not exist or you may need to flush your DNS cache and try again later.` It obviously exists, because running the command just from the terminal `az keyvault secret list --vault-name $Source_Kv_Name --query "[].id" -o tsv` yields the list of secrets. I must add that I run the az login on my local machine with Ubuntu – Wojtas.Zet Nov 22 '22 at 12:47
  • So the script works perfectly fine from the interactive cloud shell (browser Azure portal shell). It must be an issue with having a separate VM. – Wojtas.Zet Nov 24 '22 at 13:02
I tried to reproduce the same in my environment and got the result successfully.

In my bash shell I log in with az login like below:

[screenshot]

Then I copy https://microsoft.com/devicelogin into the browser, enter the code -> continue, and close the tab like below:

[screenshot]

Now I create a file with vi vault.sh containing the same script, like below:

#!/usr/bin/env bash
az login
Source_Kv_Name="khankeyvault"
# List the ids of all secrets in the vault
az keyvault secret list --vault-name "$Source_Kv_Name" --query "[].id" -o tsv

[screenshot]

When I run bash vault.sh I get the same login authentication and get the result successfully, like below:

[screenshot]

Imran
  • Hi Imran, thanks for the elaborate answer. I must add that I run the az login on my local machine with Ubuntu. I get az login as success, but the script is still giving permission denied to the vault itself. I cannot list the secrets. I wonder if it is somehow tied to the security policy of my organization in Azure – Wojtas.Zet Nov 22 '22 at 12:37
  • The error after getting the json with the login information is: `ERROR: Max retries exceeded attempting to connect to Vault. The Vault may not exist or you may need to flush your DNS cache and try again later.` – Wojtas.Zet Nov 22 '22 at 12:46
  • This Max Retries error occurs if you don't include a quoted `$sourceVaultName` when trying to **show** the secrets. Try using a script like this ![image](https://i.imgur.com/6n3NKry.png) `$secrets = $secretNames | % { $secret = az keyvault secret show --name $_ --vault-name $sourceVaultName -o json | ConvertFrom-Json; [PSCustomObject]@{ name = $_; value = $secret.value; } }` and [refer to](https://github.com/Azure/azure-cli/issues/13952) this – Imran Nov 22 '22 at 13:10
  • I wish. If I hard-code the name instead of the variable it is the same, with quotes or without quotes. The copy-pasted command works fine as a single command from the terminal; it yields the list of secrets. I think it must be some difference between running a script and a command, but what would it be? – Wojtas.Zet Nov 22 '22 at 13:36
  • So the script works perfectly fine from the interactive cloud shell (browser Azure portal shell). It must be an issue with having a separate VM. – Wojtas.Zet Nov 24 '22 at 13:01
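As an added example, not code from the question or either answer: since the error text points at name resolution, one thing worth ruling out in a script that fails where the typed command works is an unintended character in the vault-name variable (a trailing blank, or a carriage return from a script saved with CRLF line endings), which would make the CLI look up a hostname that does not exist. The script below strips such characters, checks the name against Key Vault naming rules (3-24 letters, digits or hyphens, starting with a letter, ending with a letter or digit, no consecutive hyphens) and verifies an existing CLI session before listing secrets. Function names are hypothetical, and the usage line reuses the question's sample vault name.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: check the
# vault-name variable and the CLI session before listing secrets, so that an
# unintended character in the name (a trailing blank, or a carriage return
# from a script saved with CRLF line endings) fails with a clear message
# instead of an opaque name-resolution error. Function names are hypothetical;
# "myKeyVault2020" in the usage comment is the question's sample name.

# Print the name with CR/LF removed and leading/trailing blanks trimmed.
sanitize_vault_name() {
    printf '%s' "$1" | tr -d '\r\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed only if the name follows Key Vault naming rules: 3-24 characters,
# letters, digits and hyphens only, starts with a letter, ends with a letter
# or digit, and contains no consecutive hyphens.
valid_vault_name() {
    name="$1"
    [ "${#name}" -ge 3 ] && [ "${#name}" -le 24 ] || return 1
    case "$name" in
        *--*) return 1 ;;
    esac
    printf '%s' "$name" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]$'
}

# List the secret ids of the vault named in $1 after the checks above.
list_vault_secrets() {
    vault=$(sanitize_vault_name "$1")
    if ! valid_vault_name "$vault"; then
        printf 'invalid Key Vault name: "%s"\n' "$vault" >&2
        return 2
    fi
    # Fail early when there is no CLI session rather than prompting for an
    # interactive az login in the middle of the script.
    if ! az account show >/dev/null 2>&1; then
        echo 'no Azure CLI session; run "az login" first' >&2
        return 3
    fi
    az keyvault secret list --vault-name "$vault" --query "[].id" -o tsv
}

# Usage: sh vault_check.sh myKeyVault2020
if [ "$#" -gt 0 ]; then
    list_vault_secrets "$@"
fi
```

Running it with `sh -x` additionally shows the exact bytes of the name being passed to the CLI, which is the quickest way to spot a stray `\r` that a terminal does not display.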