Unable to set a SAS definition in Key Vault #22828

Closed
simonetino opened this issue Jun 10, 2022 · 3 comments

@simonetino

Azure CLI fails at setting a SAS definition in Key Vault as part of a setup to create a managed storage account.

Related command

az keyvault storage sas-definition create --vault-name <YourKeyVaultName> --account-name <YourStorageAccountName> -n <YourSASDefinitionName> --validity-period PT5M --sas-type account --template-uri "sv=2018-03-28&ss=b&srt=sco&sp=rwdlactfx&spr=https"

Describe the bug

The bug occurs when setting a SAS definition in a KeyVault as part of a setup where a Storage Account is managed by such Key Vault:
https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys

To Reproduce

Create a Storage Account that is managed by a KeyVault by following the steps described in the following documentation page:
https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys

The error occurs when setting the SAS definition in the KeyVault.
The command fails with the following error message:

signedServicesshould be specified

'ss' is not recognized as an internal or external command,
operable program or batch file.
'srt' is not recognized as an internal or external command,
operable program or batch file.
'st' is not recognized as an internal or external command,
operable program or batch file.
'se' is not recognized as an internal or external command,
operable program or batch file.
'sp' is not recognized as an internal or external command,
operable program or batch file.
'sig' is not recognized as an internal or external command,
operable program or batch file.

Expected behavior

The command should create a SAS definition in Key Vault.
As an example, it should create an object that looks like the following one:

{
  "attributes": {
    "created": "<date-of-creation>",
    "enabled": true,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "<date-of-update>"
  },
  "id": "https://<my-key-vault-name>.vault.azure.net/storage/<my-managed-storage-account-name>/sas/<my-sas-definition-name>",
  "sasType": "account",
  "secretId": "https://<my-keyvault-name>.vault.azure.net/secrets/<my-managed-storage-account-name>-<my-sas-definition-name>",
  "tags": null,
  "templateUri": "sv=2018-03-28&ss=b&srt=sco&sp=rwdlactfx&spr=https",
  "validityPeriod": "PT5M"
}

Environment summary

Running in PowerShell 7.2.4, the command az version returns:

{
  "azure-cli": "2.37.0",
  "azure-cli-core": "2.37.0",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {}
}

Existing workaround

This error occurs only with Azure CLI, but it completes successfully using the Azure PowerShell commands, i.e. the following command works correctly and the SAS definition is created correctly:

Set-AzKeyVaultManagedStorageSasDefinition -AccountName $storageAccountName -VaultName $keyVaultName -Name <YourSASDefinitionName> -TemplateUri $sasTemplate -SasType 'account' -ValidityPeriod ([System.Timespan]::FromMinutes(5))

Once the SAS definition is created using Azure PowerShell, then Azure CLI can successfully verify the SAS definition creation through the following command:

az keyvault storage sas-definition show --id https://<YourKeyVaultName>.vault.azure.net/storage/<YourStorageAccountName>/sas/<YourSASDefinitionName>
@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot KeyVault az keyvault labels Jun 10, 2022
@ghost ghost assigned evelyn-ys Jun 10, 2022
@ghost ghost added this to the Backlog milestone Jun 10, 2022
@yonzhan
Collaborator

yonzhan commented Jun 10, 2022

keyvault

@evelyn-ys
Member

This is a PowerShell quoting issue tracked at #15529.
You can see the explanation and workarounds in https://github.com/Azure/azure-cli/blob/dev/doc/quoting-issues-with-powershell.md#ampersand--is-interpreted-by-command-prompt

In short, you can use """ to wrap your SAS token in PowerShell:
"""sv=2018-03-28&ss=b&srt=sco&sp=rwdlactfx&spr=https"""

@simonetino
Author

@evelyn-ys I confirm this workaround works for me, thanks.

@yonzhan yonzhan closed this as completed Jun 13, 2022
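
The workaround above applied to the full command from the issue, followed by a check that the stored template was not cut at the first `&`. This is an added example, not part of the original thread; the variable names are illustrative, the `<...>` placeholders are the issue's own, and it assumes `show` returns `templateUri` unchanged, as in the expected object quoted in the issue.

```powershell
# Added example (not from the thread). Replace the <...> placeholders before running.
$vault    = '<YourKeyVaultName>'
$account  = '<YourStorageAccountName>'
$name     = '<YourSASDefinitionName>'
$template = 'sv=2018-03-28&ss=b&srt=sco&sp=rwdlactfx&spr=https'

# On Windows, az is a .cmd shim, so cmd.exe re-parses the argument line.
# An unquoted '&' is a command separator there: everything after it is run
# as separate commands, which is where the "'ss' is not recognized..." lines
# in the issue come from.
# """...""" is a PowerShell string whose value starts and ends with a literal
# double quote, so cmd.exe receives the whole template as one quoted argument.
az keyvault storage sas-definition create `
    --vault-name $vault `
    --account-name $account `
    -n $name `
    --validity-period PT5M `
    --sas-type account `
    --template-uri """$template"""

if ($LASTEXITCODE -ne 0) {
    throw "az keyvault storage sas-definition create failed with exit code $LASTEXITCODE"
}

# Read the definition back and compare it with what was intended, so a
# template truncated at the first '&' is caught instead of silently stored.
$id     = "https://${vault}.vault.azure.net/storage/${account}/sas/${name}"
$stored = az keyvault storage sas-definition show --id $id --query templateUri -o tsv

if ($stored -ne $template) {
    throw "Stored templateUri '$stored' does not match the intended template"
}
Write-Output "SAS definition '$name' created; templateUri matches."
```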