Closed
Labels: KeyVault, bug (This issue requires a change to an existing behavior in the product in order to be resolved.), customer-reported
Description
You can assign the "Rotate" key permission in a Key Vault Access Control Policy.
When you retrieve an existing policy, "Rotate" is returned as a value in PermissionsToKeys.
When you try to assign the "Rotate" permission using Set-AzKeyVaultAccessPolicy, an exception is thrown with the following message:
The argument "Rotate" does not belong to the set "all,decrypt,encrypt,unwrapKey,wrapKey,verify,sign,get,list,update,create,import,delete,backup,restore,recover,purge" specified by the ValidateSet attribute.
The expected result is that the "Rotate" permission is accepted as valid.
Issue script & Debug output
PS D:\Duray\kbweb\keyVault> $vaultName = "an existing vault with Rotate Permissions assigned"
PS D:\Duray\kbweb\keyVault> $vault = Get-AzKeyVault -Name $KeyVaultName
PS D:\Duray\kbweb\keyVault> $policy = $vault.AccessPolicies[8]
PS D:\Duray\kbweb\keyVault> $policy.PermissionsToKeys
Get
List
Update
Create
Import
Delete
Recover
Backup
Restore
Decrypt
Encrypt
UnwrapKey
WrapKey
Verify
Sign
Purge
Rotate
GetRotationPolicy
SetRotationPolicy
PS D:\Duray\kbweb\keyVault> $vaultName = "kb-dev"
PS D:\Duray\kbweb\keyVault> Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $policy.objectId `
>> -PermissionsToKeys $policy.permissionsToKeys `
>> -PermissionsToSecrets $policy.permissionsToSecrets `
>> -permissionsToCertificates $policy.permissionsToCertificates -Verbose -Debug
Set-AzKeyVaultAccessPolicy:
Line |
2 | -PermissionsToKeys $policy.permissionsToKeys `
| ~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot validate argument on parameter 'PermissionsToKeys'. The argument "Rotate" does not belong to the set "all,decrypt,encrypt,unwrapKey,wrapKey,verify,sign,get,list,update,create,import,delete,backup,restore,recover,purge" specified by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.
Environment data
Name Value
---- -----
PSVersion 7.2.2
PSEdition Core
GitCommitId 7.2.2
OS Microsoft Windows 10.0.19044
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Module versions
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.4.0 Az.Accounts {Add-AzEnvironment, Clear-AzContext, Clear-AzDe…
Script 3.4.2 Az.KeyVault {Add-AzKeyVaultCertificate, Add-AzKeyVaultCerti…
Error output
DEBUG: 10:32:21 AM - ResolveError begin processing with ParameterSet 'AnyErrorParameterSet'.
DEBUG: 10:32:21 AM - using account id '[email protected]'...
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release. Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
HistoryId: 23
Message : Cannot validate argument on parameter 'PermissionsToKeys'. The argument "Rotate" does not belong to
the set "all,decrypt,encrypt,unwrapKey,wrapKey,verify,sign,get,list,update,create,import,delete,back
up,restore,recover,purge" specified by the ValidateSet attribute. Supply an argument that is in the
set and then try the command again.
StackTrace : at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal
parameter, CompiledCommandParameter parameterMetadata, ParameterBindingFlags flags)
at
System.Management.Automation.CmdletParameterBinderController.BindParameter(CommandParameterInternal
argument, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
at System.Management.Automation.CmdletParameterBinderController.BindParameter(UInt32
parameterSets, CommandParameterInternal argument, MergedCompiledCommandParameter parameter,
ParameterBindingFlags flags)
at System.Management.Automation.CmdletParameterBinderController.BindNamedParameter(UInt32
parameterSets, CommandParameterInternal argument, MergedCompiledCommandParameter parameter)
at System.Management.Automation.ParameterBinderController.BindNamedParameters(UInt32
parameterSets, Collection`1 arguments)
at System.Management.Automation.CmdletParameterBinderController.BindCommandLineParametersNoValida
tion(Collection`1 arguments)
at
System.Management.Automation.CmdletParameterBinderController.BindCommandLineParameters(Collection`1
arguments)
at System.Management.Automation.CommandProcessor.BindCommandLineParameters()
at System.Management.Automation.CommandProcessor.Prepare(IDictionary psDefaultParameterValues)
at System.Management.Automation.CommandProcessorBase.DoPrepare(IDictionary
psDefaultParameterValues)
at System.Management.Automation.Internal.PipelineProcessor.Start(Boolean incomingStream)
at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object
input)
--- End of stack trace from previous location ---
at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(Object
input)
at System.Management.Automation.PipelineOps.InvokePipeline(Object input, Boolean ignoreInput,
CommandParameterInternal[][] pipeElements, CommandBaseAst[] pipeElementAsts, CommandRedirection[][]
commandRedirections, FunctionContext funcContext)
at System.Management.Automation.Interpreter.ActionCallInstruction`6.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame
frame)
Exception : System.Management.Automation.ParameterBindingValidationException
InvocationInfo : {Set-AzKeyVaultAccessPolicy}
Line : -PermissionsToKeys $policy.permissionsToKeys `
Position : At line:2 char:36
+ -PermissionsToKeys $policy.permissionsToKeys `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 23
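The failure above bites hardest in automation that copies an access policy from one vault to another: the source policy carries "Rotate", the cmdlet's ValidateSet predates it, and the whole run aborts. The script below is an added example, not code from the issue or from the Az.KeyVault module. It reads the accepted values straight off the installed cmdlet's ValidateSet attribute, so it passes "Rotate" through unchanged once a fixed module is installed, and until then it reports (or, with -Strict, refuses) any permission it would have to drop. The function names Get-AcceptedPermissions, Split-Permissions and Copy-KeyVaultAccessPolicy are hypothetical; it assumes Az.Accounts and Az.KeyVault are loaded and Connect-AzAccount has been run.

```powershell
# Added example, not from the issue or the Az module. Assumes Az.Accounts and
# Az.KeyVault are installed and a signed-in context exists (Connect-AzAccount).

# Read the ValidateSet of a Set-AzKeyVaultAccessPolicy parameter from the
# installed module, so the filter tracks whatever version is actually loaded.
function Get-AcceptedPermissions {
    param([Parameter(Mandatory)][string]$ParameterName)
    $param = (Get-Command Set-AzKeyVaultAccessPolicy).Parameters[$ParameterName]
    $param.Attributes |
        Where-Object { $_ -is [System.Management.Automation.ValidateSetAttribute] } |
        ForEach-Object { $_.ValidValues }
}

# Partition a requested permission list into what the cmdlet will accept and
# what it would reject. '-in' is case-insensitive, matching ValidateSet's default.
function Split-Permissions {
    param([string[]]$Requested, [string[]]$Accepted)
    $kept = @(); $dropped = @()
    foreach ($p in $Requested) {
        if ($p -in $Accepted) { $kept += $p } else { $dropped += $p }
    }
    [pscustomobject]@{ Kept = $kept; Dropped = $dropped }
}

# Copy one principal's access policy from $SourceVaultName to $TargetVaultName.
# Without -Strict, unsupported permissions are dropped with a warning; with
# -Strict the copy fails rather than silently granting less than the source.
function Copy-KeyVaultAccessPolicy {
    param(
        [Parameter(Mandatory)][string]$SourceVaultName,
        [Parameter(Mandatory)][string]$TargetVaultName,
        [Parameter(Mandatory)][string]$ObjectId,
        [switch]$Strict
    )
    $source = Get-AzKeyVault -VaultName $SourceVaultName
    $policy = $source.AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId }
    if (-not $policy) { throw "No access policy for $ObjectId on $SourceVaultName" }

    $lists = @{
        PermissionsToKeys         = $policy.PermissionsToKeys
        PermissionsToSecrets      = $policy.PermissionsToSecrets
        PermissionsToCertificates = $policy.PermissionsToCertificates
    }
    # Not named $args: that is a PowerShell automatic variable.
    $splat = @{ VaultName = $TargetVaultName; ObjectId = $ObjectId }
    foreach ($name in $lists.Keys) {
        $requested = @($lists[$name] | Where-Object { $_ })   # drop null/empty
        $split = Split-Permissions -Requested $requested -Accepted (Get-AcceptedPermissions $name)
        if ($split.Dropped.Count -gt 0) {
            $msg = "$name on $TargetVaultName will NOT include: $($split.Dropped -join ', ')"
            if ($Strict) { throw $msg }
            Write-Warning $msg
        }
        if ($split.Kept.Count -gt 0) { $splat[$name] = $split.Kept }
    }
    # -PermissionsTo* replace the principal's existing lists on the target vault,
    # so anything dropped above is genuinely absent from the target afterwards.
    Set-AzKeyVaultAccessPolicy @splat -PassThru
}

# Usage (vault names and object ID are placeholders):
# Copy-KeyVaultAccessPolicy -SourceVaultName 'source-vault' -TargetVaultName 'kb-dev' `
#     -ObjectId '00000000-0000-0000-0000-000000000000' -Strict
```

Run without -Strict only when a narrower policy on the target is acceptable; in a pipeline that is supposed to reproduce the source policy exactly, -Strict is the safer default, because a principal that loses "Rotate" this way will fail at its next rotation rather than at deployment time.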