No way to remove Key Vault access policy

[chriskuech]

This is autogenerated. Please review and update as needed.

Describe the bug

Command Name
az keyvault set-policy

Errors:

ValidationError: specify at least one: --key-permissions, --secret-permissions, --certificate-permissions --storage-permissions

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

• az keyvault set-policy --name {} --object-id {} (no --certificate-permissions present)
• az keyvault set-policy --name {} --object-id {} --certificate-permissions (--certificate-permissions present with no value)
• az keyvault set-policy --name {} --object-id {} --certificate-permissions (--certificate-permissions "" present with empty value)

Expected Behavior

One of these commands clears the certificate permissions for given user and vault.

Environment Summary

Windows-10-10.0.19041-SP0
Python 3.6.8
Installer: MSI

azure-cli 2.16.0 *

Extensions:
azure-devops 0.17.0

Additional Context

Looking at the available commands for az keyvault, it does not seem possible to remove access that has previously been granted with az keyvault set-policy. This seems like a critical feature because it is very easy to add many access policies with az keyvault set-policy but not easy to clean up, and thus causing manual effort to comply with compliance requirements.

[fengzhou-msft]

@houk-ms can you take a look?

[middleagedman]

I've just found this issue as well.. Writing some azcli code for my coworkers and need to have it clean up afterwards. You can do this with the az powershell modules, but I'd rather write it in az cli.

Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $User -PermissionsToCertificates @()

[kaylumah]

any update on this?