
KeyVault create key with rotation policy errors with AKV.SKR.1005: Non-exportable keys must not have release policy #28288

Closed
arthurderyckere-newday opened this issue Feb 1, 2024 · 5 comments
Labels: Auto-Assign, Azure CLI Team, customer-reported, KeyVault, az keyvault, question

Comments


arthurderyckere-newday commented Feb 1, 2024

Describe the bug

The portal allows me to create an RSA key on a standard SKU KeyVault with a rotation policy of 1 year.

The CLI seems to error whilst trying to create a key with a rotation policy.

Role assignment: Key Vault Crypto Officer

Related command

az keyvault key create --name test-tenant-key-3 --vault-name kv-private-cmk --policy '{"lifetimeActions":[{"trigger":{"timeAfterCreate":"P1Y","timeBeforeExpiry":null},"action":{"type":"Rotate"}},{"trigger":{"timeBeforeExpiry":"P30D"},"action":{"type":"Notify"}}],"attributes":{"expiryTime":"P2Y"}}'

or

az keyvault key rotation-policy update -n test-tenant-key-2 --vault-name kv-private-cmk --value policy.json

with policy.json contents

{"lifetimeActions":[{"trigger":{"timeAfterCreate":"P1Y","timeBeforeExpiry":null},"action":{"type":"Rotate"}},{"trigger":{"timeBeforeExpiry":"P30D"},"action":{"type":"Notify"}}],"attributes":{"expiryTime":"P2Y"}}

Errors

AKV.SKR.1005: Non-exportable keys must not have release policy

Issue script & Debug output

cli.knack.cli: Command arguments: ['keyvault', 'key', 'rotation-policy', 'update', '-n', 'test-tenant-key-2', '--vault-name', 'kv-private-cmk', '--value', 'policy.json', '--debug']
cli.azure.cli.core.util: attempting to read file policy.json as utf-8-sig
urllib3.connectionpool: Starting new HTTPS connection (1): kv-private-cmk.vault.azure.net:443
urllib3.connectionpool: https://kv-name.vault.azure.net:443 "PUT /keys/test-tenant-key-2/rotationpolicy?api-version=7.3 HTTP/1.1" 401 97
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://vault.azure.net/.default',), kwargs={'tenant_id': 'tenantGuid'}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://vault.azure.net/.default',), kwargs={}
msal.application: Cache hit an AT
msal.telemetry: Generate or reuse correlation_id: 87d3fbc3-1512-42da-98db-bdd050d92d67
urllib3.connectionpool: https://kv-name.vault.azure.net:443 "PUT /keys/test-tenant-key-2/rotationpolicy?api-version=7.3 HTTP/1.1" 200 294
{
  "createdOn": "2024-02-01T14:44:35+00:00",
  "expiresIn": null,
  "id": "https://kv-private-cmk.vault.azure.net/keys/test-tenant-key-2/rotationpolicy",
  "lifetimeActions": [
    {
      "action": "Rotate",
      "timeAfterCreate": "P1Y",
      "timeBeforeExpiry": null
    },
    {
      "action": "Notify",
      "timeAfterCreate": null,
      "timeBeforeExpiry": "P30D"
    }
  ],
  "updatedOn": "2024-02-01T16:01:37+00:00"
}
az_command_data_logger: exit code: 0
cli.main: Command ran in 1.513 seconds (init: 0.372, invoke: 1.141)

Expected behavior

RSA key is created with rotation policy of 1 year.

Environment Summary

azure-cli 2.36.0 *

core 2.36.0 *
telemetry 1.0.6 *

Extensions:
ssh 1.0.1

Dependencies:
msal 1.17.0
azure-mgmt-resource 20.0.0

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\S01626.azure\cliextensions'

Python (Windows) 3.10.4 (tags/v3.10.4:9d38120, Mar 23 2022, 22:57:10) [MSC v.1929 32 bit (Intel)]

and on:

azure-cli 2.56.0

core 2.56.0
telemetry 1.1.0

Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2

Python location '/opt/az/bin/python3'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.11.5 (main, Jan 8 2024, 09:08:13) [GCC 11.4.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

@arthurderyckere-newday arthurderyckere-newday added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Feb 1, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot KeyVault az keyvault labels Feb 1, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Azure CLI Team The command of the issue is owned by Azure CLI team label Feb 1, 2024
yonzhan (Collaborator) commented Feb 1, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Feb 1, 2024
@yonzhan yonzhan added this to the Backlog milestone Feb 1, 2024
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Feb 1, 2024
evelyn-ys (Member) commented:

Please add --exportable true while creating keys with rotation policy

arthurderyckere-newday (Author) commented:

Please add --exportable true while creating keys with rotation policy

Returns error AKV.SKR.1006: Key can only set exportable to true when kty is RSA-HSM or EC-HSM but value is 'RSA'. Code: BadParameter Message: AKV.SKR.1006: Key can only set exportable to true when kty is RSA-HSM or EC-HSM but value is 'RSA'.

arthurderyckere-newday (Author) commented:

@evelyn-ys @yonzhan any update on this?

arthurderyckere-newday (Author) commented:

Microsoft Support came back with an answer.
The --policy argument of az keyvault key create can't be used to create a rotation policy; rather, it describes "rules under which the key can be exported".
To create a rotation policy, first create the key, then run the az keyvault key rotation-policy update command to add a rotation policy.
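The resolution above comes down to two facts: whatever JSON is handed to --policy on az keyvault key create is treated as a release (SKR) policy, and a rotation policy has to go through az keyvault key rotation-policy update. The following added example (not Azure CLI or Key Vault code) is a client-side preflight that encodes both: it reproduces the two AKV.SKR errors quoted in this thread and builds the correct command sequence from a policy document, recognising a rotation policy by its top-level "lifetimeActions" as in policy.json. The release-policy sample and its attestation authority are constructed placeholders.

```python
"""Preflight for 'az keyvault key create' / 'rotation-policy update'.
Added example, not Azure CLI code. Mirrors the behaviour reported in this
issue: --policy is the *release* policy regardless of its contents, so a
rotation policy must be applied with a second command after key creation."""
import json
import shlex

HSM_KTYS = {"RSA-HSM", "EC-HSM"}  # the only kty values that may be exportable

ROTATION_POLICY = {  # this issue's policy.json
    "lifetimeActions": [
        {"trigger": {"timeAfterCreate": "P1Y", "timeBeforeExpiry": None}, "action": {"type": "Rotate"}},
        {"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Notify"}}],
    "attributes": {"expiryTime": "P2Y"}}
# Constructed release policy in the SKR shape; the authority URL is a placeholder.
RELEASE_POLICY = {"version": "1.0.0", "anyOf": [{"authority": "https://ATTESTATION-PLACEHOLDER",
                  "allOf": [{"claim": "x-ms-sgx-is-debuggable", "equals": "false"}]}]}

def is_rotation_policy(doc):
    """Rotation policies carry lifetimeActions; release policies never do."""
    return isinstance(doc, dict) and "lifetimeActions" in doc

def check_create_flags(kty, exportable, has_release_policy):
    """Return the AKV.SKR errors the service raised in this issue for 'key create'."""
    errors = []
    if has_release_policy and not exportable:
        errors.append("AKV.SKR.1005: Non-exportable keys must not have release policy")
    if exportable and kty not in HSM_KTYS:
        errors.append("AKV.SKR.1006: Key can only set exportable to true when kty is "
                      f"RSA-HSM or EC-HSM but value is '{kty}'")
    return errors

def plan_commands(name, vault, kty, policy=None, policy_file="policy.json"):
    """Build the az command line(s) for a key with an optional rotation or release policy."""
    create = ["az", "keyvault", "key", "create", "--name", name, "--vault-name", vault, "--kty", kty]
    if policy is None:
        return [shlex.join(create)]
    if is_rotation_policy(policy):
        # Create first, then attach the rotation policy from the file (the fix from support).
        update = ["az", "keyvault", "key", "rotation-policy", "update", "-n", name,
                  "--vault-name", vault, "--value", policy_file]
        return [shlex.join(create), shlex.join(update)]
    # A release policy needs --exportable true, which in turn needs an HSM-backed kty.
    errors = check_create_flags(kty, True, True)
    if errors:
        raise ValueError(errors[0])
    create += ["--exportable", "true", "--policy", json.dumps(policy, separators=(",", ":"))]
    return [shlex.join(create)]
```

Running check_create_flags("RSA", False, True) and check_create_flags("RSA", True, True) reproduces, in order, the AKV.SKR.1005 and AKV.SKR.1006 messages seen in this thread.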
