Unable to use variable to submit multiple IP Addresses to az keyvault network-rule add --ip-address #30988

Open
kalarous opened this issue Mar 8, 2025 · 2 comments
Labels
Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team customer-reported Issues that are reported by GitHub users external to the Azure organization. KeyVault az keyvault Possible-Solution question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Similar-Issue

kalarous commented Mar 8, 2025

Describe the bug

From the command line I can successfully submit the command `az keyvault network-rule add --ip-address 1.2.3.4/32 2.3.4.5/24 7.8.9.10` (space separated and a mix of CIDR and IPv4 addresses) as a list without a problem. Replace the example IPs above with any real public IPv4 addresses and the command will happily add all of the IP addresses in the list using a single command call. However, if I set a variable (let's call it `$AllowedIps`) with the same values, I get an error. The specific error text is "Invalid value found at properties.networkAcls.ipRules[150].value: Value does not respect CIDR notation: my list of IPs in the variable $AllowedIps". I have confirmed that the variable is a System.String variable and the contents of the variable are most definitely a space separated list of CIDR notation IP addresses. I have attempted to try this with a comma separated list with no joy as well.

It makes no sense that I can submit multiple IP addresses from the command line as space separated, but am unable to assign a variable with the same values and use that.

Where this would be REALLY helpful is in cases where there are large numbers of Azure Service IPs that need to be allowed access to a keyvault that has IP restrictions enabled. I can easily get the IPs for a given service from the ginormous Azure Service IPs list into a variable that I would then like to pass on to the network-rule add option in the az keyvault command.

Ideally I'd like this fixed so that either a space or comma delimited list of IPs could be submitted to the az keyvault network-rule add command.

Thanks.

Related command

```
az keyvault network-rule add --ip-address 1.2.3.4 2.3.4.5/24 5.6.7.8/27 -n {keyvault_name}
```

Works like a champ.

```
$AllowedIps = "1.2.3.4 2.3.4.5/24 5.6.7.8/27"
az keyvault network-rule add --ip-address $AllowedIps -n {keyvault_name}
```

Fails with "Invalid value found at properties.networkAcls.ipRules[150].value: Value does not respect CIDR notation: {My list of Allowed IPs IN CIDR notation}".

Where the example IPs above are replaced with actual public IPs or Ranges & {keyvault_name} is replaced with an actual keyvault name.

Errors

"Invalid value found at properties.networkAcls.ipRules[150].value: Value does not respect CIDR notation: {My list of Allowed IPs IN CIDR notation}"

Issue script & Debug output

```
$AllowedIps="1.2.3.4 2.3.4.5/24 3.4.5.6/27"
az keyvault network-rule add --ip-address $AllowedIps -n {keyvault_name}
```

Expected behavior

One should be able to set a variable using proper CIDR notation and submit that variable in place of an actual list of CIDR notated IPs to the az keyvault network-rule add --ip-address command.

Environment Summary

azure-cli 2.70.0

core 2.70.0
telemetry 1.1.0

Extensions:
account 0.2.5
ad 0.1.0
ai-examples 0.2.5

Dependencies:
msal 1.31.2b1
azure-mgmt-resource 23.1.1

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users\lil_b.azure'
Extensions directory 'C:\Users\lil_b.azure\cliextensions'

Python (Windows) 3.12.8 (tags/v3.12.8:2dc476b, Dec 3 2024, 19:30:04) [MSC v.1942 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

What else would you like to know?
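An added PowerShell example, not part of the original issue and not Azure CLI project code, assuming the session is PowerShell (as the `$AllowedIps = "..."` syntax suggests): PowerShell hands a string variable to a native command as one argument, spaces included, whereas an array variable is passed as one argument per element. `ConvertTo-IpRuleList` and `$VaultName` are hypothetical names; the sample addresses are the constructed ones from the report.

```powershell
# Added example: split one delimited string into validated, separate arguments.
function ConvertTo-IpRuleList {
    param([Parameter(Mandatory)][string]$Text)

    # Accept space- or comma-delimited input; drop empty fragments.
    $tokens = $Text -split '[\s,]+' | Where-Object { $_ }

    foreach ($token in $tokens) {
        # "a.b.c.d" or "a.b.c.d/nn"; $prefix is $null when there is no slash.
        $address, $prefix = $token -split '/', 2
        $parsed = $null
        $isIPv4 = ($address -match '^\d{1,3}(\.\d{1,3}){3}$') -and
                  ([System.Net.IPAddress]::TryParse($address, [ref]$parsed))
        $prefixOk = ($null -eq $prefix) -or
                    (($prefix -match '^\d{1,2}$') -and ([int]$prefix -le 32))

        # Reject bad entries locally instead of sending them to the vault's network ACL.
        if (-not ($isIPv4 -and $prefixOk)) {
            throw "Not an IPv4 address or CIDR range: '$token'"
        }
        $token   # emit one array element per address or range
    }
}

# Constructed sample input, same shape as the string in the report.
$AllowedIps = "1.2.3.4 2.3.4.5/24 5.6.7.8/27"

# @() keeps the result an array even when the list holds a single entry.
$ipRules = @(ConvertTo-IpRuleList -Text $AllowedIps)
"{0} separate arguments: {1}" -f $ipRules.Count, ($ipRules -join ' | ')

# Hypothetical placeholder: set to the vault name to run the real command.
$VaultName = $null
if ($VaultName) {
    # The array expands to one argument per element, matching the form
    # that works when the addresses are typed on the command line.
    az keyvault network-rule add --ip-address $ipRules -n $VaultName
}
```

Validating each entry before the call also keeps a malformed or unexpectedly broad range out of the Key Vault firewall rules when the list is generated from another source.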

@kalarous kalarous added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Mar 8, 2025

github-actions bot commented Mar 8, 2025

Here are some similar issues that might help you. Please check if they can solve your problem.


Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

CLI's collection property like --match-values use the space as the separator. Your command should go like:

```
az cdn endpoint rule add -g bzhan-poc -n cachekeytest --profile-name msft-test --order 1 --rule-name iprestriction --match-variable RemoteAddress --operator IPMatch --negate-condition true --match-values 1.2.3.4/32 5.6.7.8/32 --action-name UrlRedirect --redirect-type PermanentRedirect --custom-path /403 --debug
```

The command works as expected per my test:

Reference:

Powered by issue-sentinel

@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot KeyVault az keyvault labels Mar 8, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Mar 8, 2025
@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Mar 8, 2025
@yonzhan yonzhan added this to the Backlog milestone Mar 8, 2025
Collaborator

yonzhan commented Mar 8, 2025

keyvault
