Saturday 27 July 2019

Resolving 'NoneType' object has no attribute 'azure_services' While Setting a Network Rule to Azure Key Vault

As infrastructure automation is a vital aspect of DevOps, you might want to set up an Azure Key Vault to use a subnet in a vnet programmatically. For this you can use the Azure Command Line Interface (CLI), and you may run into the error 'NoneType' object has no attribute 'azure_services'. Let's have a look at how to get this issue resolved.

We can create an Azure Key Vault using the CLI command below.
az keyvault create -n keyvaultName -g resourceGroupName -l azureDataCenterRegion `
             --sku keyvaultSKU
Assuming you already have a resource group, with a vnet and subnet set up in it, we can follow the step below to add the network rule.
az keyvault network-rule add -n keyvaultName -g resourceGroupName --subnet vnetDefaultSubnetName --vnet-name vnetName
However, you may run into the issue below if you have not set the Key Vault to use selected networks in the Firewall and Network rules.
ERROR: 'NoneType' object has no attribute 'azure_services'
This GitHub issue discusses the error in detail.
However, if you are using the AzureRM PowerShell module, this issue does not occur. While setting up the Key Vault or updating it with the CLI, you can set two parameters, --default-action to Deny and --bypass to one of its allowed values (AzureServices, None), so that the Key Vault is set to Selected Networks in the firewall and network rules.
az keyvault update -n keyvaultName -g resourceGroupName `
             --default-action Deny --bypass AzureServices
With this in place, the network rule gets applied to the Key Vault.
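
The steps above can be combined into one PowerShell script that checks the vault's firewall state before adding the rule and verifies the result afterwards. This is an added example, not part of the original post; the variable values are the post's placeholders, and it assumes the firewall settings appear under properties.networkAcls in the az keyvault show output.

```powershell
# Added example: placeholder names taken from the post, replace with your own.
$vault  = 'keyvaultName'
$rg     = 'resourceGroupName'
$vnet   = 'vnetName'
$subnet = 'vnetDefaultSubnetName'

# Helper (hypothetical name): return the vault's firewall settings as an object.
function Get-VaultNetworkAcls {
    $json = az keyvault show -n $vault -g $rg --query 'properties.networkAcls' -o json
    if ($LASTEXITCODE -ne 0) { throw "Could not read Key Vault '$vault'." }
    # An unset ACL block comes back empty or as null; both convert to $null.
    if ($json) { ($json -join "`n") | ConvertFrom-Json }
}

# 1. Inspect the current state. A vault left on "all networks" is the case
#    in which 'network-rule add' fails with the NoneType error.
$acls = Get-VaultNetworkAcls
if ($null -eq $acls -or $acls.defaultAction -ne 'Deny') {
    Write-Host "Switching '$vault' to selected networks (default action Deny)."
    az keyvault update -n $vault -g $rg `
        --default-action Deny --bypass AzureServices | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'az keyvault update failed.' }
}

# 2. Add the subnet rule now that the firewall settings exist.
az keyvault network-rule add -n $vault -g $rg `
    --subnet $subnet --vnet-name $vnet | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'az keyvault network-rule add failed.' }

# 3. Verify: default action is Deny and the subnet is listed.
$acls = Get-VaultNetworkAcls
$rule = $acls.virtualNetworkRules |
    Where-Object { $_.id -like "*/virtualNetworks/$vnet/subnets/$subnet" }
if ($acls.defaultAction -ne 'Deny' -or -not $rule) {
    throw "Verification failed: '$vault' is not restricted to subnet '$subnet'."
}
Write-Host "OK: defaultAction=$($acls.defaultAction), bypass=$($acls.bypass), subnet rule present."
```

Once the default action is Deny, only the listed subnets and the bypassed Azure services can reach the vault, so run the script from a network that will remain allowed.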
