Caution: Az CLI Querying for values omitting quotes

As a heads-up that could save hours of troubleshooting: when you query a value with the Az CLI and pass it to a variable, include --output tsv in your command so that the returned value does not have double quotes (") around it.

In this example, I want to query for the clientId of an existing user-assigned managed identity.

Rather, you should include --output tsv in your command.

This is especially important when you want to assign the value to a variable and use it to set a key vault policy that grants permissions to the user-assigned managed identity.

The error you would get if the variable value included the double quotes would look like:

You can see in the debugging output that the object-id value has double quotes surrounding it and is therefore an invalid value. I thought the double quotes were just part of output formatting and would be appropriately handled in the az keyvault command.

The proper end to end script execution when assigning a variable is as follows:

~/aks-demos$ export identityClientId=$(az identity show -g $rgName -n $aks2kvUserassignedidentityname --query clientId --output tsv)

~/aks-demos$ echo $identityClientId

~/aks-demos$ az keyvault set-policy -g $keyVaultRG -n $keyVaultName --secret-permissions get --spn $identityClientId
  "id": "/subscriptions/<redact>/resourceGroups/aks-solution/providers/Microsoft.KeyVault/vaults/rkapp-kv",
  "location": "canadacentral",
  "name": "rkapp-kv",
  "properties": {
        "applicationId": null,
        "objectId": "abd322fa-a34a-4406-94f3-2cb68c999dd8",
        "permissions": {
          "certificates": null,
          "keys": null,
          "secrets": [
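
One way to catch this before the Key Vault call, as an added example that is not from the original post: a guard that checks the captured value is a bare GUID and flags the JSON-quoted form. The function names and sample GUIDs are constructed for illustration, and no az command is run.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Sample GUIDs are constructed.

# Succeeds only if $1 is a bare GUID: no quotes, whitespace or newlines.
is_bare_guid() {
  case "$1" in
    *[!0-9a-fA-F-]*) return 1 ;;  # rejects quotes, spaces, embedded newlines
  esac
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prints one of: ok | empty | json-quoted | invalid
classify_capture() {
  if [ -z "$1" ]; then
    echo "empty"                  # query matched nothing or the command failed
  elif is_bare_guid "$1"; then
    echo "ok"
  else
    case "$1" in
      \"*\") echo "json-quoted" ;;  # default JSON output keeps the quotes
      *)     echo "invalid" ;;
    esac
  fi
}

# usage: require_guid NAME VALUE ; returns non-zero and explains on stderr
require_guid() {
  state=$(classify_capture "$2")
  if [ "$state" = "ok" ]; then return 0; fi
  echo "refusing to continue: $1 is $state: [$2]" >&2
  if [ "$state" = "json-quoted" ]; then
    echo "hint: re-run the query with --output tsv" >&2
  fi
  return 1
}

# Constructed stand-ins for what $(az identity show ... --query clientId) captures.
json_capture='"11111111-2222-3333-4444-555555555555"'   # without --output tsv
tsv_capture='11111111-2222-3333-4444-555555555555'      # with --output tsv

for v in "$json_capture" "$tsv_capture"; do
  printf '%s -> %s\n' "$v" "$(classify_capture "$v")"
done
```

Calling require_guid identityClientId "$identityClientId" || exit 1 just before az keyvault set-policy stops the script with a clear message instead of an invalid object-id error.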

In conclusion, hope you find this helpful as a tip of awareness.
