Attribute error attempting to return secret data with az keyvault secret show (or list) #30709

Open
jpsebasti opened this issue Jan 23, 2025 · 4 comments
Assignees
Labels
Auto-Assign Auto assign by bot customer-reported Issues that are reported by GitHub users external to the Azure organization. KeyVault az keyvault question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention This issue is responsible by Azure service team.
Milestone

Comments

@jpsebasti

Describe the bug

I am using
$ az version
{
"azure-cli": "2.68.0",
"azure-cli-core": "2.68.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {}
}

I've logged in and now I'm trying to retrieve a secret in my Key Vault. This code has worked for years; however, now I'm receiving errors.
$ az keyvault secret show --vault-name vaultnamehere --name secretnamehere --query value -o tsv
(", AttributeError: 'str' object has no attribute 'get'", 'Unable to deserialize to object: type', AttributeError("'str' object has no attribute 'get'"))

Related command

az keyvault secret show --vault-name vaultnamehere --name secretnamehere --query value -o tsv

Errors

(", AttributeError: 'str' object has no attribute 'get'", 'Unable to deserialize to object: type', AttributeError("'str' object has no attribute 'get'"))

Issue script & Debug output

$ az keyvault secret show --vault-name vaultnamehere --name secretnamehere --query value -o tsv --debug
cli.knack.cli: Command arguments: ['keyvault', 'secret', 'show', '--vault-name', 'nwm-cm-key-vault', '--name', 'cm-client-secret', '--query', 'value', '-o', 'tsv', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x10663aa20>, <function OutputProducer.on_global_arguments at 0x10682f2e0>, <function CLIQuery.on_global_arguments at 0x106870ae0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'keyvault': ['azure.cli.command_modules.keyvault']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: keyvault 0.008 20 113
cli.azure.cli.core: Total (1) 0.008 20 113
cli.azure.cli.core: Loaded 20 groups, 113 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : keyvault secret show
cli.azure.cli.core: Command table: keyvault secret show
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x107b58040>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/jsebast/.azure/commands/2025-01-23.13-29-11.keyvault_secret_show.8539.log'.
az_command_data_logger: command args: keyvault secret show --vault-name {} --name {} --query {} -o {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x107bb54e0>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x107bb79c0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x107bb7b00>, <function register_upcoming_breaking_change_info.<locals>.update_breaking_change_info at 0x107bb7ba0>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x10682f380>, <function CLIQuery.handle_query_parameter at 0x106870b80>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x107bb7a60>]
cli.azure.cli.core.auth.persistence: build_persistence: location='/Users/jsebast/.azure/msal_token_cache.json', encrypt=False
cli.azure.cli.core.auth.binary_cache: load: /Users/jsebast/.azure/msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: Initializing with Entra authority: https://login.microsoftonline.com/1b544066-1920-44c1-80c9-405d504ec412
msal.authority: openid_config("https://login.microsoftonline.com/1b544066-1920-44c1-80c9-405d504ec412/v2.0/.well-known/openid-configuration") = {'token_endpoint': 'https://login.microsoftonline.com/1b544066-1920-44c1-80c9-405d504ec412/oauth2/v2.0/token', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'private_key_jwt', 'client_secret_basic'], 'jwks_uri': 'https://login.microsoftonline.com/1b544066-1920-44c1-80c9-405d504ec412/discovery/v2.0/keys', 'response_modes_supported': ['query', 'fragment', 'form_post'], 'subject_types_supported': ['pairwise'], 'id_token_signing_alg_values_supported': ['RS256'], 'response_types_supported': ['code', 'id_token', 'code id_token', 'id_token token'], 'scopes_supported': ['openid', 'profile', 'email', 'offline_access'], 'issuer': 'https://login.microsoftonline.com/1b544066-1920-44c1-80c9-405d504ec412/v2.0', 'request_uri_parameter_supported': False, 'userinfo_endpoint': 'https://graph.microsoft.com/oidc/userinfo', 'authorization_endpoint': 'https://login.microsoftonline.com/1b544066-1920-44c1-80c9-405d504ec412/oauth2/v2.0/authorize', 'device_authorization_endpoint': 'https://login.microsoftonline.com/1b544066-1920-44c1-80c9-405d504ec412/oauth2/v2.0/devicecode', 'http_logout_supported': True, 'frontchannel_logout_supported': True, 'end_session_endpoint': 'https://login.microsoftonline.com/1b544066-1920-44c1-80c9-405d504ec412/oauth2/v2.0/logout', 'claims_supported': ['sub', 'iss', 'cloud_instance_name', 'cloud_instance_host_name', 'cloud_graph_host_name', 'msgraph_host', 'aud', 'exp', 'iat', 'auth_time', 'acr', 'nonce', 'preferred_username', 'name', 'tid', 'ver', 'at_hash', 'c_hash', 'email'], 'kerberos_endpoint': 'https://login.microsoftonline.com/1b544066-1920-44c1-80c9-405d504ec412/kerberos', 'tenant_region_scope': 'NA', 'tenant_region_sub_scope': 'GCC', 'cloud_instance_name': 'microsoftonline.com', 'cloud_graph_host_name': 'graph.windows.net', 'msgraph_host': 'graph.microsoft.com', 'rbac_url': 
'https://pas.windows.net'}
msal.application: Broker enabled? None
cli.azure.cli.core.sdk.policies: Request URL: 'https://nwm-cm-key-vault.vault.azure.net/secrets/cm-client-secret/?api-version=7.4'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'b468b26a-d9c8-11ef-97e6-acde48001122'
cli.azure.cli.core.sdk.policies: 'CommandName': 'keyvault secret show'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--vault-name --name --query -o --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.68.0 (HOMEBREW) azsdk-python-core/1.31.0 Python/3.12.8 (macOS-15.2-x86_64-i386-64bit)'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): nwm-cm-key-vault.vault.azure.net:443
urllib3.connectionpool: https://nwm-cm-key-vault.vault.azure.net:443 "GET /secrets/cm-client-secret/?api-version=7.4 HTTP/1.1" 200 1564
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Server': 'BigIP'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'text/html; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Accept-Ranges': 'bytes'
cli.azure.cli.core.sdk.policies: 'Connection': 'close'
cli.azure.cli.core.sdk.policies: 'Date': 'Thu, 23 Jan 2025 20:29:12 GMT'
cli.azure.cli.core.sdk.policies: 'Age': '3871'
cli.azure.cli.core.sdk.policies: 'Content-Length': '1564'
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache, no-store'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Expires': '0'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies:

<title>BIG-IP Per Request Policy Resource blocked page</title> <style> body, html { padding: 0; margin: 0; height: 100%; } table, td, th, div { border: 0; padding: 0; margin: 0; } body, table, td, th, div, input, h1, h2, h3, h4, h5, h6 { font-family : Calibri, Tahoma, Verdana, Arial, Helvetica, Sans-Serif; color: #000000; text-align: center; } body, table, td, th, div, input { font-size : 14px; } h1, h2, h3, h4, h5, h6 { font-size : 18px; text-decoration: none; margin-bottom: 0px; } body { background-color: #FFFFFF; } table#page_header { width: 100%; height: 80px; background-color: #FFFFFF; background-repeat: repeat-x; } table#main_table { width:100%; } </style> <script language="javascript"> function OnLoad() { var category = "Information Technology"; var categoryDiv = document.getElementById('display_category'); if (category === "") { categoryDiv.style.visibility = 'hidden'; } else { categoryDiv.style.visibility = 'visible'; categoryDiv.innerHTML += '' + "The category reference is:" + ' ' + category + ''; } } </script>

Transparent proxy access blocked.
Please verify your proxy setting are correct.
Contact CCHD if you need assistance.

cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/_serialization.py", line 1461, in _deserialize
found_value = key_extractor(attr, attr_desc, data)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/_serialization.py", line 1208, in rest_key_extractor
return working_data.get(key)
^^^^^^^^^^^^^^^^
AttributeError: 'str' object has no attribute 'get'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 132, in keyvault_command_handler
show_exception_handler(ex)
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/arm.py", line 432, in show_exception_handler
raise ex
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 109, in keyvault_command_handler
result = op(**command_args)
^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/keyvault/secrets/_client.py", line 72, in get_secret
bundle = self._client.get_secret(
^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/_operations_mixin.py", line 1640, in get_secret
return mixin_instance.get_secret(vault_base_url, secret_name, secret_version, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/v7_4/operations/_key_vault_client_operations.py", line 771, in get_secret
deserialized = self._deserialize("SecretBundle", pipeline_response)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/_serialization.py", line 1406, in __call__
return self._deserialize(target_obj, data)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/_serialization.py", line 1476, in _deserialize
raise_with_traceback(DeserializationError, msg, err)
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/core/exceptions.py", line 100, in raise_with_traceback
raise error.with_traceback(exc_traceback) # pylint: disable=raise-missing-from
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/_serialization.py", line 1461, in _deserialize
found_value = key_extractor(attr, attr_desc, data)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/keyvault/secrets/_generated/_serialization.py", line 1208, in rest_key_extractor
return working_data.get(key)
^^^^^^^^^^^^^^^^
azure.core.exceptions.DeserializationError: (", AttributeError: 'str' object has no attribute 'get'", 'Unable to deserialize to object: type', AttributeError("'str' object has no attribute 'get'"))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
raise ex
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 734, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
result = cmd_copy(params)
^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
return self.handler(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 135, in keyvault_command_handler
return keyvault_exception_handler(ex)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/cli/command_modules/keyvault/_command_type.py", line 49, in keyvault_exception_handler
raise CLIError(ex)
knack.util.CLIError: (", AttributeError: 'str' object has no attribute 'get'", 'Unable to deserialize to object: type', AttributeError("'str' object has no attribute 'get'"))

cli.azure.cli.core.azclierror: (", AttributeError: 'str' object has no attribute 'get'", 'Unable to deserialize to object: type', AttributeError("'str' object has no attribute 'get'"))
az_command_data_logger: (", AttributeError: 'str' object has no attribute 'get'", 'Unable to deserialize to object: type', AttributeError("'str' object has no attribute 'get'"))
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x107b582c0>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 0.997 seconds (init: 0.171, invoke: 0.826)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4073 in cache file under /Users/jsebast/.azure/telemetry/20250123132912397
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/usr/local/Cellar/azure-cli/2.68.0/libexec/bin/python /usr/local/Cellar/azure-cli/2.68.0/libexec/lib/python3.12/site-packages/azure/cli/telemetry/__init__.py /Users/jsebast/.azure /Users/jsebast/.azure/telemetry/20250123132912397"
telemetry.process: Return from creating process 8544
telemetry.main: Finish creating telemetry upload process.

Expected behavior

should return my secret

Environment Summary

$ az version
{
"azure-cli": "2.68.0",
"azure-cli-core": "2.68.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {}
}

Additional context

No response

@jpsebasti jpsebasti added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jan 23, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot KeyVault az keyvault labels Jan 23, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 23, 2025
@yonzhan
Collaborator

yonzhan commented Jan 23, 2025

Thank you for opening this issue, we will look into it.

@jpsebasti
Author

I performed a fresh install of the az cli using this command today:
brew update && brew install azure-cli

These AttributeError errors have occurred since the fresh azure-cli installation.

@yonzhan yonzhan removed the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Jan 23, 2025
@yonzhan yonzhan added this to the Backlog milestone Jan 23, 2025
@evelyn-ys
Member

This error occurs because the service returns an HTML "BIG-IP Per Request Policy Resource blocked page", which can't be deserialized by Azure CLI using the normal Secret model. So the root cause has been returned from the server:

Transparent proxy access blocked.
Please verify your proxy setting are correct.
Contact CCHD if you need assistance.

@evelyn-ys evelyn-ys added Service Attention This issue is responsible by Azure service team. and removed Azure CLI Team The command of the issue is owned by Azure CLI team labels Jan 24, 2025
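Added example, not part of the issue thread or of Azure CLI's code: a triage script that reads `az ... --debug` output in the format shown in this report and tells a proxy-intercepted reply (HTTP 200, `text/html`, `Server: BigIP`) apart from a JSON reply before anyone chases the `AttributeError`. The function names and the trimmed sample log are assumptions constructed for illustration; the body-end heuristic assumes each logger line starts with a dotted logger name.

```python
import json
import re

# Constructed sample: trimmed from the report's --debug output, with its placeholder names.
SAMPLE_DEBUG_LOG = """\
cli.azure.cli.core.sdk.policies: Request URL: 'https://vaultnamehere.vault.azure.net/secrets/secretnamehere/?api-version=7.4'
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Server': 'BigIP'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'text/html; charset=utf-8'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies:
<title>BIG-IP Per Request Policy Resource blocked page</title>
Transparent proxy access blocked.
cli.azure.cli.core.azclierror: Traceback (most recent call last):
"""

PREFIX = "cli.azure.cli.core.sdk.policies:"
HEADER_RE = re.compile(r"^'([^']+)':\s*'(.*)'$")
LOGGER_RE = re.compile(r"^\w+(\.\w+)+: ")  # heuristic: a new logger line ends the body


def parse_response(log_text):
    """Return (status, headers, body) of the HTTP response recorded in the log."""
    status, headers, body, in_body = None, {}, [], False
    for line in log_text.splitlines():
        if line.startswith(PREFIX):
            rest = line[len(PREFIX):].strip()
            if rest.startswith("Response status:"):
                status = int(rest.split(":", 1)[1])
            elif rest == "Response content:":
                in_body = True
            elif in_body and rest:
                body.append(rest)
            elif status is not None and (m := HEADER_RE.match(rest)):
                headers[m.group(1).lower()] = m.group(2)  # response headers only
        elif in_body:
            if LOGGER_RE.match(line):
                in_body = False
            else:
                body.append(line)
    return status, headers, "\n".join(body).strip()


def diagnose(log_text):
    """Classify the logged reply without ever echoing a secret value."""
    status, headers, body = parse_response(log_text)
    if status is None:
        return "unknown", "no HTTP response found in the log"
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("application/json"):
        return "intercepted", f"HTTP {status}, Content-Type {ctype!r}, Server {headers.get('server')!r}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "malformed", "Content-Type says JSON but the body does not parse"
    if not isinstance(doc, dict):
        return "malformed", "JSON body is not an object"
    return "ok", "JSON object with fields: " + ", ".join(sorted(doc))
```

An `intercepted` verdict points at the network path between the client and the vault (here a BIG-IP proxy), not at the CLI's deserializer or the vault itself.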
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @chen-karen, @chandanrr.
