Working with resource IDs containing hash in Azure CLI

Question

When inspecting certificate resources during a cleanup preparation, I came across several ones whose resource ID contains a hash character (#). When I tried getting their details, Azure CLI failed.

az resource show --subscription $subs --ids `
    $(az resource list --subscription $subs --resource-group $rg `
        --resource-type Microsoft.Web/certificates --query '[].id' --output tsv)

(MissingApiVersionParameter) The api-version query parameter (?api-version=) is required for all requests.

The inner command gives this list:

/subscriptions/deadbeef-2021-4b7b-988c-abcdabcdabcd/resourceGroups/testrg/prodivers/Microsoft.Web/certificates/018B8D7BEAEB68E5A074B61434030D42CD46E3E2##West Europe#
/subscriptions/deadbeef-2021-4b7b-988c-abcdabcdabcd/resourceGroups/testrg/providers/Microsoft.Web/certificates/2B1CA607A52CBDC62716009CF13DEDFA859B72D2#testrg-WestEuropewebspace
/subscriptions/deadbeef-2021-4b7b-988c-abcdabcdabcd/resourceGroups/testrg/providers/Microsoft.Web/certificates/59BB3E72F7281D7FCACF7B8A8DDB3D23FE0BF09E##West Europe#
/subscriptions/deadbeef-2021-4b7b-988c-abcdabcdabcd/resourceGroups/testrg/providers/Microsoft.Web/certificates/81295C08FF441A0CA954B04E58A06991472468E1##West Europe#
/subscriptions/deadbeef-2021-4b7b-988c-abcdabcdabcd/resourceGroups/testrg/providers/Microsoft.Web/certificates/B9E64EDE44DC848B39CC6872BD310B6BEF070FC9-testrg-WestEuropewebspace
/subscriptions/deadbeef-2021-4b7b-988c-abcdabcdabcd/resourceGroups/testrg/providers/Microsoft.Web/certificates/some.domain.cz-003090D185A4A57C83E4F1E664EB12C7143D5CB1
/subscriptions/deadbeef-2021-4b7b-988c-abcdabcdabcd/resourceGroups/testrg/providers/Microsoft.Web/certificates/F660F6675F0943D93F2780A9F65B48147A375913-testrg-WestEuropewebspace
/subscriptions/deadbeef-2021-4b7b-988c-abcdabcdabcd/resourceGroups/testrg/providers/Microsoft.Web/certificates/some-test.domain.com-1B856146B6287E8D0D68C98E9A66B7D23A969762
/subscriptions/deadbeef-2021-4b7b-988c-abcdabcdabcd/resourceGroups/testrg/providers/Microsoft.Web/certificates/some-test.domain.com-B2FBC6E5DD564B6762FF34EA1A8C1C432A2B7510

When using the outer command separately on each one, the ones without a hash pass (details are printed) and the ones with the hash fail with the aforementioned error.

$p = '/subscriptions/deadbeef-2021-4b7b-988c-abcdabcdabcd/resourceGroups/testrg/providers/Microsoft.Web/certificates'
az resource show --subscription $subs --ids `
    "$p/018B8D7BEAEB68E5A074B61434030D42CD46E3E2##West Europe#"

Is it a bug of Azure CLI? I am using Azure CLI 2.27.2, which is the current stable version. Or are those some arcane deprecated resources that need some special treatment? How to work with them?

Don't know if it is relevant, but I suspect some of the certificates have been uploaded manually through Azure Portal and some have been created by the Let's Encrypt site extension for Azure App Service. https://github.com/sjkp/letsencrypt-siteextension — Palec, Aug 30 '21 at 16:07
I found that using Azure CLI from PowerShell scripts is quite a bad idea and Azure PS should be used instead. Recently, a colleague created a resource whose name contains Unicode characters. It breaks my scripts on Windows because Windows has lousy Unicode support. I have found no way to fix them. https://stackoverflow.com/a/49481797/2157640 https://github.com/Azure/azure-cli/issues/14426 — Palec, Apr 08 '22 at 21:30

Palec · Accepted Answer · 2021-08-30T16:39:15.790

0

By trial and error I found that escaping is the issue. When I URL-encode each component of the resource ID, it works. Seems like a bug after all.

az resource show --subscription $subs --ids `
    "$p/018B8D7BEAEB68E5A074B61434030D42CD46E3E2%23%23West%20Europe%23"

az resource show --subscription $subs --ids `
    $(az resource list --subscription $subs --resource-group $rg `
        --resource-type Microsoft.Web/certificates --query '[].id' --output tsv |
        ForEach-Object { `
            [string]::Join('/', ($_ -split '/' |
                ForEach-Object { [uri]::EscapeDataString($_) })) `
        })

edited Aug 30 '21 at 16:39

answered Aug 30 '21 at 16:28

Palec

12,743
8
69
138

A somewhat related issue: https://github.com/Azure/azure-cli/issues/12885 – Palec Sep 02 '21 at 05:52
Sometimes when a special character is at the end of the ID (e.g. a scheduled query rule `Web App Exception (500)`), it helps when a space is added at the end of the ID. I believe this is hacking some issues with passing parameters from PowerShell to external commands. – Palec Nov 08 '21 at 00:40

Working with resource IDs containing hash in Azure CLI

1 Answers1