Here is my code. This was working a few days ago, and now it throws the error when trying to fetch the secret out of the vault. I am using the latest version of Azure's Python SDK, which was installed through pip.

from azure.keyvault import KeyVaultClient
from azure.mgmt.keyvault import KeyVaultManagementClient
from msrestazure.azure_active_directory import ServicePrincipalCredentials

credentials = ServicePrincipalCredentials(
    client_id = "a0824ce5-f6cf-4293-a7ad-************************",
    secret = "5jqsgHYlLPrpY+yn6+0X8lMA9mE*********************",
    tenant="fa7b1b5a-7b34-4387-**********************",
    resource='https://vault.azure.net'
)

KEY_VAULT_URI = 'https://*********t.vault.azure.net'

client = KeyVaultClient(
    credentials
)

# Create a secret
secret_bundle = client.set_secret(KEY_VAULT_URI, 'octo-prroton', '2412423424fdsadada***********')
print(client.get_secret(KEY_VAULT_URI, 'octo-prroton', 1))

Creating a secret works, but getting a secret out fails with the following traceback:

Traceback (most recent call last):
  File "driver.py", line 23, in <module>
    print(client.get_secret(KEY_VAULT_URI, 'octo-prroton', 1))
  File "/Users/ddavtian/Code/.virtualenvs/demo-key/lib/python3.6/site-packages/azure/keyvault/key_vault_client.py", line 1798, in get_secret
    raise models.KeyVaultErrorException(self._deserialize, response)
azure.keyvault.models.key_vault_error.KeyVaultErrorException: Operation returned an invalid status code 'Bad Request'

Here is a list of pip packages:

adal (0.4.5)
asn1crypto (0.22.0)
azure (2.0.0)
azure-batch (3.0.0)
azure-common (1.1.6)
azure-datalake-store (0.0.12)
azure-graphrbac (0.30.0)
azure-keyvault (0.3.5)
azure-mgmt (1.0.0)
azure-mgmt-authorization (0.30.0)
azure-mgmt-batch (4.0.0)
azure-mgmt-cdn (0.30.3)
azure-mgmt-cognitiveservices (1.0.0)
azure-mgmt-compute (1.0.0)
azure-mgmt-containerregistry (0.2.1)
azure-mgmt-datalake-analytics (0.1.6)
azure-mgmt-datalake-nspkg (2.0.0)
azure-mgmt-datalake-store (0.1.6)
azure-mgmt-devtestlabs (2.0.0)
azure-mgmt-dns (1.0.1)
azure-mgmt-documentdb (0.1.3)
azure-mgmt-iothub (0.2.2)
azure-mgmt-keyvault (0.31.0)
azure-mgmt-logic (2.1.0)
azure-mgmt-monitor (0.2.1)
azure-mgmt-network (1.0.0)
azure-mgmt-nspkg (2.0.0)
azure-mgmt-rdbms (0.1.0)
azure-mgmt-redis (4.1.0)
azure-mgmt-resource (1.1.0)
azure-mgmt-scheduler (1.1.2)
azure-mgmt-sql (0.5.3)
azure-mgmt-storage (1.0.0)
azure-mgmt-trafficmanager (0.30.0)
azure-mgmt-web (0.32.0)
azure-nspkg (2.0.0)
azure-servicebus (0.21.1)
azure-servicefabric (5.6.130)
azure-servicemanagement-legacy (0.20.6)
azure-storage (0.34.3)
certifi (2017.4.17)
cffi (1.10.0)
chardet (3.0.4)
cryptography (1.9)
idna (2.5)
isodate (0.5.4)
keyring (10.4.0)
msrest (0.4.11)
msrestazure (0.4.9)
oauthlib (2.0.2)
pip (9.0.1)
pycparser (2.17)
PyJWT (1.5.2)
python-dateutil (2.6.0)
requests (2.18.1)
requests-oauthlib (0.8.0)
setuptools (36.0.1)
six (1.10.0)
urllib3 (1.21.1)
wheel (0.29.0)

Any help is appreciated.

Laurent Mazuel
ddavtian

2 Answers

Azure's Python SDK team came to my help. Here is the GitHub bug that I had raised and the solution: https://github.com/Azure/azure-sdk-for-python/issues/1263

ddavtian

As you shared in the GitHub issue, this was due to an incorrect secret version in the get_secret call. There's now an azure-keyvault-secrets package for working with Key Vault secrets, and get_secret will fetch the latest secret version when no version is specified:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

KEY_VAULT_URI = 'https://*********t.vault.azure.net'
SECRET_NAME = 'octo-prroton'

credential = DefaultAzureCredential()
client = SecretClient(KEY_VAULT_URI, credential)

secret = client.get_secret(SECRET_NAME)

There are also new packages for working with Key Vault certificates and keys. Here are links to package documentation and guides for migrating from azure-keyvault:

(I work on the Azure SDK in Python)

mccoyp
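
A local check for the version mistake discussed in this thread, added here as an example (it is not code from the question, the answers, or the Azure SDK). It assumes Key Vault's identifier layout https://<vault>/secrets/<name>/<version> with a 32-hex-character version; parse_secret_id, check_name, check_version and get_secret_checked are hypothetical helper names, and the sample identifier is constructed.

```python
import re
from urllib.parse import urlparse

# Assumption: Key Vault generates versions as 32 hexadecimal characters.
_VERSION = re.compile(r"[0-9a-fA-F]{32}")
# Secret names: 1-127 characters, letters, digits and dashes.
_NAME = re.compile(r"[0-9a-zA-Z-]{1,127}")
# Constructed sample identifier (not a real vault or version).
SAMPLE_ID = ("https://example-vault.vault.azure.net/secrets/"
             "octo-prroton/0123456789abcdef0123456789abcdef")


def check_name(name):
    """Return the name unchanged, or raise if Key Vault would reject it."""
    if not isinstance(name, str) or not _NAME.fullmatch(name):
        raise ValueError(f"invalid secret name: {name!r}")
    return name


def check_version(version):
    """Return None for 'latest', or a validated version string."""
    if version is None or version == "":
        return None
    if not isinstance(version, str) or not _VERSION.fullmatch(version):
        # An integer such as 1 ends up here instead of in a 'Bad Request'.
        raise ValueError(f"not a Key Vault secret version: {version!r}")
    return version


def parse_secret_id(secret_id):
    """Split an identifier into (vault_url, name, version or None)."""
    url = urlparse(secret_id)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("secret identifier must be an https URL")
    parts = [p for p in url.path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        raise ValueError("expected /secrets/<name>[/<version>]")
    version = check_version(parts[2]) if len(parts) == 3 else None
    return f"https://{url.hostname}", check_name(parts[1]), version


def get_secret_checked(client, name, version=None):
    """Call client.get_secret(name, version) only with a plausible version.

    client is any object with that method, for example a SecretClient.
    """
    return client.get_secret(check_name(name), check_version(version))
```

To pin a specific version, take it from the identifier of a secret you have already stored rather than hard-coding one; leaving the version out requests the latest.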