5

I'm using KeyVaultClient from the 2.3.2 Microsoft.Azure.KeyVault NuGet. Using GetSecretAsync(,), I noticed that a KeyVaultErrorException is raised if I try to access a non-existent secret.

Unfortunately that same error is also raised when access to the keyvault is denied or the keyvault endpoint is not found.

The only distinguisher I see at the moment is the Message property. So what's the right way to detect that a secret was not found? Why would this throw an exception versus returning a null or some other 'empty' object?

Jim O'Neil
  • 23,344
  • 7
  • 42
  • 67

1 Answers1

3

Asking for nonexistent secret:

System.AggregateException occurred
  HResult=0x80131500
  Message=One or more errors occurred.
  Source=mscorlib

Inner Exception 1:
KeyVaultErrorException: Secret not found: secret22222

((Microsoft.Azure.KeyVault.Models.KeyVaultErrorException)($exception).InnerException)
    .Body.Error.Code = "SecretNotFound"
((Microsoft.Azure.KeyVault.Models.KeyVaultErrorException)($exception).InnerException)
    .Body.Error.Message = "Secret not found: secret22222"

No rights for reading secret:

System.AggregateException occurred
  HResult=0x80131500
  Message=One or more errors occurred.
  Source=mscorlib

Inner Exception 1:
KeyVaultErrorException: Access denied

((Microsoft.Azure.KeyVault.Models.KeyVaultErrorException)($exception).InnerException)
    .Body.Error.Code = "Forbidden"
((Microsoft.Azure.KeyVault.Models.KeyVaultErrorException)($exception).InnerException)
    .Body.Error.Message = "Access denied"

Trying to read a disabled secret:

System.AggregateException occurred
  HResult=0x80131500
  Message=One or more errors occurred.
  Source=mscorlib

Inner Exception 1:
KeyVaultErrorException: Operation get is not allowed on a disabled secret.

((Microsoft.Azure.KeyVault.Models.KeyVaultErrorException)($exception).InnerException)
    .Body.Error.Code = "Forbidden"
((Microsoft.Azure.KeyVault.Models.KeyVaultErrorException)($exception).InnerException)
    .Body.Error.Message = "Operation get is not allowed on a disabled secret."

Invalid vault endpoint:

System.AggregateException occurred
  HResult=0x80131500
  Message=One or more errors occurred.
  Source=mscorlib

Inner Exception 1:
HttpRequestException: An error occurred while sending the request.

Inner Exception 2:
WebException: The remote name could not be resolved: 'alicezzzzzz.vault.azure.net'

Doesn't look that bad to me. If you're expecting strong error typing, i don't think that's going to happen given the SDK is just light REST wrapper, probably (partially?) generated by AutoRest - not obviously mentioned, but still mentioned :) in the NuGet project description (Project Site).

evilSnobu
  • 24,582
  • 8
  • 41
  • 71
  • ok, at first blush this smelled: having to go three levels deep to get the cause of an exception. IMHO, Body.Error.Code should (additionally) exposed directly on the KeyVaultErrorException; Message is. Are we guaranteed that Body.Error.Code is never localized? – Jim O'Neil Aug 11 '17 at 15:06
  • It is also surfaced in `Message` on the first InnerException: `((Microsoft.Azure.KeyVault.Models.KeyVaultErrorException)($exception).InnerException).Message`, but yes i see your point. Can't speak on behalf of the KeyVault product group but since that's coming straight from the API i would highly doubt you get localization without specifically asking for it (with a header/param/something). – evilSnobu Aug 11 '17 at 15:21