5

Every dev on my team has their own personal Azure key vault linked to their local machine. We have a production Azure key vault that our production site looks at.

In the code, it looks for a specific secret from the vault. The devs won't have the secret in their personal key vaults, but the production key vault will have the secret.

So, when the devs are debugging, it will catch an exception saying that the secret doesn't exist.

Is there a way to conditionally check whether or not the secret exists, or do I just have to let it catch the exception?

Uwe Keim
dustinos3

3 Answers

13

There is no method to check if a secret exists in a key vault. So some creativity could be employed to do just that (argument checks skipped for brevity):

    using System.Threading.Tasks;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.KeyVault.Models;

    public async Task<bool> CheckIfSecretExists(string accessToken, string secretUri)
    {
        // KeyVaultClient takes an authentication callback, not a raw token string;
        // the callback simply hands back the token the caller already obtained.
        var kvClient = new KeyVaultClient((authority, resource, scope) => Task.FromResult(accessToken));
        try
        {
            await kvClient.GetSecretAsync(secretUri);
            return true;
        }
        // With await the exception arrives unwrapped (no AggregateException), so
        // catch KeyVaultErrorException directly. Only "SecretNotFound" means the
        // secret is absent; a 403 (missing "get" permission) or any other error
        // is left to propagate.
        catch (KeyVaultErrorException ex) when (ex.Body?.Error?.Code == "SecretNotFound")
        {
            return false;
        }
    }

EDIT: Found a way to check if secret exists without relying on exception:

using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Rest.Azure;

public async Task<bool> DoesSecretExist(string accessToken, string keyVaultBaseUrl, string secretName)
{
   var kvClient = new KeyVaultClient((authority, resource, scope) => Task.FromResult(accessToken));

   // Listing the versions of a name the vault does not hold returns an empty
   // page instead of throwing, which is what this check relies on. Note that
   // listing versions needs the "list" secret permission on the vault, whereas
   // GetSecretAsync needs only "get".
   IPage<SecretItem> secretVersions = await kvClient.GetSecretVersionsAsync(keyVaultBaseUrl, secretName).ConfigureAwait(false);
   return secretVersions.Any();
}
Rookian
fatherOfWine
  • This answers my question if there is a method to check if the secret exists. If anyone else can think of an easier way to check feel free to add an answer. – dustinos3 Oct 29 '18 at 16:15
  • @dustinos3 looking at the documentation, there is no such method in the `KeyVaultClient` class: https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.keyvault.keyvaultclient?view=azure-dotnet – Thomas Nov 01 '18 at 00:34
1

An easier way to check whether the error is a "not found" is from the HTTP response carried in the exception:

 using System.Net;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Azure.KeyVault;
 using Microsoft.Azure.KeyVault.Models;

 // Returns the secret, or null when the vault answers 404 for that name.
 // this.keyVaultClient is an already constructed KeyVaultClient field.
 public async Task<SecretBundle> GetSecretOrNullAsync(string keyVaultUri, string secretName, CancellationToken cancellationToken)
 {
    try
    {
       return await this.keyVaultClient.GetSecretAsync(keyVaultUri, secretName, cancellationToken).ConfigureAwait(false);
    }
    catch (KeyVaultErrorException ex)
    {
       if (ex.Response.StatusCode != HttpStatusCode.NotFound)
       {
          // Handle the error (e.g. a 403 from a missing "get" permission); here it is rethrown.
          throw;
       }
       return null;
    }
 }
Tommy
-3

Create a new secret client using the default credential from Azure.Identity, with the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID set beforehand.

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var client = new SecretClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential());

Retrieve a secret using the secret client.

// GetSecret returns Response<KeyVaultSecret>, which converts implicitly to KeyVaultSecret.
KeyVaultSecret secret = client.GetSecret("secret-name");
tgallei
Swati
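As an added example (not code from any of the answers above), here are the two checks the first answer shows for the old Microsoft.Azure.KeyVault client, carried over to the Azure.Security.KeyVault.Secrets SecretClient that the third answer constructs. It assumes the Azure.Security.KeyVault.Secrets and Azure.Identity packages, an environment variable named VAULT_URL (a name chosen here), and a placeholder secret name ProductionApiKey; the dev-fallback value is constructed for the example.

```csharp
// Added example, not from the original answers. Assumes the NuGet packages
// Azure.Security.KeyVault.Secrets and Azure.Identity.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class SecretLookup
{
    // Approach 1: fetch the secret and treat only a 404 as "not present".
    // A 403 (caller lacks the secrets/get permission, or the secret is disabled)
    // and every other status propagate, so a permissions problem is never
    // silently mistaken for a missing secret.
    public static async Task<string> TryGetSecretAsync(SecretClient client, string secretName)
    {
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(secretName).ConfigureAwait(false);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            return null;
        }
    }

    // Approach 2: list the secret's versions; an unknown name yields no items.
    // This needs the secrets/list permission, which a read-only app identity
    // often does not (and should not) have.
    public static async Task<bool> ExistsByListingAsync(SecretClient client, string secretName)
    {
        await foreach (SecretProperties _ in client.GetPropertiesOfSecretVersionsAsync(secretName))
        {
            return true;
        }
        return false;
    }

    public static async Task Main()
    {
        // VAULT_URL is an assumed variable name, e.g. https://<vault-name>.vault.azure.net/
        var vaultUri = new Uri(Environment.GetEnvironmentVariable("VAULT_URL"));
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());

        // "ProductionApiKey" is a placeholder secret name.
        string apiKey = await TryGetSecretAsync(client, "ProductionApiKey");
        if (apiKey is null)
        {
            // Developer vault: the secret is absent by design, so fall back to a
            // constructed dev-only value instead of letting the exception surface.
            apiKey = "dev-placeholder";
        }
        Console.WriteLine(apiKey == "dev-placeholder" ? "using dev fallback" : "using vault secret");
    }
}
```

The filter on `ex.Status == 404` is the important part: if a developer's identity has no `get` permission on their own vault, the call fails with 403, and a catch-all would drop the app into the fallback path without anyone noticing the access policy is wrong. The listing approach is the same trade-off the first answer's EDIT makes, at the cost of granting `list` to an identity that otherwise needs only `get`.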