[BUG] Azure.Extensions.AspNetCore.Configuration.Secrets loads expired secrets into IConfiguration.

Library name and version
Azure.Extensions.AspNetCore.Configuration.Secrets [1.2.2]
Describe the bug
The ASP.NET Core documentation for Key Vault configuration is misleading when it says disabled and expired secrets are excluded from the configuration provider. In reality, they are included.
So, if the documentation is correct, and I would argue that it is correct, then the code shown below must be fixed.
    /// <summary>
    /// Checks if <see cref="KeyVaultSecret"/> value should be retrieved.
    /// </summary>
    /// <param name="secret">The <see cref="SecretProperties"/> instance.</param>
    /// <returns><code>true</code> if secrets value should be loaded, otherwise <code>false</code>.</returns>
    public virtual bool Load(SecretProperties secret)
    {
        // Default implementation: every secret is loaded, regardless of Enabled or ExpiresOn.
        return true;
    }
Details
Expected behavior
Let’s say I have 3 secrets in my key vault:
- SecretA - Expired
- SecretB - No Expiration Set
- SecretC - Expiring in Future.
I expected SecretB and SecretC to be loaded into IConfiguration, but NOT SecretA, because its expiration date is in the past.
Actual behavior
All Secrets are loaded including expired secrets.
Reproduction Steps
Here is how I’m loading secrets in IConfiguration
    configurationBuilder.AddAzureKeyVault(
        new Uri("https://my-app-secrets-kv.vault.azure.net/"),
        new DefaultAzureCredential(),
        new AzureKeyVaultConfigurationOptions
        {
            ReloadInterval = TimeSpan.FromSeconds(30),
        }
    );
However, I found a workaround which helps me exclude expired secrets.
I created KeyVaultSecertManagerSkipsExpiredSecrets.cs to override the default Load method on KeyVaultSecretManager.

    public class KeyVaultSecertManagerSkipsExpiredSecrets : KeyVaultSecretManager
    {
        public override bool Load(SecretProperties secret)
        {
            // Load secrets that have no expiry, or whose expiry has not yet passed.
            return secret.ExpiresOn == null || secret.ExpiresOn >= DateTimeOffset.Now;
        }
    }
Then used it as follows:
    configurationBuilder.AddAzureKeyVault(
        new Uri("https://my-app-secrets-kv.vault.azure.net/"),
        new DefaultAzureCredential(),
        new AzureKeyVaultConfigurationOptions
        {
            ReloadInterval = TimeSpan.FromSeconds(30),
            Manager = new KeyVaultSecertManagerSkipsExpiredSecrets()
        }
    );
Please suggest if I am doing something wrong. What is expected behavior? Should the expired secrets not be excluded?
Environment
- ASP.NET Core 3.1
- Service Fabric 7.2.477.9590 [This is irrelevant though]
Top GitHub Comments
Separate properties for disabled and expired should be added. Rarely would I expect disabled secrets to be needed, but there are plenty of scenarios that may still need expired secrets. As secrets (keys, etc.) rotate, those older ones are still needed in many scenarios.
If we make these changes, we should update the docs referenced in dotnet/AspNetCore.Docs#26714
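The following is an added example, not code from the SDK or from the issue author, that combines the reporter's workaround with the maintainer's point that disabled and expired secrets deserve separate switches. It assumes the public surface of Azure.Security.KeyVault.Secrets (`SecretProperties` with nullable `Enabled`, `NotBefore` and `ExpiresOn`, settable on a `new SecretProperties(name)`) and the `KeyVaultSecretManager.Load` virtual shown in the issue; the class name `FilteringKeyVaultSecretManager`, its constructor switches and the injected clock are hypothetical. The sample `SecretA`/`SecretB`/`SecretC` metadata is constructed to mirror the expected-behaviour section of the report.

```csharp
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Security.KeyVault.Secrets;

// Hypothetical manager (not part of the SDK). Each filter is a separate switch so a
// deployment that still relies on rotated (expired) secrets can keep loading them
// while dropping disabled ones, or vice versa.
public sealed class FilteringKeyVaultSecretManager : KeyVaultSecretManager
{
    private readonly bool _skipDisabled;
    private readonly bool _skipExpired;
    private readonly bool _skipNotYetValid;
    private readonly Func<DateTimeOffset> _clock; // injectable for deterministic testing

    public FilteringKeyVaultSecretManager(
        bool skipDisabled = true,
        bool skipExpired = true,
        bool skipNotYetValid = true,
        Func<DateTimeOffset> clock = null)
    {
        _skipDisabled = skipDisabled;
        _skipExpired = skipExpired;
        _skipNotYetValid = skipNotYetValid;
        _clock = clock ?? (() => DateTimeOffset.UtcNow);
    }

    // Called by the provider for every secret on initial load and on each ReloadInterval tick,
    // so a secret that expires after start-up drops out of IConfiguration at the next reload.
    public override bool Load(SecretProperties secret)
    {
        DateTimeOffset now = _clock();

        // Enabled is bool?; an unknown value is treated as enabled, matching the SDK default.
        if (_skipDisabled && secret.Enabled == false)
            return false;

        // DateTimeOffset comparison accounts for offsets, so UtcNow is safe here.
        if (_skipExpired && secret.ExpiresOn is DateTimeOffset expires && expires <= now)
            return false;

        if (_skipNotYetValid && secret.NotBefore is DateTimeOffset notBefore && notBefore > now)
            return false;

        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Fixed clock so the three constructed secrets behave the same on every run.
        var now = new DateTimeOffset(2024, 01, 15, 12, 0, 0, TimeSpan.Zero);
        var manager = new FilteringKeyVaultSecretManager(clock: () => now);

        // Constructed metadata mirroring the issue: expired, no expiry, future expiry.
        var secretA = new SecretProperties("SecretA") { ExpiresOn = now.AddDays(-1) };
        var secretB = new SecretProperties("SecretB");
        var secretC = new SecretProperties("SecretC") { ExpiresOn = now.AddDays(30) };
        // Extra cases the report does not cover: disabled, and not yet valid.
        var secretD = new SecretProperties("SecretD") { Enabled = false };
        var secretE = new SecretProperties("SecretE") { NotBefore = now.AddHours(1) };

        Console.WriteLine($"SecretA loaded: {manager.Load(secretA)}"); // False (expired)
        Console.WriteLine($"SecretB loaded: {manager.Load(secretB)}"); // True
        Console.WriteLine($"SecretC loaded: {manager.Load(secretC)}"); // True
        Console.WriteLine($"SecretD loaded: {manager.Load(secretD)}"); // False (disabled)
        Console.WriteLine($"SecretE loaded: {manager.Load(secretE)}"); // False (not yet valid)

        // A deployment that must keep rotated secrets readable during a grace period:
        var keepExpired = new FilteringKeyVaultSecretManager(skipExpired: false, clock: () => now);
        Console.WriteLine($"SecretA loaded with skipExpired=false: {keepExpired.Load(secretA)}"); // True
    }
}
```

Wiring it up is the same as in the report: set `Manager = new FilteringKeyVaultSecretManager(...)` on `AzureKeyVaultConfigurationOptions`. Note that an excluded secret's configuration key is simply absent, so any code that reads it unconditionally will see `null`; if a consumer needs the old value to survive until rotation completes, keep `skipExpired: false` and enforce the expiry check at the point of use instead.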