
KeyVault Secrets SDK throws AuthenticationFailedException forcing additional dependency on Azure.Identity


Bug Description

Azure.Security.KeyVault.Secrets.SecretClient throws Azure.Identity.AuthenticationFailedException in case the Azure.Core.TokenCredential passed to it could not be used. For example, when a user tries to fetch a secret from the key vault using DefaultAzureCredential but an appropriate credential as described here could not be found, then Azure.Identity.AuthenticationFailedException is thrown.

Since the exception AuthenticationFailedException belongs to the Azure.Identity package, consumers of the Azure.Security.KeyVault.Secrets package are unable to handle it the right way without adding an explicit dependency on the Azure.Identity package.

Expected behavior

When the input TokenCredential could not be used for authentication, Azure.Security.KeyVault.Secrets throws an exception that does not require an explicit dependency on another package that is not one of its dependencies, so it could be handled by the consumers.

Actual behavior (include Exception or Stack Trace)

When the input TokenCredential could not be used for authentication, Azure.Security.KeyVault.Secrets throws AuthenticationFailedException exception that requires a dependency on Azure.Identity package to be able to handle it the right way.

Exception

Azure.Identity.AuthenticationFailedException: The DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential is unavailable.
Environment variables not fully configured.
AZURE_TENANT_ID and AZURE_CLIENT_ID must be set, along with either AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD.
Currently set variables [  ].
ManagedIdentityCredential is unavailable No managed identity endpoint found..
SharedTokenCacheCredential is unavailable Token acquisition failed for user . To fix, re-authenticate through developer tooling supporting Azure single sign on.

Stack Trace

DefaultAzureCredential.GetTokenAsync(Boolean isAsync, TokenRequestContext requestContext, CancellationToken cancellationToken)
DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
ChallengeBasedAuthenticationPolicy.AuthenticateRequestAsync(HttpMessage message, Boolean async)
ChallengeBasedAuthenticationPolicy.ProcessCoreAsync(HttpMessage message, ReadOnlyMemory pipeline, Boolean async)
RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory pipeline, Boolean async)
RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory pipeline, Boolean async)
HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory pipeline)
HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory pipeline)
HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func resultFactory, CancellationToken cancellationToken, String[] path)
SecretClient.GetSecretAsync(String name, String version, CancellationToken cancellationToken)

Environment: .NET Standard 2.0 Class Library Azure.Security.KeyVault.Secrets 4.0.1
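
One way a consuming library can recognise the failure described in this issue without referencing Azure.Identity is to match the exception by type name. This is an added example, not code from the issue or from the Azure SDK; `SecretFetch`, `RunAsync`, `IsCredentialFailure` and the stand-in exception class are hypothetical names, and the `fetch` delegate stands in for a `SecretClient.GetSecretAsync` call.

```csharp
using System;
using System.Threading.Tasks;

// Constructed failure for the demo. In real code the delegate would wrap the
// Key Vault call, e.g. async () => (await client.GetSecretAsync(name)).Value.Value
Func<Task<string>> fetch = () =>
    throw new Azure.Identity.AuthenticationFailedException("DefaultAzureCredential failed (constructed)");

try { await SecretFetch.RunAsync(fetch); }
catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }

static class SecretFetch
{
    const string AuthFailure = "Azure.Identity.AuthenticationFailedException";

    // True when ex, anything it wraps, or any of their base types is the
    // Azure.Identity exception. Matching on the full type name needs no
    // compile-time reference to the Azure.Identity package.
    public static bool IsCredentialFailure(Exception ex)
    {
        for (var e = ex; e != null; e = e.InnerException)
            for (var t = e.GetType(); t != null; t = t.BaseType)
                if (t.FullName == AuthFailure) return true;
        return false;
    }

    // Runs the fetch and converts a credential failure into a type the caller owns.
    public static async Task<string> RunAsync(Func<Task<string>> fetch)
    {
        try { return await fetch(); }
        catch (Exception ex) when (IsCredentialFailure(ex))
        {
            // Fail closed: no fallback secret. The original exception is kept as
            // InnerException for logging; its text lists credential sources tried.
            throw new InvalidOperationException("Key Vault credential could not be acquired.", ex);
        }
    }
}

// Stand-in so this demo compiles and runs offline without the Azure.Identity
// package; only its full type name matters to the filter above.
namespace Azure.Identity
{
    public class AuthenticationFailedException : Exception
    {
        public AuthenticationFailedException(string message) : base(message) { }
    }
}
```

In a project that does load Azure.Identity at run time, delete the stand-in namespace; the name-based filter then matches the real type and any type derived from it.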

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 14 (13 by maintainers)

Top GitHub Comments

2 reactions
pakrym commented, Mar 23, 2020

This is a good one, without AuthenticationFailedException being in Core library authors can’t handle authentication exceptions.

We should consider using TypeForwarding and moving the exception to azure.core

cc @KrzysztofCwalina

0 reactions
pallavit commented, Jun 20, 2023

Sounds good. I will close this as not planned for now.
