Tags: python, azure-keyvault, try-except, azure-sdk-python

How to catch Key Vault SecretClient errors in the Azure Python SDK?


I'm new to Python. I have a working monolithic program that I'd like to break into individual functions (def) using try: - except: to handle errors.

What are some methods for catching errors in the creation of a Key Vault SecretClient?

Attempt 1:

  • Nothing happens here when I put in a bad kv_name.
  • I'd expect it to log the except: message specified.
import logging
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credentials = DefaultAzureCredential()

def create_kv_client(kv_name, credentials):
    kv_client = None  # stays None if the constructor raises
    try:
        kv_uri = 'https://' + kv_name + '.vault.azure.net'
        kv_client = SecretClient(vault_url=kv_uri, credential=credentials)
    except Exception:
        logging.error('####### Failed to create Key Vault Client #######')
    return kv_client

kv_client = create_kv_client('notmykeyvaultname', credentials)

Attempt 2:

  • Nothing happens here either when I put in a bad kv_name
  • I'd expect it to raise an error.
credentials = DefaultAzureCredential()

def create_kv_client(kv_name, credentials):
    kv_client = None  # stays None if the constructor raises
    try:
        kv_uri = 'https://' + kv_name + '.vault.azure.net'
        kv_client = SecretClient(vault_url=kv_uri, credential=credentials)
    except Exception:
        logging.error('####### Failed to create Key Vault Client #######')
    return kv_client

kv_client = create_kv_client('notmykeyvaultname', credentials)

if kv_client is None:
    raise Exception('Failed to create Key Vault Client')

Attempt 3:

  • Moving the try: - except: to the function call did not trigger the logging message either
  • I'd expect the SecretClient to fail here!?
credentials = DefaultAzureCredential()

def create_kv_client(kv_name, credentials):
    kv_uri = 'https://' + kv_name + '.vault.azure.net'
    kv_client = SecretClient(vault_url=kv_uri, credential=credentials)
    return kv_client

try:
    kv_client = create_kv_client('notmykeyvaultname', credentials)
except Exception:
    logging.info('####### Failed to create Key Vault client #######')

Sanity check:

  • When I run the commands outside the function, the output of a failed SecretClient is not None.
  • What can I hook into here to determine if SecretClient was successfully created?
credentials = DefaultAzureCredential()

kv_uri = 'https://' + 'notmykeyvaultname' + '.vault.azure.net'

kv_client = SecretClient(vault_url=kv_uri, credential=credentials)

kv_client

`<azure.keyvault.secrets._client.SecretClient at 0x1512046b370>`

Solution

The constructor doesn't check whether the given vault exists, or whether you can access it, so in your attempts it succeeds: you get a SecretClient instance, no error raised.

If the URL is that of a nonexistent vault, or a vault you aren't authorized to access, you'll see an error when you first try an operation:

>>> vault_url = "https://nonexistentvaultdoesnotexist.vault.azure.net"
>>> client = SecretClient(vault_url, DefaultAzureCredential())
>>> client.get_secret('secret_name')
Traceback (most recent call last):
...
azure.core.exceptions.ServiceRequestError: <urllib3.connection.VerifiedHTTPSConnection object at 0x000001E313946198>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed

Failed operations raise errors defined in azure-core which you can handle as usual with try/except blocks.
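As an added example (not part of the question or of the answer above): because the constructor validates nothing, the only reliable check is a real request. The helper below, with assumed names (open_secret_client, classify, KeyVaultUnavailable, vault_url, failing_client_factory, demo), builds the client, immediately reads one secret the application needs anyway, and maps the azure-core exception types to stable reason codes (unreachable vault, no token, 403, missing secret). It also validates kv_name before splicing it into the URL, so an untrusted value cannot point the client at a host other than *.vault.azure.net. It uses azure-core and azure-keyvault-secrets when they are installed and otherwise falls back to stand-in exception classes with the same hierarchy so the offline demo still runs; the failures in demo() are constructed, not captured from a real vault.

```python
"""Fail fast on an unusable Key Vault: SecretClient() itself never raises.

Added example, not code from the original post. All names below are assumed.
"""
import logging
import re

try:
    from azure.core.exceptions import (AzureError, ClientAuthenticationError,
                                       HttpResponseError, ResourceNotFoundError,
                                       ServiceRequestError)
    from azure.keyvault.secrets import SecretClient
except ImportError:  # azure-* not installed: stand-ins with the same hierarchy for offline runs
    class AzureError(Exception): pass
    class ServiceRequestError(AzureError): pass
    class HttpResponseError(AzureError): status_code = None
    class ClientAuthenticationError(HttpResponseError): pass
    class ResourceNotFoundError(HttpResponseError): pass
    SecretClient = None

# Approximates Azure's vault naming rule (3-24 letters, digits or hyphens, starting with a
# letter, ending with a letter or digit). Checking it before splicing the name into a URL
# also stops a value like "evil.example/#" from pointing the client at a foreign host.
VAULT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")


class KeyVaultUnavailable(Exception):
    """The vault cannot be used; `reason` is a short, stable code for callers and logs."""
    def __init__(self, reason, detail):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def vault_url(kv_name):
    if not VAULT_NAME.match(kv_name):
        raise ValueError(f"{kv_name!r} is not a valid Key Vault name")
    return f"https://{kv_name}.vault.azure.net"


def classify(exc):
    """Map an azure-core exception raised by a Key Vault call to a reason code."""
    if isinstance(exc, ClientAuthenticationError):
        return "auth"          # credential produced no token, or the vault answered 401
    if isinstance(exc, ResourceNotFoundError):
        return "not_found"     # vault reachable and readable, the probe secret is missing
    if isinstance(exc, HttpResponseError) and exc.status_code == 403:
        return "forbidden"     # authenticated, but no access policy / RBAC role
    if isinstance(exc, ServiceRequestError):
        return "unreachable"   # DNS failure (vault does not exist), network or TLS problem
    return "service_error"     # any other AzureError (5xx, throttling, ...)


def open_secret_client(kv_name, credential, probe_secret, client_factory=SecretClient):
    """Build a SecretClient and prove it works by reading one secret the app needs anyway."""
    client = client_factory(vault_url=vault_url(kv_name), credential=credential)
    try:
        client.get_secret(probe_secret)   # first real request: this is where failures surface
    except AzureError as exc:
        reason = classify(exc)
        logging.error("Key Vault %s unusable (%s): %s", kv_name, reason, exc)
        raise KeyVaultUnavailable(reason, str(exc)) from exc
    return client


def failing_client_factory(exc):
    """Offline stand-in for SecretClient whose get_secret raises `exc` (None = success)."""
    class _Client:
        def __init__(self, vault_url, credential):
            self.vault_url = vault_url
        def get_secret(self, name):
            if exc is not None:
                raise exc
    return _Client


def demo():
    """Run open_secret_client against constructed failures; returns {case: outcome}."""
    forbidden = HttpResponseError("Forbidden")
    forbidden.status_code = 403
    cases = {  # constructed sample failures, not captured from a real vault
        "ok": ("my-vault-1", None),
        "nonexistent_vault": ("notmykeyvaultname", ServiceRequestError("getaddrinfo failed")),
        "no_token": ("my-vault-1", ClientAuthenticationError("failed to retrieve a token")),
        "no_permission": ("my-vault-1", forbidden),
        "missing_secret": ("my-vault-1", ResourceNotFoundError("Secret not found")),
        "bad_name": ("evil.example/#", None),
    }
    outcomes = {}
    for case, (name, exc) in cases.items():
        try:
            open_secret_client(name, credential=None, probe_secret="db-password",
                               client_factory=failing_client_factory(exc))
            outcomes[case] = "ok"
        except KeyVaultUnavailable as err:
            outcomes[case] = err.reason
        except ValueError:
            outcomes[case] = "bad_name"
    return outcomes
```

Against a real vault, call `open_secret_client("mykeyvaultname", DefaultAzureCredential(), "db-password")` at startup and let KeyVaultUnavailable abort the process; `err.reason` tells you whether to fix the name, the identity, or the access policy without parsing message text. Offline, `demo()` shows the mapping for each constructed failure.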