Tags: azure-keyvault, azure-app-configuration

Azure app configuration throws exception & does not load the configuration when a disabled key vault secret is present as KV reference


I have an Azure App Configuration with 2 keys. Both have Key Vault references as values. When one of the Key Vault secrets is disabled for some reason (because the expiration date has passed, it is not needed for now, etc.), the entire configuration load fails with a KeyVault reference exception. I tried using SetSecretResolver, but it looks like if the registered KV client encounters any exception, the secret resolver fallback will not be called. Is there any solution for this issue? Basically, I don't want to stop loading the config if any or some of the KV secrets are disabled. BTW, I tried setting the "Options: true" to suppress the exception throwing, but that did not load the config.

App Config keys:

abc:def:key1 - has a valid Key Vault secret
abc:def:key2 - has a disabled Key Vault secret

Code:

using System;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;

public IConfiguration AzureAppConfig { get; set; }
public IConfigurationRefresher AzureAppConfigRefresher { get; set; }

// credential and builder were not shown in the original snippet; a DefaultAzureCredential
// and a plain ConfigurationBuilder are assumed here so the fragment compiles on its own.
var credential = new DefaultAzureCredential();
var builder = new ConfigurationBuilder();

builder.AddAzureAppConfiguration(options =>
{
    // "uri" is a placeholder for the App Configuration store endpoint.
    options.Connect(new Uri("uri"), credential)
        .Select("abc:def:*")
        // SetCredential registers the provider's own SecretClient for every vault,
        // so any Key Vault failure surfaces as a KeyVaultReferenceException here.
        .ConfigureKeyVault(kvOptions =>
        {
            kvOptions.SetCredential(credential);
        })
        .ConfigureRefresh(refresh =>
        {
            refresh.Register("abc:def:key1")
                .SetCacheExpiration(TimeSpan.FromMinutes(30));
        });
    AzureAppConfigRefresher = options.GetRefresher();
});

AzureAppConfig = builder.Build();

Thanks in advance for any help.


Solution

Key Vault does not allow read operations on disabled/expired secrets and throws a 403 error. This is by design. The App Config provider never hides the exceptions thrown by Key Vault because that would leave the application configuration in an undefined state. But if you want more control over error handling, you can implement your own secret resolver by using the SetSecretResolver API.

    I tried using SetSecretResolver, but it looks like if the registered KV client encounters any exception, the secret resolver fallback will not be called.

That is correct. SetSecretResolver doesn't handle errors thrown by registered SecretClient(s). It will only be used when no SecretClient has been registered with the same vault URI. This GitHub issue has more details about setting up your own secret resolution code: https://github.com/Azure/AppConfiguration-DotnetProvider/issues/209#issuecomment-743427521

Link to the same discussion on GitHub: https://github.com/Azure/AppConfiguration-DotnetProvider/issues/309
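The following is an added example, not code from the question, the answer, or the App Configuration provider project. It shows the pattern the answer points at: register only a resolver (no SetCredential and no SecretClient registration, since either would make the provider handle that vault itself and the resolver would never run), and inside the resolver treat the 403 that Key Vault returns for a disabled or expired secret as "value unavailable" while still letting every other failure abort the load. The TolerantKeyVaultResolver class, its Unresolved collection, and the store endpoint are all hypothetical names and placeholders chosen for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;

var credential = new DefaultAzureCredential();
var builder = new ConfigurationBuilder();

builder.AddAzureAppConfiguration(options =>
{
    // Placeholder endpoint; replace with your store's URL.
    options.Connect(new Uri("https://<your-store>.azconfig.io"), credential)
        .Select("abc:def:*")
        .ConfigureKeyVault(kv =>
        {
            // Only the resolver is registered. Calling SetCredential or Register(SecretClient)
            // here would register the provider's own client for the vault, and the provider
            // then never falls back to this resolver for that vault.
            kv.SetSecretResolver(uri => TolerantKeyVaultResolver.ResolveAsync(uri, credential));
        });
});

IConfiguration config = builder.Build();

// Surface what could not be resolved so an operator can see which references are
// pointing at disabled/expired secrets instead of discovering a null at runtime.
foreach (Uri uri in TolerantKeyVaultResolver.Unresolved)
{
    Console.WriteLine($"Key Vault secret unavailable (disabled or expired): {uri}");
}

// Hypothetical helper (not part of the provider): resolves Key Vault references itself.
public static class TolerantKeyVaultResolver
{
    // One SecretClient per vault, reused across all references to that vault.
    private static readonly ConcurrentDictionary<Uri, SecretClient> Clients = new();

    // Secret identifiers that returned 403; the app can inspect this after Build().
    public static readonly ConcurrentBag<Uri> Unresolved = new();

    public static async ValueTask<string> ResolveAsync(Uri secretUri, TokenCredential credential)
    {
        // The provider passes the full secret identifier:
        // https://<vault>.vault.azure.net/secrets/<name>[/<version>]
        var id = new KeyVaultSecretIdentifier(secretUri);
        SecretClient client = Clients.GetOrAdd(id.VaultUri, vault => new SecretClient(vault, credential));

        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(id.Name, id.Version);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Key Vault refuses reads of disabled/expired secrets with 403 by design.
            // Record the reference and leave the configuration value null rather than
            // failing the whole load. The secret itself stays disabled; nothing is bypassed.
            Unresolved.Add(secretUri);
            return null;
        }
        // Any other status (401 auth failure, 404 missing secret, network errors) is
        // deliberately not caught: the app should not start on a silently broken config.
    }
}
```

With this in place, abc:def:key1 resolves normally and abc:def:key2 is present in the configuration with a null value and listed in Unresolved; code that reads abc:def:key2 must still check for null rather than assume a value. Narrowing the catch to status 403 is the important design choice: widening it to all RequestFailedException instances would also hide misconfigured credentials and typos in references, which is exactly the undefined state the answer warns about.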