Azure-sdk-for-java: [BUG] Breaking changes in azure-spring-boot-starter-keyvault-secrets' configuration

Created on 17 Sep 2020  ·  3 Comments  ·  Source: Azure/azure-sdk-for-java

Describe the bug
azure-spring-boot-starter-keyvault-secrets has breaking (and wrongly documented) configuration properties.

Exception or Stack Trace
Calling this with a key vault which contains a disabled secret is a good example that shows that:

  java.lang.IllegalStateException: Failed to load ApplicationContext

  Caused by: java.lang.IllegalStateException: Failed to configure KeyVault property source

  Caused by: com.azure.core.exception.ResourceModifiedException: Status code 403, "{"error":{"code":"Forbidden","message":"Operation get is not allowed on a disabled secret.","innererror":{"code":"SecretDisabled"}}}"

To Reproduce
Steps to reproduce the behavior:

  • Create a property.yaml(!) file:

      azure:
        keyvault:
          allow:
            telemetry: false
          enabled: true
          uri: https://${KEYVAULT_NAME}.vault.azure.net/
          client-id: ${AZURE_CLIENT_ID}
          client-key: ${KEYVAULT_CLIENT_SECRET:not-a-secret}
          tenant-id: ${AZURE_TENANT}
          secret:
            keys: test1

  • Create enabled secret test1 and disabled secret test2.
  • Capture HTTP traffic intended for https://dc.services.visualstudio.com/v2/track
  • Run a Spring Boot app which simply fetches these properties

Setup

  • OS: Linux
  • IDE: IntelliJ
  • azure-spring-boot-starter-keyvault-secrets 2.3.3

Expected behavior
Similar behaviour as in 2.2.X (as documented):

azure.keyvault.secret.keys is a property to indicate that if application using specific secret keys, if this property is set, application will only load the keys in the property and won't load all the keys from keyvault

[...]

If you don't want to participate, just simply disable it by setting below configuration in application.properties.

azure.keyvault.allow.telemetry=false

→ Only test1 is fetched. No telemetry is sent.

Additional context

Information Checklist
Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report

  • [x] Bug Description Added
  • [x] Repro Steps Added
  • [x] Setup information Added
azure-spring azure-spring-keyvault customer-reported question

All 3 comments

Hi, @frank-fischer-by .

Thank you for reaching out.

IMU, secret-keys is more reasonable than secret.keys. Same to allow-telemetry.
Sorry for the breaking change.

And sorry for the non-updated document.
I have created a PR to fix the document;

Hi @chenrujun,
thanks for the update.

I'm fine either way - I just wondered about the inconsistency.
Now that I know what the correct values are I can just change the configuration 🙂.

Thanks for responding and acting so quickly 👍.

Regarding your PR: I think calling out the breaking change in the Changelog might help other people avoid it.

Hi, @frank-fischer-by .

I think calling out the breaking change in the Changelog might help other people avoid it.

It makes sense. Thank you very much for your suggestion. 🙇
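
A pre-deployment check for the renamed keys discussed in this thread, as an added example that is not part of the issue or of the Azure SDK. It flags a configuration where the legacy `secret.keys` / `allow.telemetry` spellings are present without the `secret-keys` / `allow-telemetry` forms named in the maintainer's reply; the helper names and the minimal mappings-only YAML flattener are assumptions made for illustration.

```python
# Legacy (2.2.x-documented) keys -> spellings named in the maintainer's reply.
RENAMED = {
    "azure.keyvault.secret.keys": "azure.keyvault.secret-keys",
    "azure.keyvault.allow.telemetry": "azure.keyvault.allow-telemetry",
}

def flatten_yaml(text):
    """Flatten mappings-only YAML (no lists or anchors) into dotted keys."""
    flat, stack = {}, []  # stack: (indent, key) for each open mapping level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings at the same or a deeper indent
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip()
    return flat

def audit(text):
    """List settings that would not take effect under the renamed keys."""
    flat, findings = flatten_yaml(text), []
    for old, new in RENAMED.items():
        if old in flat and new not in flat:
            findings.append(f"{old} is not read; set {new}: {flat[old]}")
    if "azure.keyvault.secret-keys" not in flat:
        findings.append("no secret-keys filter: all secrets in the vault are loaded")
    if flat.get("azure.keyvault.allow-telemetry", "true").lower() != "false":
        findings.append("telemetry is not disabled")
    return findings

# Constructed samples: the issue's repro config (trimmed) and its renamed form.
LEGACY = """azure:
  keyvault:
    allow:
      telemetry: false
    secret:
      keys: test1
"""
FIXED = """azure:
  keyvault:
    allow-telemetry: false
    secret-keys: test1
"""

if __name__ == "__main__":
    print("\n".join(audit(LEGACY)))
```

Running such a check in CI before a starter upgrade surfaces the case reported here, where the secret filter and the telemetry opt-out stop applying without any startup error about unknown properties.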
