Azure-sdk-for-js: Keyvault-Secrets: Request is missing a Bearer or PoP token error after upgrading to 4.0.3

Created on 19 May 2020 · 4Comments · Source: Azure/azure-sdk-for-js

Package Name: @azure/keyvault-secrets
Package Version: 4.0.3
Operating system: node:12.15-slim docker image
[x] nodejs
- version: 12.15
[ ] browser
- name/version:
[ ] typescript
- version: 3.8.3
Is the bug related to documentation in
- [ ] README.md
- [ ] source code documentation
- [ ] SDK API docs on https://docs.microsoft.com

Describe the bug

After upgrading @azure/keyvault-secrets from 4.0.2 to 4.0.3, we started receiving the following error:

2020-05-19T10:07:16.851038769Z (node:1) UnhandledPromiseRejectionWarning: RestError: Request is missing a Bearer or PoP token.
2020-05-19T10:07:16.851097672Z     at new RestError (/usr/src/app/node_modules/@azure/core-http/dist/coreHttp.node.js:2293:28)
2020-05-19T10:07:16.851106172Z     at /usr/src/app/node_modules/@azure/core-http/dist/coreHttp.node.js:3088:25
2020-05-19T10:07:16.851110572Z     at processTicksAndRejections (internal/process/task_queues.js:94:5)
2020-05-19T10:07:16.851181175Z (node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 5)
2020-05-19T10:07:16.851207476Z (node:1) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

The application is running in a docker image in Azure App Service and uses Managed Identity to access key vault.

To Reproduce
Using these dependencies:

    "@azure/identity": "^1.0.3",
    "@azure/keyvault-secrets": "^4.0.3",

We use approximately the following code to fetch secrets:

import { DefaultAzureCredential } from '@azure/identity';
import { SecretClient } from '@azure/keyvault-secrets';

const secretNames = ["secret1", "secret2"];

const credential = new DefaultAzureCredential();
const client = new SecretClient(vaultUrl, credential);
const secrets = await Promise.all(
  secretNames.map(name => client.getSecret(name)),
);

The app is running in a docker image in Linux Azure App Service with Managed Identity enabled.

Expected behavior
Code works and no error is thrown

Screenshots
-

Additional context
Reverting to 4.0.2 fixes the issue.

Client KeyVault bug customer-reported

Source

tomi

All 4 comments

@tomi Thank you so much, I will be working on this today.

sadasant on 19 May 2020

@tomi We're working on a solution for this. We appreciate your patience!

A draft of the solution can be seen here: https://github.com/Azure/azure-sdk-for-js/pull/9059

The challenge based authentication hotfix introduces a bug in which: Either when the client is not authenticated, or when the token is invalid, parallel network requests end up in a race condition where while one request is authenticating, the other ones fail immediately.

This was not a problem before the hotfix because the challenge based authentication was always re-authenticating before making a request.

While we release a new hotfix, you can try with any of the following temporary solutions:

Split the network requests into requests one by one. This can be done with an async loop, where you await for each call, or with something like BlueBird's Promise.each: http://bluebirdjs.com/docs/api/promise.each.html
It should also work to do a first request outside of the Promise.all, wait for it to finish, then do the rest with Promise.all, since by the time the second request happens, the client will have been safely authenticated.
You can consider downgrading to 4.0.2 while we release the hotfix.

Please let us know if anything comes up, we're here to help!

sadasant on 21 May 2020

@tomi The wait is finally over! We have released new packages that address this issue.

All of the following three packages should work as you were expecting:

https://www.npmjs.com/package/@azure/keyvault-keys/v/4.0.4
https://www.npmjs.com/package/@azure/keyvault-secrets/v/4.0.4
https://www.npmjs.com/package/@azure/keyvault-certificates/v/4.0.2

Thank you again for reporting this to us. I hope that you can continue using our SDKs with as little inconveniences as possible. If any other problem arises, please come back and let us know!

Take care.

sadasant on 2 Jun 2020

🎉1

Works now 👍 Thank you for the quick fix!

tomi on 2 Jun 2020

❤1

Was this page helpful?

0 / 5 - 0 ratings