[BUG]KeyVaultPropertySource Class/getPropertyNames method will load all secrets (including disable secrets) in the key vault #14052
Comments
ghost
added
needs-triage
|
@TonySh127-ms are you using the key vault starter or the sdk directly? |
|
Discussed with @TonySh127-ms offline and the customer used the spring-boot-starter for keyvault. Need confirmation from the SDK side that whether the new SDK solves this kind of issue. |
joshfree
added
the
Client
ghost
removed
the
needs-triage
|
@AlexGhiondea @vcolin7 can you please follow up? |
|
thanks @joshfree and @saragluna. Waiting update from @AlexGhiondea and @vcolin7 . Please let me know if it cannot fix in a short term. I can explain it to client side. Many thanks your time again! |
|
Hi @TonySh127-ms, I spent some time looking into this issue and found the following: the behavior the customer sees is caused by how the Spring Boot starter for Key Vault Secrets works. Basically, whenever a Spring application using this starter runs, it will obtain the names of all the existing secrets in a given vault by calling the /secrets endpoint, which loads all enabled and disabled secrets (not the deleted ones), the application will then retrieve details of specific secrets if required. It is not an issue with the Key Vault service or SDK but just a consequence of how the Spring Boot starter is coded. A short-term solution is not to use the Spring Boot starter but the Key Vault SDK itself directly. This way the customer will have more control about which secrets are loaded and when during an applications lifecycle. Additionally, I could not reproduce a case where my application crashed from loading too many secrets just by creating and deleting a certificate in a vault. In order to do something like this I would need more information from the customer: what dependencies they use in their project including versions and sample code where this can be reproduced. |
vcolin7
added
azure-spring
|
@vcolin7 do we have an option could pass to the SDK that load only enabled secrets? Seems like we shouldn't load the disabled secrets in our Spring integration. |
|
@saragluna Unfortunately, there is no parameter we can pass the service for it to give us enabled secrets only :/ |
|
The issue is caused by how the Spring Boot starter for Key Vault Secrets works. we didn't filter disabled secrets. now I create a PR to fix the problem |
|
@TonySh127-ms |
|
Hi Team, the issue has been confirmed fixed. We can close this thread now. Many thanks everyone great effort and time!!! |
Support custom metadata when copy to Blob or ADLS Gen2 (Azure#14052)
Describe the bug
Currently the key vault enable the soft-delete feature by default. If create/deleted the certificate will cause the Jave app crashed because it load the disabled the secret.
The KeyVaultPropertySource Class loads all secrets in the KeyVault. It should not load disabled secrets in getPropertyNames method
By the way, the workaround is purged the certificate. But it still may better improve it at SDK part because there is not request to load the soft-deleted secret
Exception or Stack Trace
Add the exception log and stack trace if available
To Reproduce
Steps to reproduce the behavior:
A. Created KeyVault Certificates (not secret) and deleted the Certificates after that the java application crashed.
C. the certificates automatically creates Secret Identifier when creating new certificates
D. And after deleting the certificate the Azure system DISABLE the secret identifier
E. In that case java application try to read the DISABLED secret in run time
i. And then java app crashed.
The library is com.microsoft.azure:azure-keyvault:1.2.2
Code Snippet
Add the code snippet that causes the issue.
@value("${cluster-app-sb-connection-string}")
String connectionString;
@value("${cluster-app.sb.topic-name}")
String topicName;
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
If applicable, add screenshots to help explain your problem.
Setup (please complete the following information):
Additional context
Add any other context about the problem here.
Information Checklist
Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report
The text was updated successfully, but these errors were encountered: