A spring boot application with the key vault starter added fails to start if the key vault contains any disabled secrets #17991
Describe the bug
If you add the key vault spring boot starter to a spring boot application and configure it correctly, it should add all the enabled secrets and their values to a property source in the Spring Boot Environment. If a secret is disabled, the application fails to start, as the starter is incorrectly trying to get the value of a disabled secret.
Exception or Stack Trace
Status code 403, "{"error":{"code":"Forbidden","message":"Operation get is not allowed on a disabled secret.","innererror":{"code":"SecretDisabled"}}}"
2020-12-04 18:43:35.340 ERROR 95317 --- [ main] o.s.boot.SpringApplication : Application run failed
com.azure.core.exception.ResourceModifiedException: Status code 403, "{"error":{"code":"Forbidden","message":"Operation get is not allowed on a disabled secret.","innererror":{"code":"SecretDisabled"}}}"
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:na]
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:na]
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:na]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[na:na]
at com.azure.core.http.rest.RestProxy.instantiateUnexpectedException(RestProxy.java:357) ~[azure-core-1.3.0.jar:na]
at com.azure.core.http.rest.RestProxy.lambda$ensureExpectedStatus$3(RestProxy.java:400) ~[azure-core-1.3.0.jar:na]
at reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:118) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.Operators$MonoSubscriber.complete(Operators.java:1712) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.MonoCacheTime$CoordinatorSubscriber.signalCached(MonoCacheTime.java:320) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.MonoCacheTime$CoordinatorSubscriber.onNext(MonoCacheTime.java:337) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.Operators$ScalarSubscription.request(Operators.java:2274) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.MonoCacheTime$CoordinatorSubscriber.onSubscribe(MonoCacheTime.java:276) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.FluxFlatMap.trySubscribeScalarMap(FluxFlatMap.java:191) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.MonoFlatMap.subscribeOrReturn(MonoFlatMap.java:53) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:48) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.MonoDefer.subscribe(MonoDefer.java:52) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.MonoCacheTime.subscribeOrReturn(MonoCacheTime.java:132) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.InternalMonoOperator.subscribe(InternalMonoOperator.java:48) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:150) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.FluxDoFinally$DoFinallySubscriber.onNext(FluxDoFinally.java:123) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.FluxHandle$HandleSubscriber.onNext(FluxHandle.java:112) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.FluxMap$MapConditionalSubscriber.onNext(FluxMap.java:213) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.FluxDoFinally$DoFinallySubscriber.onNext(FluxDoFinally.java:123) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.FluxHandleFuseable$HandleFuseableSubscriber.onNext(FluxHandleFuseable.java:178) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.FluxContextStart$ContextStartSubscriber.onNext(FluxContextStart.java:103) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.Operators$MonoSubscriber.complete(Operators.java:1712) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.MonoCollectList$MonoCollectListSubscriber.onComplete(MonoCollectList.java:121) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.FluxPeek$PeekSubscriber.onComplete(FluxPeek.java:252) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.FluxMap$MapSubscriber.onComplete(FluxMap.java:136) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.netty.channel.FluxReceive.terminateReceiver(FluxReceive.java:421) ~[reactor-netty-0.9.6.RELEASE.jar:0.9.6.RELEASE]
at reactor.netty.channel.FluxReceive.drainReceiver(FluxReceive.java:211) ~[reactor-netty-0.9.6.RELEASE.jar:0.9.6.RELEASE]
at reactor.netty.channel.FluxReceive.onInboundComplete(FluxReceive.java:369) ~[reactor-netty-0.9.6.RELEASE.jar:0.9.6.RELEASE]
at reactor.netty.channel.ChannelOperations.onInboundComplete(ChannelOperations.java:367) ~[reactor-netty-0.9.6.RELEASE.jar:0.9.6.RELEASE]
at reactor.netty.channel.ChannelOperations.terminate(ChannelOperations.java:416) ~[reactor-netty-0.9.6.RELEASE.jar:0.9.6.RELEASE]
at reactor.netty.http.client.HttpClientOperations.onInboundNext(HttpClientOperations.java:612) ~[reactor-netty-0.9.6.RELEASE.jar:0.9.6.RELEASE]
at reactor.netty.channel.ChannelOperationsHandler.channelRead(ChannelOperationsHandler.java:90) ~[reactor-netty-0.9.6.RELEASE.jar:0.9.6.RELEASE]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:321) ~[netty-codec-4.1.48.Final.jar:4.1.48.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:295) ~[netty-codec-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1486) ~[netty-handler-4.1.48.Final.jar:4.1.48.Final]
at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1247) ~[netty-handler-4.1.48.Final.jar:4.1.48.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1284) ~[netty-handler-4.1.48.Final.jar:4.1.48.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498) ~[netty-codec-4.1.48.Final.jar:4.1.48.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437) ~[netty-codec-4.1.48.Final.jar:4.1.48.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-codec-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[netty-transport-4.1.48.Final.jar:4.1.48.Final]
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:792) ~[netty-transport-native-epoll-4.1.48.Final-linux-x86_64.jar:4.1.48.Final]
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:475) ~[netty-transport-native-epoll-4.1.48.Final-linux-x86_64.jar:4.1.48.Final]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378) ~[netty-transport-native-epoll-4.1.48.Final-linux-x86_64.jar:4.1.48.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) ~[netty-common-4.1.48.Final.jar:4.1.48.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.48.Final.jar:4.1.48.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-common-4.1.48.Final.jar:4.1.48.Final]
at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
Suppressed: java.lang.Exception: #block terminated with an error
at reactor.core.publisher.BlockingSingleSubscriber.blockingGet(BlockingSingleSubscriber.java:99) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at reactor.core.publisher.Mono.block(Mono.java:1666) ~[reactor-core-3.3.4.RELEASE.jar:3.3.4.RELEASE]
at com.azure.security.keyvault.secrets.SecretClient.getSecretWithResponse(SecretClient.java:171) ~[azure-security-keyvault-secrets-4.1.1.jar:na]
at com.azure.security.keyvault.secrets.SecretClient.getSecret(SecretClient.java:150) ~[azure-security-keyvault-secrets-4.1.1.jar:na]
at com.microsoft.azure.keyvault.spring.KeyVaultOperation.get(KeyVaultOperation.java:100) ~[azure-spring-boot-2.2.5.jar:na]
at com.microsoft.azure.keyvault.spring.KeyVaultPropertySource.getProperty(KeyVaultPropertySource.java:27) ~[azure-spring-boot-2.2.5.jar:na]
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.merge(EnvironmentDecryptApplicationInitializer.java:236) ~[spring-cloud-context-2.2.1.RELEASE.jar:2.2.1.RELEASE]
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.merge(EnvironmentDecryptApplicationInitializer.java:207) ~[spring-cloud-context-2.2.1.RELEASE.jar:2.2.1.RELEASE]
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:189) ~[spring-cloud-context-2.2.1.RELEASE.jar:2.2.1.RELEASE]
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:124) ~[spring-cloud-context-2.2.1.RELEASE.jar:2.2.1.RELEASE]
at org.springframework.cloud.bootstrap.BootstrapApplicationListener$DelegatingEnvironmentDecryptApplicationInitializer.initialize(BootstrapApplicationListe
To Reproduce
Follow these instructions, and then disable any secret in the key vault you added, then try and start the spring boot application.
https://docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault
Code Snippet
N/A
Expected behavior
The application should start, read all the enabled secrets, and put them in the Spring Environment. It should not attempt to read disabled secrets, nor should it throw an exception and stop the application.
Setup (please complete the following information):
OS - any
IDE - IntelliJ though same behaviour on command line
version - "com.microsoft.azure:azure-keyvault-secrets-spring-boot-starter:2.2.5"
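A minimal model of the behaviour reported above, as an added example that is not the starter's or the Azure SDK's code: `FakeVault`, `Entry`, `loadAll` and `loadEnabled` are hypothetical names, the secret names and values are constructed, and records require Java 16 or later. It contrasts a loader that fetches every listed secret with one that filters on the enabled flag and survives a secret being disabled between the list and get calls.

```java
import java.util.*;

public class DisabledSecretLoader {
    // Constructed stand-in for one vault entry (not an Azure SDK type).
    record Entry(String name, String value, boolean enabled) {}

    // Hypothetical in-memory vault mimicking the reported behaviour: listing
    // returns every secret's properties, get() on a disabled secret is refused.
    static class FakeVault {
        private final Map<String, Entry> entries = new LinkedHashMap<>();
        FakeVault(List<Entry> list) { list.forEach(e -> entries.put(e.name(), e)); }
        Collection<Entry> listProperties() { return entries.values(); }
        String get(String name) {
            Entry e = entries.get(name);
            if (!e.enabled()) throw new IllegalStateException("403 SecretDisabled: " + name);
            return e.value();
        }
    }

    // Behaviour described in the report: every listed name is fetched.
    static Map<String, String> loadAll(FakeVault vault) {
        Map<String, String> props = new LinkedHashMap<>();
        for (Entry p : vault.listProperties()) props.put(p.name(), vault.get(p.name()));
        return props;
    }

    // Expected behaviour: skip disabled entries, and tolerate a secret that is
    // disabled between the list call and the get call.
    static Map<String, String> loadEnabled(FakeVault vault) {
        Map<String, String> props = new LinkedHashMap<>();
        for (Entry p : vault.listProperties()) {
            if (!p.enabled()) continue;
            try {
                props.put(p.name(), vault.get(p.name()));
            } catch (IllegalStateException e) {
                System.err.println("skipped " + p.name() + ": " + e.getMessage());
            }
        }
        return props;
    }

    public static void main(String[] args) {
        FakeVault vault = new FakeVault(List.of(
            new Entry("db-password", "constructed-value-1", true),
            new Entry("old-api-key", "constructed-value-2", false)));
        System.out.println("filtered loader: " + loadEnabled(vault).keySet());
        try { loadAll(vault); } catch (IllegalStateException e) {
            System.out.println("eager loader failed: " + e.getMessage());
        }
    }
}
```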