When retrieving a secret from an existing keyvault, but a non-existing secret and using the -AsPlainText parameter, an exception is thrown.
This behavior is different from when not using the -AsPlainText parameter, which is silent on not finding the secret.
Seemingly the -AsPlainText parameter contains logic that does not check if a secret could be retrieved or not.
I would expect the same behavior from both commands in the below repro.
Steps to reproduce
# The below does not return an error (if the secret is not found).
Get-AzKeyVaultSecret -VaultName "myVault" -Name "doesnotexist"
# The below returns an error (if the secret is not found).
Get-AzKeyVaultSecret -VaultName "myVault" -Name "doesnotexist" -AsPlainText
DEBUG: 9:14:02 AM - GetAzureKeyVaultSecret begin processing with ParameterSet 'ByVaultName'.
DEBUG: 9:14:02 AM - using account id '<SNIP>'...
DEBUG: [Common.Authentication]: Authenticating using Account: '<SNIP>', environment: 'AzureCloud', tenant: <SNIP>'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: ExpiresOn: 2021-03-26T09:02:10.0000000+00:00
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://vault.azure.net/.default ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://vault.azure.net/.default ] ParentRequestId: ExpiresOn: 2021-03-26T09:02:10.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '<SNIP>', UserId: '<SNIP>'
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://<SNIP>.vault.azure.net/secrets/doesnotexist/?api-version=7.0
Headers:
x-ms-client-request-id : 032c685e-2243-44ca-a66f-885da92886e0
accept-language : en-US
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
NotFound
Headers:
Pragma : no-cache
x-ms-keyvault-region : westeurope
x-ms-client-request-id : 032c685e-2243-44ca-a66f-885da92886e0
x-ms-request-id : 3d55842c-d303-430e-9a6d-dc9eee56cd11
x-ms-keyvault-service-version : 1.2.205.0
x-ms-keyvault-network-info : conn_type=Ipv4;addr=178.119.173.10;act_addr_fam=InterNetwork;
Strict-Transport-Security : max-age=31536000;includeSubDomains
X-Content-Type-Options : nosniff
Cache-Control : no-cache
Date : Fri, 26 Mar 2021 08:14:01 GMT
X-Powered-By : ASP.NET
Body:
{
"error": {
"code": "SecretNotFound",
"message": "A secret with (name/id) doesnotexist was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see
https://go.microsoft.com/fwlink/?linkid=2125182"
}
}
Get-AzKeyVaultSecret : Object reference not set to an instance of an object.
At line:1 char:1
+ Get-AzKeyVaultSecret -VaultName "<SNIP>" -Name "doesnote ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzKeyVaultSecret], NullReferenceException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret
DEBUG: AzureQoSEvent: CommandName - Get-AzKeyVaultSecret; IsSuccess - False; Duration - 00:00:00.3881320; Exception - System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret.WriteSecret(PSKeyVaultSecret secret)
at Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
DEBUG: Finish sending metric.
DEBUG: 9:14:03 AM - GetAzureKeyVaultSecret end processing.
Error output
Message : Object reference not set to an instance of an object.
StackTrace : at Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret.WriteSecret(PSKeyVaultSecret secret)
at Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Exception : System.NullReferenceException
InvocationInfo : {Get-AzKeyVaultSecret}
Line : Get-AzKeyVaultSecret -VaultName "<SNIP>" -Name "doesnotexist" -AsPlainText
Position : At line:1 char:1
+ Get-AzKeyVaultSecret -VaultName "<SNIP>" -Name "doesnote ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 114
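A defensive wrapper for scripts that need the plain-text value, added here as an example and not part of the original issue or of the Az.KeyVault module. It calls the cmdlet without -AsPlainText, checks the result for null itself, and only then converts the value; the function name `Get-KeyVaultSecretPlainText` and its `-Required` switch are hypothetical.

```powershell
# Added example: hypothetical wrapper, not code from the Az.KeyVault module.
function Get-KeyVaultSecretPlainText {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name,
        # Hypothetical switch: throw instead of returning $null when the secret is absent.
        [switch] $Required
    )

    # Call without -AsPlainText. Per the report above, this form returns
    # nothing (and raises no error) when the secret does not exist.
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -ErrorAction Stop

    # Explicit null check, so a missing secret is a defined outcome rather
    # than a NullReferenceException.
    if ($null -eq $secret) {
        if ($Required) {
            throw "Secret '$Name' was not found in vault '$VaultName'."
        }
        return $null
    }

    # SecretValue is a SecureString. NetworkCredential converts it to plain
    # text on both Windows PowerShell 5.1 and PowerShell 7.
    return [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
}

# Usage with the vault and secret names from the repro:
$value = Get-KeyVaultSecretPlainText -VaultName 'myVault' -Name 'doesnotexist'
if ($null -eq $value) {
    Write-Warning 'Secret not found.'
}
```

Pass `-Required` in deployment scripts where a missing secret should stop the run with a clear message instead of continuing with an empty value.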