PowerShell / SecretManagement

PowerShell module to consistent usage of secrets through different extension vaults
MIT License

Unhelpful error messages / incorrect input values allowed when registering AzKeyVault #190

Closed DrDallas closed 2 years ago

DrDallas commented 2 years ago

Consider the following commands:


$myAZSecretStore = 'myAzKeyVault'   # name the vault will be registered under in SecretManagement

Install-Module -Name Az -Verbose
Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore -Verbose

Connect-AzAccount # Connect; connection is successful.

# Select-Object without -ExpandProperty returns an object with a SubscriptionId property,
# not the string itself. This is a problem; we'll see why later.
$mySubscription = Get-AzSubscription | Select-Object SubscriptionId

# Same here: an object with a VaultName property, not the vault name string. This is a problem; we'll see why later.
$myKeyVaultName = Get-AzKeyVault | Select-Object VaultName

# Registration accepts the hashtable as-is; the values are never type-checked.
Register-SecretVault -ModuleName Az.KeyVault -Name $myAZSecretStore -VaultParameters @{AZKVaultName = $myKeyVaultName; SubscriptionId = $mySubscription} -Verbose # No error messages returned

Test-SecretVault # Error message returned (see below)

Test-SecretVault returns:

Test-SecretVault : To use System.Collections.Hashtable Azure vault, the current user must be logged into Azure account subscription

The problem is that $mySubscription is not a string but, instead, a Selected.Microsoft.Azure.Commands.Profile.Models.PSAzureSubscription, and $myKeyVaultName is a Selected.Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultIdentityItem. Register-SecretVault should have returned some sort of error during registration because either (1) the registration failed or (2) incorrect data/data types were supplied.

When $mySubscription and $myKeyVaultName are strings with the appropriate values, then Test-SecretVault works as expected. This works:

# -ExpandProperty unwraps the property value, so both variables are plain strings.
$mySubscription = Get-AzSubscription | Select-Object -ExpandProperty SubscriptionId # This works

$myKeyVaultName = Get-AzKeyVault | Select-Object -ExpandProperty VaultName # This works

Either Microsoft.PowerShell.SecretManagement or Az.KeyVault.Extension should return some sort of error, or, at a minimum, Test-SecretVault should return better error messages during registration because, as is seen in the code example above, the current user was logged in to the Azure account subscription.

PaulHigin commented 2 years ago

Register-SecretVault does not test vault functionality but only registers it to the SecretManagement database. Test-SecretVault is intended to verify the extension vault is functioning properly. It is up to the extension vault to provide good user messages, but you might get more information by looking closer at the error record returned by the extension vault, for example any inner exceptions associated with it.

But I agree that the initial error record message should be more helpful. Please create an issue with the Az.KeyVault.Extension repo since that is where the error is originating from.
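The two points made above, that Register-SecretVault only writes the registration without testing it and that the real cause is usually in the extension's inner exception, can be covered with a small wrapper on the caller's side. The following is an added example, not code from the issue, from Microsoft.PowerShell.SecretManagement or from Az.KeyVault.Extension. Test-VaultParameterTypes is a hypothetical helper; it rejects any VaultParameters value that is not a non-empty string, which is exactly the mistake the original report shows (a Select-Object wrapper object instead of the string). The second part assumes the Az and SecretManagement modules are installed and Connect-AzAccount has already succeeded; the vault name 'myAzKeyVault' is a placeholder.

```powershell
# Reject VaultParameters values that are not plain, non-empty strings.
# Returns an array of problem descriptions; an empty array means all values are usable.
function Test-VaultParameterTypes {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$VaultParameters)

    $problems = @()
    foreach ($key in $VaultParameters.Keys) {
        $value = $VaultParameters[$key]
        if ($null -eq $value) {
            $problems += "$key is null; expected a non-empty string"
        }
        elseif ($value -isnot [string]) {
            # This is the case from the report: Select-Object SubscriptionId yields a
            # PSCustomObject-like wrapper, which the extension later stringifies as
            # 'System.Collections.Hashtable' or similar instead of the real value.
            $problems += "$key is $($value.GetType().FullName); expected a non-empty string"
        }
        elseif ([string]::IsNullOrWhiteSpace($value)) {
            $problems += "$key is an empty string"
        }
    }
    return $problems
}

# Walk an ErrorRecord's exception chain so the extension vault's inner exception is visible.
function Show-ErrorRecordChain {
    param([Parameter(Mandatory)][System.Management.Automation.ErrorRecord]$Record)
    $ex = $Record.Exception
    $depth = 0
    while ($null -ne $ex) {
        Write-Warning ('{0}{1}: {2}' -f ('  ' * $depth), $ex.GetType().Name, $ex.Message)
        $ex = $ex.InnerException
        $depth++
    }
}

# --- Offline check: constructed input reproducing the mistake in the report ---
$broken = @{
    AZKVaultName   = [pscustomobject]@{ VaultName = 'example-kv' }        # constructed wrapper object
    SubscriptionId = [pscustomobject]@{ SubscriptionId = '00000000-0000-0000-0000-000000000000' }
}
$brokenProblems = Test-VaultParameterTypes -VaultParameters $broken
# $brokenProblems now holds two entries, one per wrapped value.
$brokenProblems | ForEach-Object { Write-Host "would be rejected: $_" }

# --- Live registration with the checks applied (requires Connect-AzAccount) ---
$vaultName = 'myAzKeyVault'   # placeholder registration name
$vaultParams = @{
    AZKVaultName   = Get-AzKeyVault      | Select-Object -First 1 -ExpandProperty VaultName
    SubscriptionId = Get-AzSubscription  | Select-Object -First 1 -ExpandProperty SubscriptionId
}

$problems = Test-VaultParameterTypes -VaultParameters $vaultParams
if ($problems.Count -gt 0) {
    throw "Refusing to register '$vaultName': $($problems -join '; ')"
}

# Registration only writes to the SecretManagement database; it does not contact Azure.
Register-SecretVault -ModuleName Az.KeyVault -Name $vaultName -VaultParameters $vaultParams -ErrorAction Stop

# Test-SecretVault is the call that actually exercises the extension. Capture its error
# records instead of letting them scroll past, and roll back the registration on failure
# so a vault that cannot be used is not left behind.
$ok = Test-SecretVault -Name $vaultName -ErrorVariable testErrors -ErrorAction SilentlyContinue
if (-not $ok) {
    foreach ($rec in $testErrors) { Show-ErrorRecordChain -Record $rec }
    Unregister-SecretVault -Name $vaultName
    throw "Vault '$vaultName' was registered but failed Test-SecretVault; registration rolled back."
}
Write-Host "Vault '$vaultName' registered and verified."
```

The offline part needs no Azure connection and shows the helper rejecting both wrapped values; the live part is where Register-SecretVault and Test-SecretVault behave as described in the thread. Printing the inner exception chain is what surfaces the extension's own message when the top-level error record is as terse as the one quoted in the report.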

DrDallas commented 2 years ago

I have opened an issue with Az.KeyVault.