[Bug] Secret URI not populated for App Configuration Settings using Key Vault References #20518

Closed
DhavalShewale opened this issue Sep 2, 2021 · 9 comments
Assignees
Labels
App Configuration Azure.ApplicationModel.Configuration bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close.

Comments

@DhavalShewale
DhavalShewale commented Sep 2, 2021

Setup

  • Package Name: azure-appconfiguration
  • Package Version: 1.2.0
  • Python Version: 3.8.3

Describe the bug

  • Version 1.1.1 would populate the uri for secret reference configuration in value field
  • However since version 1.2.0, a new type SecretReferenceConfigurationSetting was introduced. There is no field populated which could help to identify or retrieve the secret

Code Snippet

Code that works on version 1.1.1

from azure.appconfiguration import AzureAppConfigurationClient
from azure.keyvault.secrets import SecretClient
from azure.identity import AzureCliCredential

import json

# APP_CONFIG_URL, KEY_VAULT_URL, NAMESPACE_FILTER and LABEL_FILTER are defined elsewhere.
credential = AzureCliCredential()
config_client = AzureAppConfigurationClient(base_url=APP_CONFIG_URL, credential=credential)
secret_client = SecretClient(vault_url=KEY_VAULT_URL, credential=credential)

app_config = dict()

for namespace in NAMESPACE_FILTER.split(','):
    for config in config_client.list_configuration_settings(key_filter=f'/{namespace}/*', label_filter=LABEL_FILTER):
        if config.content_type == 'application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8':
            # Key Vault reference: value is JSON holding the secret URI; fetch the secret by its name
            app_config[config.key.split('/')[-1]] = secret_client.get_secret(json.loads(config.value)['uri'].split('/')[-1]).value
        else:
            # Plain setting: use the stored value as is
            app_config[config.key.split('/')[-1]] = config.value

Code Output

Config returned by version 1.1.1

  • Type of config returned - azure.appconfiguration._models.ConfigurationSetting
  • Contents:
{
  'additional_properties': {},
  'key': <key>, 
  'label': <label>, 
  'content_type': 'application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8', 
  'value': '{"uri":<keyvault_uri>}', 
  'last_modified': <last_modified>, 
  'tags': {}, 
  'read_only': False, 
  'etag': <etag>
}

Config returned by version 1.2.0

  • Type of config returned - azure.appconfiguration._models.SecretReferenceConfigurationSetting
  • Contents:
{
  'key': <key>, 
  'label': <label>, 
  'content_type': 'application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8', 
  'etag': <etag>, 
  'last_modified': <last_modified>, 
  'read_only': False, 
  'tags': {}, 
  'secret_id': None, 
  '_value': '{"secret_uri": null}'
}

Expected behavior

  • uri for the referred secret should be populated so that it can be used to retrieve the secret value using SecretClient
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Sep 2, 2021
@xiangyan99 xiangyan99 added App Configuration Azure.ApplicationModel.Configuration bug This issue requires a change to an existing behavior in the product in order to be resolved. Client This issue points to a problem in the data-plane of the library. and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. labels Sep 2, 2021
@ghost ghost added the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Sep 2, 2021
@xiangyan99
Member

Thanks for the feedback, we’ll investigate asap.

@DhavalShewale
Author

@xiangyan99 / @YalinLi0312 : Any update on this?

@xiangyan99 xiangyan99 added this to the [2021] October milestone Sep 7, 2021
@xiangyan99
Member

@DhavalShewale Thanks for the feedback.

Could you tell us where you get the content:

{
  'key': <key>, 
  'label': <label>, 
  'content_type': 'application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8', 
  'etag': <etag>, 
  'last_modified': <last_modified>, 
  'read_only': False, 
  'tags': {}, 
  'secret_id': None, 
  '_value': '{"secret_uri": null}'
}

?

SecretReferenceConfigurationSetting helps parse the value string and exposes the property secret_id, which is the uri you mentioned. It is also a sub-type of ConfigurationSetting. Its value property has the same semantic meaning as in its parent type.

Thanks.

@xiangyan99 xiangyan99 added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Sep 7, 2021
@DhavalShewale
Author

DhavalShewale commented Sep 8, 2021

@xiangyan99: What I meant by content is basically the config returned by config_client.list_configuration_settings. I have shared the entire code in the original bug report for your ready reference.

In version 1.1.1, ConfigurationSetting was returned for configuration referring to Key Vault. The value field was populated as follows:

{"uri":"https://<keyvault-name>.vault.azure.net/secrets/<secret-id>"}

The value field can be parsed to retrieve the secret-id or uri which can then subsequently help to retrieve the secret value from keyvault.

However, in version 1.2.0, SecretReferenceConfigurationSetting is returned for configuration referring to Key Vault. There is no value field available in this model and the secret_id field is populated as None. So there is no way to identify the secret-id or uri of the Key Vault secret.

@ghost ghost removed the needs-author-feedback Workflow: More information is needed from author to address the issue. label Sep 8, 2021
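
A consumer can resolve these references so that an unpopulated `secret_id` fails closed instead of reaching `SecretClient` as `None`. This is an added example, not code from the issue or from the Azure SDK: `resolve_secret_ref`, the vault host and the sample settings are hypothetical, and the settings are constructed stand-ins shaped like the two dumps in the report. It goes beyond the report by also accepting a versioned secret URI and by checking the vault host.

```python
import json
from types import SimpleNamespace
from urllib.parse import urlsplit

KEYVAULT_REF = "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8"


def resolve_secret_ref(setting, allowed_vault_host):
    """Return (secret_name, version_or_None) for a Key Vault reference setting.

    Raises ValueError instead of returning None, so a missing or foreign
    reference never reaches a secret lookup.
    """
    if getattr(setting, "content_type", None) != KEYVAULT_REF:
        raise ValueError("setting is not a Key Vault reference")
    # 1.2.0 shape: parsed attribute (None in the dump from this issue).
    uri = getattr(setting, "secret_id", None)
    if not uri:
        # 1.1.1 shape: raw JSON string {"uri": "..."} in the value field.
        try:
            uri = json.loads(getattr(setting, "value", None) or "{}").get("uri")
        except (TypeError, ValueError, AttributeError):
            uri = None
    if not isinstance(uri, str) or not uri:
        raise ValueError("Key Vault reference carries no secret URI")
    parts = urlsplit(uri)
    segments = [s for s in parts.path.split("/") if s]
    # Only follow references into the vault this application is meant to read.
    if parts.scheme != "https" or parts.hostname != allowed_vault_host.lower():
        raise ValueError(f"reference points outside the expected vault: {uri!r}")
    if len(segments) not in (2, 3) or segments[0] != "secrets":
        raise ValueError(f"unexpected secret URI path: {parts.path!r}")
    return segments[1], (segments[2] if len(segments) == 3 else None)


# Constructed sample settings (not real data), mirroring the two dumps above.
VAULT = "example-vault.vault.azure.net"  # hypothetical vault host
old_style = SimpleNamespace(
    content_type=KEYVAULT_REF,
    value='{"uri":"https://example-vault.vault.azure.net/secrets/db-password/0123abcd"}')
new_style_broken = SimpleNamespace(
    content_type=KEYVAULT_REF, secret_id=None, _value='{"secret_uri": null}')

if __name__ == "__main__":
    print(resolve_secret_ref(old_style, VAULT))
    try:
        resolve_secret_ref(new_style_broken, VAULT)
    except ValueError as exc:
        print("rejected:", exc)
```

Taking the name from the second path segment keeps a versioned URI from being read as a secret named after its version, which is what taking the last segment would do.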
@xiangyan99
Member

Thank you for providing the information @DhavalShewale.

We have figured out the cause. We will update the issue when we have a fix.

@xiangyan99
Member

xiangyan99 commented Sep 30, 2021

@DhavalShewale sorry for the late update. We are still discussing how to fix the bug without any data loss. :(

The SDK works fine in the scenario if you save and load the ConfigSetting both using it.

But if the ConfigSetting is created via portal, it does not work correctly.

If your scenario is always using the portal to create the setting and using the client SDK to consume it, I would suggest pinning version 1.1.1 as a workaround until 1.3 is released.

We will keep you posted about how the fix goes and sorry for the inconvenience.

@xiangyan99
Member

@DhavalShewale We have merged the fix. It will be available in the next release.

@YalinLi0312 YalinLi0312 added the issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. label Nov 5, 2021
@ghost

ghost commented Nov 5, 2021

Hi @DhavalShewale. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

@ghost ghost removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Nov 5, 2021
@ghost

ghost commented Nov 12, 2021

Hi @DhavalShewale, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.

@ghost ghost closed this as completed Nov 12, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023