2

I have the following line of code to return a secret from a KeyVault

string kvSecret = kVClient.GetSecretAsync(azureKeyVaultUrl, secret).Result.Value;

While this works as expected, I don't really know well how the Result.Value synchronous execution handles runtime errors, exceptions, etc.

I am trying to understand if there is any possibility when I call Result.Value where there is an error and the value returned is not actually the secret but some random error therefore my variable kvSecret doesn't contain the right value but something else.

Reason I am asking that is that I want to make sure that if the variable is not null or empty, it will always contain the secret and not other random string.

4
  • 3
    If there's an error, you'll get an exception, not a random value. You should never block an asynchronous operation though Commented Oct 19, 2018 at 22:40
  • Thanks! If I get an error, then that's exactly what's needed. This code needs to run synchronously for other reasons beyond my control. Commented Oct 19, 2018 at 22:48
  • 1
    accessing .Result is almost always wrong - string kvSecret = await kVClient.GetSecretAsync(azureKeyVaultUrl, secret); sounds more likely Commented Oct 19, 2018 at 23:02
  • 2
    if an exception is thrown, the value of kvSecret will be inaccessible; if no exception is thrown, the value is whatever the API returns Commented Oct 19, 2018 at 23:03

1 Answer 1

5

Unfortunately, the KeyVault client is designed to return a Task with KeyVaultErrorException in case a secret does not exist instead of a failure message\result.

In your case, it blows up because when you call .Result it unwraps the exception within the Task and will break the execution flow.

The best way to retrieve secret in KeyVault is wrapping the logic within a Try\Catch block like below:

try
{
    var secret = await client.GetSecretAsync(secretPath);
    //... any other logic here ...
}
catch (KeyVaultErrorException kvex)
{
    //handle key not found here
}
catch (HttpRequestException ex)
{
    //handle any other error here if needed
}

To make it easier to work with keyvault, I generally create a class to handle this logic, something like:

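public class SecretManager
{
    private readonly KeyVaultClient client;
    public SecretManager(KeyVaultClient client) { this.client = client; }

    public async Task<string> GetSecretAsync(string secretPath)
    {
        // here I wrap the logic mentioned above
        try
        {
            var secret = await client.GetSecretAsync(secretPath);
            return secret.Value;
        }
        // secret not found: return null instead of throwing
        catch (KeyVaultErrorException) { return null; }
    }
}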


The above snippet is from the top of my head, not a copy from production code

If you use a logic like above, instead of throwing the exception for secret not found, you make the proper exception handling and return a null value or a value that represents a not found secret, then you will be able to unwrap the results like expected.
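The blocking behaviour the question asks about, as an added example that is not part of the original question or answer: a faulted Task never assigns kvSecret, and the two blocking styles surface the failure differently. VaultErrorException, the local GetSecretAsync, GetSecretOrThrow and the secret name and value are constructed stand-ins so the sample runs without a vault.

```csharp
using System;
using System.Threading.Tasks;

// Constructed stand-in for KeyVaultErrorException so the sample runs offline.
class VaultErrorException : Exception { public VaultErrorException(string m) : base(m) { } }

static class Program
{
    // Stand-in for kVClient.GetSecretAsync: faults the Task when the secret is missing.
    static async Task<string> GetSecretAsync(string name)
    {
        await Task.Yield();
        if (name != "db-password") throw new VaultErrorException("SecretNotFound: " + name);
        return "s3cr3t-value"; // constructed sample value
    }

    // Blocking read that fails closed: a value comes back only from a successful call.
    static string GetSecretOrThrow(string name)
    {
        // GetAwaiter().GetResult() rethrows the original exception;
        // .Result would wrap it in an AggregateException instead.
        string value = GetSecretAsync(name).GetAwaiter().GetResult();
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException("Vault returned an empty value for " + name);
        return value;
    }

    static void Main()
    {
        string kvSecret = null;
        try { kvSecret = GetSecretAsync("missing").Result; }
        catch (AggregateException ae)
        {
            // The assignment never ran, so kvSecret still holds its initial null.
            Console.WriteLine($".Result threw {ae.InnerException.GetType().Name}; kvSecret is null: {kvSecret == null}");
        }

        try { kvSecret = GetSecretOrThrow("missing"); }
        catch (VaultErrorException ex)
        {
            Console.WriteLine($"GetResult threw {ex.GetType().Name} directly; kvSecret is null: {kvSecret == null}");
        }

        kvSecret = GetSecretOrThrow("db-password");
        Console.WriteLine($"Success path returned a {kvSecret.Length}-character secret");
    }
}
```

Blocking on a Task this way can deadlock when a synchronization context is present (classic ASP.NET request threads, UI threads), so it belongs in code paths that have none.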
