Unhelpful error messages / incorrect input values allowed when registering AzKeyVault
Closed this issue · 2 comments
Consider the following commands:
$myAZSecretStore = 'myAzKeyVault'
Install-Module -Name az -Verbose
Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore -Verbose
Connect-AzAccount # Connect; connection is successful.
$mySubscription = Get-AzSubscription | Select SubscriptionId # This is a problem; we'll see why later.
$myKeyVaultName = Get-AzKeyVault | select VaultName # This is a problem; we'll see why later.
Register-SecretVault -ModuleName Az.KeyVault -Name $myAZSecretStore -VaultParameters @{AZKVaultName = $myKeyVaultName; SubscriptionId = $mySubscription} -Verbose # No error messages returned
Test-SecretVault #Error message returned (see below)
The Test-SecretVault function returns:
Test-SecretVault : To use System.Collections.Hashtable Azure vault, the current user must be logged into Azure account subscription
The problem is that $mySubscription is not a string, but, instead, a Selected.Microsoft.Azure.Commands.Profile.Models.PSAzureSubscription, and $myKeyVaultName is a Selected.Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultIdentityItem. Register-SecretVault should have returned some sort of error during registration because either (1) the registration failed or (2) incorrect data/data types were supplied.
When $mySubscription and $myKeyVaultName are strings with the appropriate values, then Test-SecretVault works as expected. This works:
$mySubscription = Get-AzSubscription | Select -ExpandProperty SubscriptionId # This works
$myKeyVaultName = Get-AzKeyVault | select -ExpandProperty VaultName # This works
Either Microsoft.PowerShell.SecretManagement or Az.KeyVault.Extension should return some sort of error, or, at a minimum, Test-SecretVault should return better error messages during registration because, as is seen in the code example above, the current user was logged in to the Azure account subscription.
Register-SecretVault does not test vault functionality but only registers it to the SecretManagement database. Test-SecretVault is intended to verify the extension vault is functioning properly. It is up to the extension vault to provide good user messages, but you might get more information by looking closer at the error record returned by the extension vault, for example any inner exceptions associated with it.
But I agree that the initial error record message should be more helpful. Please create an issue with the Az.KeyVault.Extension repo since that is where the error is originating from.
I have opened an issue with Az.KeyVault.
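A pre-registration check for the type mismatch discussed in this thread, as an added example that is not part of the issue, of SecretManagement or of Az.KeyVault. The helper name Assert-VaultParameterStrings, the sample objects, and the assumption that SubscriptionId must parse as a GUID are constructed for illustration.

```powershell
# Hypothetical helper (not a SecretManagement cmdlet): reject VaultParameters
# values that are not plain strings before they are stored by Register-SecretVault.
function Assert-VaultParameterStrings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $VaultParameters,
        # Assumption: values under these keys must parse as GUIDs.
        [string[]] $GuidKeys = @('SubscriptionId')
    )
    foreach ($key in $VaultParameters.Keys) {
        $value = $VaultParameters[$key]
        if ($value -isnot [string]) {
            # Select-Object without -ExpandProperty yields a 'Selected.*' object;
            # several matches with -ExpandProperty yield System.Object[].
            $typeName = if ($null -eq $value) { 'null' } else { $value.PSObject.TypeNames[0] }
            throw "VaultParameters['$key'] is $typeName, not a string. Use Select-Object -ExpandProperty."
        }
        if ([string]::IsNullOrWhiteSpace($value)) {
            throw "VaultParameters['$key'] is empty."
        }
        $parsed = [guid]::Empty
        if ($GuidKeys -contains $key -and -not [guid]::TryParse($value, [ref] $parsed)) {
            throw "VaultParameters['$key'] is not a GUID: '$value'"
        }
    }
    return $true
}

# Constructed stand-ins for Get-AzSubscription / Get-AzKeyVault output (no Azure needed).
$sub   = [pscustomobject]@{ SubscriptionId = '00000000-0000-0000-0000-000000000000'; Name = 'demo' }
$vault = [pscustomobject]@{ VaultName = 'example-vault' }

# Same shape as the failing commands in the issue: wrapper objects, not strings.
$bad  = @{ AZKVaultName   = ($vault | Select-Object VaultName)
           SubscriptionId = ($sub | Select-Object SubscriptionId) }
# Same shape as the working commands: the property values themselves.
$good = @{ AZKVaultName   = ($vault | Select-Object -ExpandProperty VaultName)
           SubscriptionId = ($sub | Select-Object -ExpandProperty SubscriptionId) }

try { Assert-VaultParameterStrings -VaultParameters $bad } catch { Write-Warning $_.Exception.Message }
if (Assert-VaultParameterStrings -VaultParameters $good) {
    # Registration can proceed with validated values, for example:
    # Register-SecretVault -ModuleName Az.KeyVault -Name 'myAzKeyVault' -VaultParameters $good
    'VaultParameters validated'
}
```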