handle keyvault reference error

Author: zhiyuanliang-ms

src/AzureAppConfigurationImpl.ts

@@ -369,8 +369,8 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
                         postAttempts += 1;
                         backoffDuration = calculateBackoffDuration(postAttempts);
                     }
+                    console.warn(`Failed to load. Error message: ${error.message}. It Will retry in ${backoffDuration} ms.`);
                     await new Promise(resolve => setTimeout(resolve, backoffDuration));
-                    console.warn("Failed to load configuration settings at startup. Retrying...");
                 }
             } while (!abortSignal.aborted);
         }

src/error.ts

@@ -23,6 +23,16 @@ export class ArgumentError extends Error {
     }
 }
 
+/**
+ * Error thrown when it fails to get the secret from the Key Vault.
+ */
+export class KeyVaultReferenceError extends Error {
+    constructor(message: string) {
+        super(message);
+        this.name = "KeyVaultReferenceError";
+    }
+}
+
 export function isFailoverableError(error: any): boolean {
     if (!isRestError(error)) {
         return false;

src/keyvault/AzureKeyVaultKeyValueAdapter.ts

@@ -5,7 +5,7 @@ import { ConfigurationSetting, isSecretReference, parseSecretReference } from "@
 import { IKeyValueAdapter } from "../IKeyValueAdapter.js";
 import { KeyVaultOptions } from "./KeyVaultOptions.js";
 import { getUrlHost } from "../common/utils.js";
-import { ArgumentError } from "../error.js";
+import { ArgumentError, KeyVaultReferenceError } from "../error.js";
 import { SecretClient, parseKeyVaultSecretIdentifier } from "@azure/keyvault-secrets";
 
 export class AzureKeyVaultKeyValueAdapter implements IKeyValueAdapter {
@@ -29,21 +29,24 @@ export class AzureKeyVaultKeyValueAdapter implements IKeyValueAdapter {
             throw new ArgumentError("Failed to process the key vault reference. The keyVaultOptions is not configured.");
         }
 
-        // precedence: secret clients > credential > secret resolver
         const { name: secretName, vaultUrl, sourceId, version } = parseKeyVaultSecretIdentifier(
             parseSecretReference(setting).value.secretId
         );
-
-        const client = this.#getSecretClient(new URL(vaultUrl));
-        if (client) {
-            const secret = await client.getSecret(secretName, { version });
-            return [setting.key, secret.value];
-        }
-
-        if (this.#keyVaultOptions.secretResolver) {
-            return [setting.key, await this.#keyVaultOptions.secretResolver(new URL(sourceId))];
+        try {
+            // precedence: secret clients > credential > secret resolver
+            const client = this.#getSecretClient(new URL(vaultUrl));
+            if (client) {
+                const secret = await client.getSecret(secretName, { version });
+                return [setting.key, secret.value];
+            }
+            if (this.#keyVaultOptions.secretResolver) {
+                return [setting.key, await this.#keyVaultOptions.secretResolver(new URL(sourceId))];
+            }
+        } catch (error) {
+            throw new KeyVaultReferenceError(buildKeyVaultReferenceErrorMessage(error.message, setting, sourceId));
         }
 
+        // When code reaches here, it means that the key vault reference cannot be resolved in all possible ways.
         throw new ArgumentError("Failed to process the key vault reference. No key vault secret client, credential or secret resolver callback is configured.");
     }
 
@@ -75,3 +78,7 @@ export class AzureKeyVaultKeyValueAdapter implements IKeyValueAdapter {
         return undefined;
     }
 }
+
+function buildKeyVaultReferenceErrorMessage(message: string, setting: ConfigurationSetting, secretIdentifier?: string ): string {
+    return `${message} Key: ${setting.key} Label: ${setting.label ?? ""} ETag: ${setting.etag ?? ""} SecretIdentifier: ${secretIdentifier ?? ""}`;
+}