update

Author: zhiyuanliang-ms

src/error.ts

@@ -2,6 +2,8 @@
 // Licensed under the MIT license.
 
 import { isRestError } from "@azure/core-rest-pipeline";
+import { AuthenticationError } from "@azure/identity";
+
 
 /**
  * Error thrown when an operation cannot be performed by the Azure App Configuration provider.
@@ -27,13 +29,16 @@ export class ArgumentError extends Error {
  * Error thrown when a Key Vault reference cannot be resolved.
  */
 export class KeyVaultReferenceError extends Error {
-    constructor(message: string) {
-        super(message);
+    constructor(message: string, options?: ErrorOptions) {
+        super(message, options);
         this.name = "KeyVaultReferenceError";
     }
 }
 
 export function isFailoverableError(error: any): boolean {
+    if (error instanceof AuthenticationError) {
+        return true;
+    }
     if (!isRestError(error)) {
         return false;
     }

src/keyvault/AzureKeyVaultKeyValueAdapter.ts

@@ -27,11 +27,12 @@ export class AzureKeyVaultKeyValueAdapter implements IKeyValueAdapter {
         if (!this.#keyVaultOptions) {
             throw new ArgumentError("Failed to process the Key Vault reference because Key Vault options are not configured.");
         }
-
-        const { name: secretName, vaultUrl, sourceId, version } = parseKeyVaultSecretIdentifier(
-            parseSecretReference(setting).value.secretId
-        );
+        let sourceId;
         try {
+            const { name: secretName, vaultUrl, sourceId: parsedSourceId, version } = parseKeyVaultSecretIdentifier(
+                parseSecretReference(setting).value.secretId
+            );
+            sourceId = parsedSourceId;
             // precedence: secret clients > credential > secret resolver
             const client = this.#getSecretClient(new URL(vaultUrl));
             if (client) {
@@ -42,7 +43,7 @@ export class AzureKeyVaultKeyValueAdapter implements IKeyValueAdapter {
                 return [setting.key, await this.#keyVaultOptions.secretResolver(new URL(sourceId))];
             }
         } catch (error) {
-            throw new KeyVaultReferenceError(buildKeyVaultReferenceErrorMessage(error.message, setting, sourceId));
+            throw new KeyVaultReferenceError(buildKeyVaultReferenceErrorMessage(setting, sourceId), { cause: error });
         }
 
         // When code reaches here, it means that the key vault reference cannot be resolved in all possible ways.
@@ -79,6 +80,6 @@ export class AzureKeyVaultKeyValueAdapter implements IKeyValueAdapter {
     }
 }
 
-function buildKeyVaultReferenceErrorMessage(message: string, setting: ConfigurationSetting, secretIdentifier?: string ): string {
-    return `${message} Key: '${setting.key}' Label: '${setting.label ?? ""}' ETag: '${setting.etag ?? ""}' SecretIdentifier: '${secretIdentifier ?? ""}'`;
+function buildKeyVaultReferenceErrorMessage(setting: ConfigurationSetting, secretIdentifier?: string ): string {
+    return `Failed to resolve Key Vault reference. Key: '${setting.key}' Label: '${setting.label ?? ""}' ETag: '${setting.etag ?? ""}' SecretIdentifier: '${secretIdentifier ?? ""}'`;
 }