azure-sdk-for-python icon indicating copy to clipboard operation
azure-sdk-for-python copied to clipboard
verified publisher icon Azure

[Key Vault] Raise useful error when `KeyReleasePolicy` is incorrectly created

Open mccoyp opened this issue 2 years ago • 2 comments

The KeyReleasePolicy model expects an encoded_policy parameter as bytes. If a string is passed instead, no error is raised -- but when the created policy is provided to a create_key request, the service returns an error suggesting that the policy was never provided (see https://github.com/Azure/azure-sdk-for-python/issues/29945):

azure.core.exceptions.HttpResponseError: (BadParameter) AKV.SKR.1004: Exportable keys must have release policy.

This doesn't make the cause of the failure obvious at all. Though input validation is generally avoided, we should raise an error when a string is provided to the KeyReleasePolicy constructor so that users have an easier way to identify the problem.

mccoyp avatar Apr 20 '23 23:04 mccoyp

30000 🎉

EpicWink avatar May 17 '23 03:05 EpicWink

After further testing, the service just drops invalid release policies from keys -- i.e. if you create a non-exportable key with an invalid policy, the creation is successful. The created key just won't have any release policy attached.

This means that keys could be successfully created and used for non-release operations, even if a bad policy was passed along prior. Non-breaking error behavior is a little trickier as a result.

mccoyp avatar Sep 06 '23 22:09 mccoyp