feat: add 'get' call before executing encrypt/decrypt because the sdk…

… produces weird errors on those if the vault is inaccessible
lukasjarosch · Oct 12, 2023 · bfc3c49 · bfc3c49
1 parent bb13770
commit bfc3c49
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/secret/driver/azure.go b/secret/driver/azure.go
@@ -82,6 +82,14 @@ func (driver *Azure) Encrypt(input string) (string, error) {
 	if driver.config.IgnoreVersion {
 		version = ""
 	}
+
+	// execute a get first because 'encrypt' produces weird errors if one does not
+	// have access to the vault/key. At least `GetKey` produces a somewhat more usable error like a 401.
+	_, err := driver.client.GetKey(context.TODO(), driver.config.KeyName, version, nil)
+	if err != nil {
+		return "", err
+	}
+
 	res, err := driver.client.Encrypt(context.TODO(), driver.config.KeyName, version, encryptParams, nil)
 	if err != nil {
 		return "", err
@@ -91,6 +99,7 @@ func (driver *Azure) Encrypt(input string) (string, error) {
 }
 
 func (driver *Azure) Decrypt(input string) (string, error) {
+
 	decoded, err := base64.RawStdEncoding.DecodeString(input)
 	if err != nil {
 		return "", err
@@ -105,6 +114,14 @@ func (driver *Azure) Decrypt(input string) (string, error) {
 	if driver.config.IgnoreVersion {
 		version = ""
 	}
+
+	// execute a get first because 'decrypt' produces weird errors if one does not
+	// have access to the vault/key. At least `GetKey` produces a somewhat more usable error like a 401.
+	_, err = driver.client.GetKey(context.TODO(), driver.config.KeyName, version, nil)
+	if err != nil {
+		return "", err
+	}
+
 	res, err := driver.client.Decrypt(context.TODO(), driver.config.KeyName, version, encryptParams, nil)
 	if err != nil {
 		return "", err