[Key Vault] 'TypeError: string indices must be integers' Raised During Retrieval

[ColtAllen]

• Package Names: azure-keyvault-keys (v4.4.0) & azure-keyvault-secrets (v4.3.0)
• Operating System: Cloud AzureML Service
• Python Versions: 3.6.9 & 3.8.1

When attempting to retrieve KeyVault keys or secrets using either the SecretClient() or KeyClient() method in an AzureML Notebook, the following error trace is returned:

---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
<ipython-input-51-f5144f2ccb52> in <module>
     63 
     64 client = KeyClient(vault_url=keyVaultName, credential=token)
---> 65 retrieved_key = client.get_key('KEY-NAME')

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azure/core/tracing/decorator.py in wrapper_use_tracer(*args, **kwargs)
     81             span_impl_type = settings.tracing_implementation()
     82             if span_impl_type is None:
---> 83                 return func(*args, **kwargs)
     84 
     85             # Merge span is parameter is set, but only if no explicit parent are passed

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azure/keyvault/keys/_client.py in get_key(self, name, version, **kwargs)
    276                 :dedent: 8
    277         """
--> 278         bundle = self._client.get_key(self.vault_url, name, key_version=version or "", error_map=_error_map, **kwargs)
    279         return KeyVaultKey._from_key_bundle(bundle)
    280 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azure/keyvault/keys/_generated/_operations_mixin.py in get_key(self, vault_base_url, key_name, key_version, **kwargs)
   1337         mixin_instance._serialize.client_side_validation = False
   1338         mixin_instance._deserialize = Deserializer(self._models_dict(api_version))
-> 1339         return mixin_instance.get_key(vault_base_url, key_name, key_version, **kwargs)
   1340 
   1341     def get_key_versions(

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azure/keyvault/keys/_generated/v7_2/operations/_key_vault_client_operations.py in get_key(self, vault_base_url, key_name, key_version, **kwargs)
    362 
    363         if response.status_code not in [200]:
--> 364             map_error(status_code=response.status_code, response=response, error_map=error_map)
    365             error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, response)
    366             raise HttpResponseError(response=response, model=error)

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azure/core/exceptions.py in map_error(status_code, response, error_map)
     99     if not error_type:
    100         return
--> 101     error = error_type(response=response)
    102     raise error
    103 

/anaconda/envs/azureml_py36/lib/python3.6/site-packages/azure/keyvault/keys/_shared/exceptions.py in _get_exception_for_key_vault_error(cls, response)
     22     try:
     23         body = ContentDecodePolicy.deserialize_from_http_generics(response)
---> 24         message = "({}) {}".format(body["error"]["code"], body["error"]["message"])  # type: Optional[str]
     25     except (DecodeError, KeyError):
     26         # Key Vault error response bodies should have the expected shape and be deserializable.

TypeError: string indices must be integers

This type of error is usually raised whenever a list iterator is ran against a dictionary. Do these packages require Python>3.8.1?

[YalinLi0312]

Thanks for your feedback, we'll investigate asap.

[mccoyp]

Hi @ColtAllen, thank you for opening an issue! Both of these packages support Python 3.6+, so you should be good there. I don't remember having seen this error before, so I'm looking into it now and will try to reproduce this locally. In the meantime, I have a couple of questions that would help me understand the context more:

• First, are you seeing similar errors with any other SDK packages?
• Second, are you able to make any successful calls with either client (e.g. setting a secret or listing keys)?
• Lastly, would it be possible to capture the contents of the erroring response?

[mccoyp]

Update on this: I created an AzureML Notebook and tried to reproduce the issue, but I was able to successfully get a key and secret. Would it be possible to share a snippet of code from where this error is happening?

[ColtAllen]

Hey @mccoyp, I appreciate your prompt response.

• First, are you seeing similar errors with any other SDK packages?

We did not encounter any errors when using the asynchronous azure.keyvault.secrets.aio package, which has an identical code syntax to that of azure-keyvault-secrets. However, the secrets in question are database credentials, and the DB connector was not able to interpret the coroutine objects returned by azure.keyvault.secrets.aio. Asynchronous processes are also outside the scope of our project.

• Second, are you able to make any successful calls with either client (e.g. setting a secret or listing keys)?

I am not. At this time the Key Vault does not contain any keys, only secrets. However, the same TypeError: string indices must be integers message is being returned for both the key and secret clients. If the resource does not exist, shouldn't a ResourceNotFoundError or HttpResponseError be raised instead?

• Lastly, would it be possible to capture the contents of the erroring response?

The error trace is provided in my original post for this issue.

Update on this: I created an AzureML Notebook and tried to reproduce the issue, but I was able to successfully get a key and secret. Would it be possible to share a snippet of code from where this error is happening?

Unfortunately the original code was wiped out while resolving a merge conflict and is no longer available. However, after escalating this issue I was granted access to the Key Vault and noticed the secrets I was attempting to retrieve were expired. I'll recreate the secrets and see if I'm still getting the same error.

I will direct any further questions about the Key Vault service to Security Support. However, seeing as this now may be an issue regarding error handling (please see my bolded comments in this post) I would like to keep this open for now.

[mccoyp]

You're right that this kind of error response is surprising -- usually an HttpResponseError is raised for general errors relating to service issues, and I would have expected to see a response like that in the case of fetching an expired secret. I don't think I've tried getting an expired secret before, though, so that could be the source of the issue (I'll make a note to try this out!). I'm curious to see if renewing the secrets will resolve the issue, but I agree that leaving this open as a tracker for the error response is a good idea.

[ghost]

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

[ColtAllen]

After working with MS Security and registering an app in the Azure Active Directory, I am now able to access the key vault without issue. However, I can also retrieve expired secrets; shouldn't that raise an error?

The code that raised the original error generated an authentication token via a user-defined function to access the key vault. It's interesting an improper authentication would raise a TypeError, but that seems to be what caused the issue.

I've notified MS Security about the expired secret access. If that is outside the scope of error handling, then this issue can be closed out.

[ColtAllen]

I was just notified by MS Security that my above inquiry is expected behavior. This issue can now be closed.