SecretClient.list_properties_of_secrets() nextlink URL does not match the original vault URL provided to the secret client

[krissmilne]

• Package Name: azure.keyvault.secrets.SecretClient
• Package Version: 4.7.0
• Operating System: Amazon Linux 2
• Python Version: 3.8.16

Describe the bug
When constructing the SecretClient with a custom domain name for the Azure Vault URL and calling list_properties_of_secrets() method, the nextlink for the ItemPaged iterator returns the default public Vault URL.

This causes subsequent iterations to fail.

To Reproduce

1. Connecting to Azure Key Vault using a Private Endpoint with an Azure Application Gateway
   • The problem may also exist if just using a Private Endpoint without Azure Application Gateway
2. Custom DNS record resolves to the front end of the Azure Application Gateway
3. Construct the SecretClient with the vault_url set to the URL of the Application Gateway
4. Call SecretClient.list_properties_of_secrets()
5. If the number of secrets exceeds the page and a nextlink is returned for the ItemPaged iterator, the nextlink is set to the public URL of the Key Vault
6. The next API calls to Key Vault Secrets uses the public vault URL

Expected behavior
The nextlink URL should match the FQDN of the original vault_url supplied to the SecretClient

Verbose Logs Output
18/04/2023 07:45:06: DEBUG: https://my-example-key-vault.custom.domain.name:443 "GET /secrets?api-version=7.4 HTTP/1.1" 200 6307

18/04/2023 07:45:06: INFO: Response status: 200
Response headers:
'Date': 'Tue, 18 Apr 2023 07:45:06 GMT'
'Content-Type': 'application/json; charset=utf-8'
'Content-Length': '6307'
'Connection': 'keep-alive'
'Cache-Control': 'no-cache'
'Pragma': 'no-cache'
'Expires': '-1'
'x-ms-keyvault-region': 'eastasia'
'x-ms-client-request-id': 'REDACTED'
'x-ms-request-id': 'REDACTED'
'x-ms-keyvault-service-version': '1.9.775.1'
'x-ms-keyvault-network-info': 'conn_type=PrivateLink;private_endpoint=/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/privateEndpoints/REDACTED;addr=REDACTED;act_addr_fam=InterNetworkV6;'
'X-Content-Type-Options': 'REDACTED'
'Strict-Transport-Security': 'REDACTED'

18/04/2023 07:45:06: DEBUG: Response status: '200'
Response headers:
'Date': 'Tue, 18 Apr 2023 07:45:06 GMT'
'Content-Type': 'application/json; charset=utf-8'
'Content-Length': '6307'
'Connection': 'keep-alive'
'Cache-Control': 'no-cache'
'Pragma': 'no-cache'
'Expires': '-1'
'x-ms-keyvault-region': 'eastasia'
'x-ms-client-request-id': 'REDACTED'
'x-ms-request-id': 'REDACTED'
'x-ms-keyvault-service-version': '1.9.775.1'
'x-ms-keyvault-network-info': 'conn_type=PrivateLink;private_endpoint=/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/privateEndpoints/REDACTED;addr=REDACTED;act_addr_fam=InterNetworkV6;'
'X-Content-Type-Options': 'nosniff'
'Strict-Transport-Security': 'max-age=31536000;includeSubDomains'
Response content:
{"value":[REDACTED],"nextLink":"https://REDACTED.vault.azure.net:443/secrets?api-version=7.4&$skiptoken=REDACTED"}

18/04/2023 07:45:06: DEBUG: Request URL: 'https://REDACTED.azure.net:443/secrets?api-version=7.4&$skiptoken=REDACTED'
Request method: 'GET'
Request headers:
'x-ms-client-request-id': 'REDACTED'
'User-Agent': 'azsdk-python-keyvault-secrets/4.7.0 Python/3.8.16 (Linux-4.14.296-222.539.amzn2.x86_64-x86_64-with-glibc2.2.5)'
Request body:
This request has no body

18/04/2023 07:45:06: INFO: Request URL: 'https://REDACTED.vault.azure.net:443/secrets?api-version=REDACTED&$skiptoken=REDACTED'
Request method: 'GET'
Request headers:
'x-ms-client-request-id': 'REDACTED'
'User-Agent': 'azsdk-python-keyvault-secrets/4.7.0 Python/3.8.16 (Linux-4.14.296-222.539.amzn2.x86_64-x86_64-with-glibc2.2.5)'
No body was attached to the request

18/04/2023 07:45:06: DEBUG: Starting new HTTPS connection (1): REDACTED.vault.azure.net:443

18/04/2023 07:47:15: DEBUG: Request URL: 'https://REDACTED.vault.azure.net:443/secrets?api-version=7.4&$skiptoken=REDACTED'
Request method: 'GET'
Request headers:
'x-ms-client-request-id': 'REDACTED'
'User-Agent': 'azsdk-python-keyvault-secrets/4.7.0 Python/3.8.16 (Linux-4.14.296-222.539.amzn2.x86_64-x86_64-with-glibc2.2.5)'
Request body:
This request has no body

18/04/2023 07:47:15: INFO: Request URL: 'https://REDACTED.vault.azure.net:443/secrets?api-version=REDACTED&$skiptoken=REDACTED'
Request method: 'GET'
Request headers:
'x-ms-client-request-id': 'REDACTED'
'User-Agent': 'azsdk-python-keyvault-secrets/4.7.0 Python/3.8.16 (Linux-4.14.296-222.539.amzn2.x86_64-x86_64-with-glibc2.2.5)'
No body was attached to the request

[krissmilne]

I've been able to implement the following workaround for this problem, however, this issue should still be resolved.

By using the by_page() method of the ItemPaged returned object, it's possible to override the continuation_token before the next page is retrieved from the API.

secret_properties = secret_client.list_properties_of_secrets()
pages = secret_properties.by_page()
for page in pages:
    if pages.continuation_token:
        if urlparse(pages.continuation_token).hostname != urlparse(secret_client.vault_url).hostname:
            pages.continuation_token = pages.continuation_token.replace(urlparse(
                pages.continuation_token).hostname, urlparse(secret_client.vault_url).hostname)
        for secret in page:
            print(secret.name)

[kashifkhan]

Hi @krissmilne , thank you for the feedback. We will investigate and get back to you asap.

[mccoyp]

Hi @krissmilne, thank you for opening an issue! I'm glad you were able to figure out a temporary workaround. Just to confirm, is the https://my-example-key-vault.custom.domain.name:443 URL in your log output referring to the desired, private vault name while the https://REDACTED.vault.azure.net:443 URL refers to the public vault name?

If that's the case, it looks like our library may have to interpret the service response and conditionally decide whether to use the nextLink domain, much like what you implemented in your workaround. That's something we'd need to discuss with the service team, as modifying the service response instead could make this easier and less error prone.

[github-actions]

Hi @krissmilne. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

[krissmilne]

Hi @mccoyp , that is correct, the original vault_url provided to the SecretClient was https://my-example-key-vault.custom.domain.name:443 this has been modified for the purposes of this public issue. This is a private DNS name that resolves to a Private Endpoint. The Azure REST API appears to respond with the nextlink that resolves to the Key Vaults default public URL https://REDACTED.vault.azure.net:443.

I agree with your assessment, this appears to be an issue with the REST API service that is responding incorrectly, rather than an issue with the Python SDK.