Bugfix for error when creating a new Azure Keyvault

AzureKeyVault/AzureClient.cs

@@ -158,8 +158,17 @@ public virtual async Task<KeyVaultResource> CreateVault()
 
                 logger.LogTrace($"getting subscription info for provided subscription id {VaultProperties.SubscriptionId}");
 
-                SubscriptionResource subscription = KvManagementClient.GetSubscriptionResource(SubscriptionResource.CreateResourceIdentifier(VaultProperties.SubscriptionId));
-                ResourceGroupResource resourceGroup = subscription.GetResourceGroup(VaultProperties.ResourceGroupName);
+                var subscription = KvManagementClient.GetSubscriptionResource(SubscriptionResource.CreateResourceIdentifier(VaultProperties.SubscriptionId));
+
+                var resourceGroups = subscription.GetResourceGroups();
+                ResourceGroupResource resourceGroup = await resourceGroups.GetAsync(VaultProperties.ResourceGroupName);
+                logger.LogTrace("calling getAsync on resourcegroup...");
+                await resourceGroup.GetAsync();
+                logger.LogTrace("completed getAsync on resource group...");
+
+                var s = resourceGroup.HasData.ToString();
+
+                logger.LogTrace($"resource group has data?: {s}");
 
                 AzureLocation loc;
 
@@ -170,7 +179,7 @@ public virtual async Task<KeyVaultResource> CreateVault()
                     {
                         logger.LogTrace($"no Vault Region location specified for new Vault, Getting available regions for resource group {resourceGroup.Data.Name}.");
                         var locOptions = await resourceGroup.GetAvailableLocationsAsync();
-                        logger.LogTrace($"got location options for subscription {subscription.Data.SubscriptionId}", locOptions);
+                        logger.LogTrace($"got location options for subscription {VaultProperties.SubscriptionId}", locOptions);
                         loc = locOptions.Value.FirstOrDefault();
                     }
                     catch (Exception ex)
@@ -276,9 +285,22 @@ public virtual async Task<IEnumerable<CurrentInventoryItem>> GetCertificatesAsyn
 
                 logger.LogTrace($"got a pageable response");
             }
+            catch (AuthenticationFailedException ex)
+            {
+                logger.LogError($"Authentication failed: {ex.Message}");
+                logger.LogError(LogHandler.FlattenException(ex));
+                throw;
+            }
+            catch (RequestFailedException ex) // Catch other potential Azure-specific errors
+            {
+                logger.LogError($"Azure Key Vault operation failed: {ex.Status} - {ex.Message}");
+                logger.LogError(LogHandler.FlattenException(ex));
+                throw;
+            }
             catch (Exception ex)
             {
                 logger.LogError($"Error performing inventory.  {ex.Message}", ex);
+                logger.LogError(LogHandler.FlattenException(ex));
                 throw;
             }
 

AzureKeyVault/Jobs/AzureKeyVaultJob.cs

@@ -40,7 +40,7 @@ public void InitializeStore(dynamic config)
                 // ClientSecret can be omitted for managed identities, required for service principal auth
                 VaultProperties.ClientSecret = PAMUtilities.ResolvePAMField(PamSecretResolver, logger, "Server Password", config.ServerPassword);
 
-                if (VaultProperties.ClientSecret == null)
+                if (string.IsNullOrEmpty(VaultProperties.ClientSecret))
                 {
                     logger.LogTrace("No client secret provided, assuming Managed Identity authentication");
                 }

AzureKeyVault/Jobs/Management.cs

@@ -17,7 +17,6 @@
 using Keyfactor.Orchestrators.Extensions.Interfaces;
 using System.Collections.Generic;
 using Newtonsoft.Json;
-using System.Security.AccessControl;
 
 namespace Keyfactor.Extensions.Orchestrator.AzureKeyVault
 {
@@ -42,15 +41,18 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
             {
                 Result = OrchestratorJobStatusJobResult.Failure,
                 FailureMessage = "Invalid Management Operation"
-            };
-
-            string tagsJSON;
-            bool preserveTags;
+            };            
 
             logger.LogTrace("parsing entry parameters.. ");
-
-            tagsJSON = config.JobProperties[EntryParameters.TAGS] as string ?? string.Empty;
-            preserveTags = config.JobProperties[EntryParameters.PRESERVE_TAGS] as bool? ?? false;
+            string tagsJSON = string.Empty;
+            bool preserveTags = false;
+            if (config.JobProperties != null)
+            {
+                config.JobProperties.TryGetValue(EntryParameters.TAGS, out object tagsJSONObj);
+                config.JobProperties.TryGetValue(EntryParameters.PRESERVE_TAGS, out object preserveTagsObj);
+                tagsJSON = tagsJSONObj == null ? string.Empty : tagsJSONObj.ToString();
+                preserveTags = preserveTagsObj == null ? false : Boolean.Parse(preserveTagsObj.ToString());
+            }
 
             switch (config.OperationType)
             {

CHANGELOG.md

@@ -1,3 +1,7 @@
+- 3.1.11
+  - bug fix for error when creating new Azure Keyvaults
+  - documentation updates
+
 - 3.1.10
   - bug fix for government cloud host name resolution
 

README.md

@@ -70,7 +70,7 @@ The high level steps required to configure the Azure Keyvault Orchestrator exten
 
 1) [Configure the Azure Keyvault for client access](#configure-the-azure-keyvault-for-client-access)
 
-1) [Create the Store Type in Keyfactor](#create-the-akv-certificate-store-type)
+1) [Create the Store Type in Keyfactor](#akv-certificate-store-type)
 
 1) [Install the Extension on the Orchestrator](#installation)
 
@@ -544,7 +544,7 @@ To use the Azure Key Vault Universal Orchestrator extension, you **must** create
 
 
 The Azure Keyvault Certificate Store Type is designed to integrate with Microsoft Azure Key Vault, enabling users to
-manage and automate the lifecycle of cryptographic certificates stored in Azure Key Vault through Keyfactor Command.
+manage and automate the lifecycle of cryptographic certificates stored in Azure Keyvault through Keyfactor Command.
 This Certificate Store Type represents the connection and configuration necessary to interact with specific instances of
 Azure Key Vault, allowing for operations such as inventory, addition, removal, and discovery of certificates and
 certificate stores.
@@ -565,6 +565,11 @@ However, ensuring that the orchestrator has network access to Azure endpoints is
 mindful of these caveats and limitations will help ensure successful deployment and use of the Azure Keyvault
 Certificate Store Type within your organization’s security framework.
 
+> :warning:
+> The alias you provide when enrolling a certificate will be used as the certificate name in Azure Keyvault.
+> Consequently; [it must _only_ contain alphanumeric characters and hyphens](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftkeyvault).
+> If you encounter the error "The request URI contains an invalid name" when attempting to perform an enrollment, it is likely due to the use of disallowed characters in the alias.
+
 
 
 
@@ -633,7 +638,7 @@ the Keyfactor Command Portal
    ##### Advanced Tab
    | Attribute | Value | Description |
    | --------- | ----- | ----- |
-   | Supports Custom Alias | Optional | Determines if an individual entry within a store can have a custom Alias. |
+   | Supports Custom Alias | Required | Determines if an individual entry within a store can have a custom Alias. |
    | Private Key Handling | Optional | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
    | PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
 

docsource/akv.md

@@ -1,7 +1,7 @@
 ## Overview
 
 The Azure Keyvault Certificate Store Type is designed to integrate with Microsoft Azure Key Vault, enabling users to
-manage and automate the lifecycle of cryptographic certificates stored in Azure Key Vault through Keyfactor Command.
+manage and automate the lifecycle of cryptographic certificates stored in Azure Keyvault through Keyfactor Command.
 This Certificate Store Type represents the connection and configuration necessary to interact with specific instances of
 Azure Key Vault, allowing for operations such as inventory, addition, removal, and discovery of certificates and
 certificate stores.
@@ -22,3 +22,8 @@ However, ensuring that the orchestrator has network access to Azure endpoints is
 mindful of these caveats and limitations will help ensure successful deployment and use of the Azure Keyvault
 Certificate Store Type within your organization’s security framework.
 
+> :warning:
+> The alias you provide when enrolling a certificate will be used as the certificate name in Azure Keyvault.
+> Consequently; [it must _only_ contain alphanumeric characters and hyphens](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftkeyvault).
+> If you encounter the error "The request URI contains an invalid name" when attempting to perform an enrollment, it is likely due to the use of disallowed characters in the alias.
+

docsource/content.md

@@ -25,7 +25,7 @@ The high level steps required to configure the Azure Keyvault Orchestrator exten
 
 1) [Configure the Azure Keyvault for client access](#configure-the-azure-keyvault-for-client-access)
 
-1) [Create the Store Type in Keyfactor](#create-the-akv-certificate-store-type)
+1) [Create the Store Type in Keyfactor](#akv-certificate-store-type)
 
 1) [Install the Extension on the Orchestrator](#installation)
 

integration-manifest.json

@@ -19,7 +19,7 @@
           "BlueprintAllowed": false,
           "Capability": "AKV",
           "ClientMachineDescription": "The GUID of the tenant ID of the Azure Keyvault instance; for example, '12345678-1234-1234-1234-123456789abc'.",
-          "CustomAliasAllowed": "Optional",
+          "CustomAliasAllowed": "Required",
           "EntryParameters": [
             {
               "Name": "CertificateTags",