[TEST] az keyvault secret show --vault-name returns misleading error when vault DNS is unreachable

[notyashhh]

Describe the bug

When running az keyvault secret show --vault-name myvault --name mysecret, if the Key Vault DNS is unreachable (e.g., due to private endpoint misconfiguration), the error message is misleading:

ERROR: (VaultNotFound) The vault "myvault" was not found. 

The actual issue is DNS resolution failure, not that the vault does not exist. This sends users down the wrong debugging path (checking vault names, subscription, etc.) when the real problem is network/DNS.

Steps to reproduce

1. Create a Key Vault with private endpoint enabled
2. Disable/misconfigure the private DNS zone
3. Run: az keyvault secret show --vault-name myvault --name mysecret
4. Observe misleading "VaultNotFound" error

Expected behavior

The error should indicate DNS resolution failure, e.g.:

ERROR: Could not resolve hostname "myvault.vault.azure.net". Check your network configuration and ensure private DNS is correctly configured if using private endpoints.

Environment

• az cli version: 2.85.0
• OS: Ubuntu 22.04
• Shell: bash
• Python: 3.11.2

---

This is a test issue for validating the Sentinel triage agent. It will be closed after testing.

[yonzhan]

Thank you for opening this issue, we will look into it.

[microsoft-github-policy-service]

🔔 Routing this issue to @act-identity-squad.

[notyashhh]

🔍 Sentinel Analysis

Category: bug | Severity: P2-medium | Component: KeyVault

Sentinel Triage Analysis

Component: KeyVault (az keyvault secret show)
Verdict: Action Required
Severity: P2-Medium

Root Cause

The misleading error occurs because of how the keyvault command handler processes HTTP 404 responses. When a vault has private endpoints enabled but private DNS is misconfigured:

1. DNS resolves to the public IP instead of the private IP
2. The request hits the public endpoint, which returns HTTP 404 (public access denied)
3. The CLI's show_exception_handler() wraps this as ResourceNotFoundError with the service message: (VaultNotFound) The vault "myvault" was not found.

The error handling code is in _command_type.py. There is already a partial handler for complete DNS failures (ClientRequestError with 'Failed to establish a new connection'), but the 404/VaultNotFound path lacks guidance about private endpoint configuration.

Suggested Fix

Enhance the error message for VaultNotFound (404) responses to include:

• A suggestion to verify private DNS zone configuration if using private endpoints
• A note that this error can occur when DNS resolves to the public endpoint for a private-endpoint-only vault

This could be implemented in keyvault_exception_handler() or by intercepting the 404 before show_exception_handler is called.

---

🤖 This analysis was generated by Sentinel, an AI triage agent for the Identity Squad.

---

Verdict: ⚠️ ActionRequired

Root Cause Analysis:
The error path is traced through the keyvault module's custom command type handler in src/azure-cli/azure/cli/command_modules/keyvault/_command_type.py. When az keyvault secret show is called, the CLI constructs a vault URL ({vault-name}.vault.azure.net) and the azure-keyvault-secrets SDK makes an HTTP request. There are two DNS failure scenarios:

1. Complete DNS failure (no resolution): A ClientRequestError with 'Failed to establish a new connection' is raised. The existing keyvault_exception_handler() (line 32-49 of _command_type.py) catches this and returns: 'Max retries exceeded attempting to connect to Vault. The Vault may not exist or you may need to flush your DNS cache and try again later.' — this is partially helpful but still misleading ('may not exist').

2. DNS resolves to wrong IP (private DNS misconfigured → resolves to public IP): The request reaches the public endpoint, which returns HTTP 404 because public access is disabled. The show_exception_handler() in src/azure-cli-core/azure/cli/core/commands/arm.py (line 466-476) catches the 404, wraps it as ResourceNotFoundError with the service's original message: '(VaultNotFound) The vault "myvault" was not found.' This is the primary scenario described in the issue and is genuinely misleading.

The fix location is in keyvault_exception_handler() and/or the keyvault_command_handler() try/except block in _command_type.py. For scenario 2, the 404 VaultNotFound should include additional guidance about private endpoint/DNS configuration. For scenario 1, the existing message should be improved to be more specific about DNS resolution failure.

Version: Reporter is on az cli 2.85.0 (latest). This is a long-standing UX issue, not a regression.

Note: The issue body contains a footer indicating this is a test issue for Sentinel validation, but the described bug is technically valid.

Duplicate Check:
No duplicate issues found. Searched for: 'keyvault secret show vault DNS unreachable', 'VaultNotFound DNS', 'keyvault DNS resolution', 'VaultNotFound private endpoint', 'keyvault error message private endpoint', 'keyvault private DNS' — all returned zero results in Azure/azure-cli. This appears to be a novel issue report.

Scope: in-scope — Key Vault commands (az keyvault) are explicitly owned by the Identity Squad. The issue involves error message handling in the keyvault command module (_command_type.py), which is within the squad's ownership. The fix would be in Identity-owned source files.

Fix Feasibility: easy
Fix Description: Modify keyvault_exception_handler() in _command_type.py to intercept HttpResponseError/ResourceNotFoundError with 'VaultNotFound' code and append guidance text: 'If this vault uses private endpoints, verify that your private DNS zone is correctly configured and that DNS resolves to the private IP address.' Also improve the existing ClientRequestError message to remove the ambiguous 'may not exist' wording and emphasize DNS/network troubleshooting.

Use /sentinel fix to generate a PR with this fix.

---

Analysis by Sentinel — ACT Identity Squad triage agent.
Commands: /sentinel analyze · /sentinel fix · /sentinel similar

[microsoft-github-policy-service]

🔔 Routing this issue to @act-identity-squad.

[notyashhh]

Closing test issue. Sentinel triage agent validated successfully.