Azure
diff --git a/‎.vscode/cspell.json
Lines changed: 29 additions & 0 deletions b/‎.vscode/cspell.json
Lines changed: 29 additions & 0 deletions
diff --git a/‎eng/versioning/version_client.txt
Lines changed: 5 additions & 0 deletions b/‎eng/versioning/version_client.txt
Lines changed: 5 additions & 0 deletions
diff --git a/‎pom.xml
Lines changed: 1 addition & 0 deletions b/‎pom.xml
Lines changed: 1 addition & 0 deletions
diff --git a/‎sdk/keyvault-v2/.gitignore
Lines changed: 67 additions & 0 deletions b/‎sdk/keyvault-v2/.gitignore
Lines changed: 67 additions & 0 deletions
diff --git a/‎sdk/keyvault-v2/README.md
Lines changed: 37 additions & 0 deletions b/‎sdk/keyvault-v2/README.md
Lines changed: 37 additions & 0 deletions
diff --git a/‎sdk/keyvault-v2/TROUBLESHOOTING.md
Lines changed: 175 additions & 0 deletions b/‎sdk/keyvault-v2/TROUBLESHOOTING.md
Lines changed: 175 additions & 0 deletions
@@ -16,6 +16,7 @@
     "**/checkstyle-suppressions.xml",
     "**/spotbugs-exclude.xml",
     "**/sdk/**/target/**",
+    "**/sdk/**/target/**",
     "**/session-records/**",
     "**/sdk/**/**/assets.json",
     "**/sdk/**/*-matrix.json",
@@ -1385,6 +1386,34 @@
       "words": [
         "AISEARCH"
       ]
+    },
+    {
+      "filename": "sdk/keyvault-v2/*",
+      "words": [
+        "azsdkengsys",
+        "baos",
+        "centralus",
+        "ekus",
+        "FIPS",
+        "IMDS",
+        "inprogress",
+        "mhsm",
+        "myaccount",
+        "myalias",
+        "mydomain",
+        "myissuer",
+        "northcentralus",
+        "OAEP",
+        "RLSIGN",
+        "RSAES",
+        "RSNULL",
+        "SECG",
+        "SECP",
+        "southcentralus",
+        "uksouth",
+        "upns",
+        "vcolin" // TODO: Remove after all TODOs are removed from the codebase
+      ]
     }
   ],
   "allowCompoundWords": true
 
@@ -493,6 +493,10 @@ com.azure.v2:azure-core;2.0.0-beta.1;2.0.0-beta.1
 com.azure.v2:azure-core-test;2.0.0-beta.1;2.0.0-beta.1
 com.azure.v2:azure-data-appconfiguration;2.0.0-beta.1;2.0.0-beta.1
 com.azure.v2:azure-identity;2.0.0-beta.1;2.0.0-beta.1
+com.azure.v2:azure-security-keyvault-administration;5.0.0-beta.1;5.0.0-beta.1
+com.azure.v2:azure-security-keyvault-certificates;5.0.0-beta.1;5.0.0-beta.1
+com.azure.v2:azure-security-keyvault-secrets;5.0.0-beta.1;5.0.0-beta.1
+com.azure.v2:azure-security-keyvault-keys;5.0.0-beta.1;5.0.0-beta.1
 io.clientcore:clientcore-parent;1.0.0-beta.3;1.0.0-beta.3
 io.clientcore:core;1.0.0-beta.9;1.0.0-beta.10
 io.clientcore:http-netty4;1.0.0-beta.1;1.0.0-beta.1
@@ -513,6 +517,7 @@ io.clientcore:annotation-processor-test;1.0.0-beta.1;1.0.0-beta.1
 unreleased_io.clientcore:core;1.0.0-beta.10
 unreleased_io.clientcore:annotation-processor;1.0.0-beta.3
 unreleased_com.azure.v2:azure-core;2.0.0-beta.1
+unreleased_com.azure.v2:azure-identity;2.0.0-beta.1
 
 # Released Beta dependencies: Copy the entry from above, prepend "beta_", remove the current
 # version and set the version to the released beta. Released beta dependencies are only valid
 
@@ -129,6 +129,7 @@
     <module>sdk/iothub</module>
     <module>sdk/iotoperations</module>
     <module>sdk/keyvault</module>
+    <module>sdk/keyvault-v2</module>
     <module>sdk/kubernetesconfiguration</module>
     <module>sdk/kusto</module>
     <module>sdk/labservices</module>
 
@@ -0,0 +1,67 @@
+*.class
+*.cer
+*.key
+*.pfx
+
+#External libs
+extlib/
+
+# Auth files
+*.auth
+*.azureauth
+
+# Local checkstyle
+*.checkstyle
+
+# Mobile Tools for Java (J2ME)
+.mtj.tmp/
+
+# Package Files #
+*.jar
+*.war
+*.ear
+
+# Azure Tooling #
+node_modules
+packages
+
+# Eclipse #
+*.pydevproject
+.project
+.metadata
+bin/**
+tmp/**
+tmp/**/*
+*.tmp
+*.bak
+*.swp
+*~.nib
+local.properties
+.classpath
+.settings/
+.loadpath
+bin/
+
+# Other Tooling #
+.classpath
+.project
+**/target/classes/**
+**/target/generated-sources/**
+**/target/generate-test-sources/**
+**/target/maven-status/**
+**/target/test-classes/com/**
+**/target/surefire-reports/**
+**/target/maven-archiver/**
+!**/target/test-classes/session-records/**
+.idea
+*.iml
+
+# Mac OS #
+.DS_Store
+.DS_Store?
+
+# Windows #
+Thumbs.db
+
+# reduced pom files should not be included
+dependency-reduced-pom.xml
@@ -0,0 +1,37 @@
+# Azure Key Vault client libraries for Java
+
+[![Build Status](https://dev.azure.com/azure-sdk/public/_apis/build/status/598?branchName=main)](https://dev.azure.com/azure-sdk/public/_build/latest?definitionId=598) [![Build Documentation](https://img.shields.io/badge/documentation-published-blue.svg)](https://azuresdkartifacts.blob.core.windows.net/azure-sdk-for-java/index.html) [![Dependencies](https://img.shields.io/badge/dependencies-analyzed-blue.svg)](https://azuresdkartifacts.blob.core.windows.net/azure-sdk-for-java/staging/dependencies.html) [![SpotBugs](https://img.shields.io/badge/SpotBugs-Clean-success.svg)](https://azuresdkartifacts.blob.core.windows.net/azure-sdk-for-java/staging/spotbugsXml.html) [![CheckStyle](https://img.shields.io/badge/CheckStyle-Clean-success.svg)](https://azuresdkartifacts.blob.core.windows.net/azure-sdk-for-java/staging/checkstyle-aggregate.html)
+
+Azure Key Vault is a cloud service that provides secure storage of certificates, cryptographic keys and secrets used by
+cloud applications and services.
+
+Azure Key Vault Managed HSM is a fully-managed, highly-available, single-tenant, standards-compliant cloud service that
+enables you to safeguard cryptographic keys for your cloud applications using FIPS 140-2 Level 3 validated HSMs.
+
+For more information refer to [About Azure Key Vault][azure_keyvault] and
+[What is Azure Key Vault Managed HSM?][azure_keyvault_mhsm].
+
+Documentation for this SDK can be found at [Azure Key Vault Java Documentation][azure_keyvault_java].
+
+## Getting started
+
+To get started with a specific library, see the **README.md** file located in the library's project folder. You can find
+service libraries in the `/sdk/keyvault-v2/azure-security-keyvault-<subcomponent>` directory.
+
+- [Azure Key Vault Keys][azure_keyvault_keys_library] is a cloud service that enables you to safeguard and manage
+  cryptographic keys.
+- [Azure Key Vault Certificates][azure_keyvault_certificates_library] is a cloud service that allows you to securely
+  manage and tightly control your certificates.
+- [Azure Key Vault Secrets][azure_keyvault_secrets_library] is a cloud service that provides management and secure
+  storage for secrets, such as passwords and database connection strings.
+- The [Azure Key Vault Administration][azure_keyvault_administration_library] library clients support administrative
+  tasks such as full backup/restore and key-level role-based access control (RBAC) for Azure Key Vault Managed HSM.
+
+<!-- LINKS -->
+[azure_keyvault]: https://learn.microsoft.com/azure/key-vault/general/overview
+[azure_keyvault_java]: https://learn.microsoft.com/java/api/overview/azure/keyvault
+[azure_keyvault_mhsm]: https://learn.microsoft.com/azure/key-vault/managed-hsm/overview
+[azure_keyvault_administration_library]: https://github.com/vcolin7/azure-sdk-for-java/blob/feature/vicolina/keyvault/v2/sdk/keyvault-v2/azure-security-keyvault-administration/README.md
+[azure_keyvault_certificates_library]: https://github.com/vcolin7/azure-sdk-for-java/blob/feature/vicolina/keyvault/v2/sdk/keyvault-v2/azure-security-keyvault-certificates/README.md
+[azure_keyvault_keys_library]: https://github.com/vcolin7/azure-sdk-for-java/blob/feature/vicolina/keyvault/v2/sdk/keyvault-v2/azure-security-keyvault-keys/README.md
+[azure_keyvault_secrets_library]: https://github.com/vcolin7/azure-sdk-for-java/blob/feature/vicolina/keyvault/v2/sdk/keyvault-v2/azure-security-keyvault-secrets/README.md
@@ -0,0 +1,175 @@
+# Troubleshooting Azure Key Vault SDK Issues
+The Azure Key Vault SDKs for Java use a common HTTP pipeline and authentication to create, update, and delete secrets, keys, and certificates in Key Vault and Managed HSM. This troubleshooting guide contains steps for diagnosing issues common to these SDKs.
+
+For package-specific troubleshooting guides, see any of the following:
+
+* [Troubleshooting guide for the Azure Key Vault Administration SDK][kv_admin_troubleshooting]
+* [Troubleshooting guide for the Azure Key Vault Certificates SDK][kv_certs_troubleshooting]
+* [Troubleshooting guide for the Azure Key Vault Keys SDK][kv_keys_troubleshooting]
+* [Troubleshooting guide for the Azure Key Vault Secrets SDK][kv_secrets_troubleshooting]
+
+## Table of Contents
+* [Troubleshooting Authentication Issues](#troubleshooting-authentication-issues)
+    * [HTTP 401 Errors](#http-401-errors)
+        * [Frequent HTTP 401 Errors in Logs](#frequent-http-401-errors-in-logs)
+        * [AKV10032: Invalid issuer](#akv10032--invalid-issuer)
+    * [HTTP 403 Errors](#http-403-errors)
+        * [Operation Not Permitted](#operation-not-permitted)
+        * [Access Denied to First Party Service](#access-denied-to-first-party-service)
+    * [Other authentication issues](#other-authentication-issues)
+        * [Tenant authentication issues](#tenant-authentication-issues)
+        * [Incorrect challenge resource](#incorrect-challenge-resource)
+* [Other Service Errors](#other-service-errors)
+    * [HTTP 429: Too Many Requests](#http-429--too-many-requests)
+* [Support](#support)
+
+## Troubleshooting Authentication Issues
+### HTTP 401 Errors
+HTTP 401 errors may indicate problems authenticating, but silent 401 errors are also an expected part of the Azure Key Vault authentication flow.
+
+#### Frequent HTTP 401 Errors in Logs
+Most often, this is expected. Azure Key Vault issues a challenge for initial requests that force authentication. You may see these errors most often during application startup, but may also see these periodically during the application's lifetime when authentication tokens are near expiration.
+
+If you are not seeing subsequent exceptions from the Key Vault SDKs, authentication challenges are likely the cause. If you continuously see 401 errors without successful operations, there may be an issue with the authentication library that's being used. We recommend using the Azure SDK's [azure-identity] library for authentication.
+
+#### AKV10032: Invalid issuer
+You may see an error similar to:
+
+```text
+com.azure.v2.core.exception.HttpResponseException: Status code 401, "{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/{tenant 1}/, found https://sts.windows.net/{tenant 2}/."}}"
+```
+
+This is most often caused by being logged into a different tenant than the Key Vault authenticates. See our [DefaultAzureCredential] documentation to see the order credentials are read. You may be logged into a different tenant for one credential that gets read before another credential. For example, you might be logged into Visual Studio under the wrong tenant even though you're logged into the Azure CLI under the correct tenant.
+
+Automatic tenant discovery support has been added when referencing package `azure-identity` version 1.4.0 or newer, and any of the following Key Vault SDK package versions or newer:
+
+| Package                                  | Minimum Version |
+|------------------------------------------|-----------------|
+| `azure-security-keyvault-administration` | 5.0.0-beta.1    |
+| `azure-security-keyvault-certificates`   | 5.0.0-beta.1    |
+| `azure-security-keyvault-keys`           | 5.0.0-beta.1    |
+| `azure-security-keyvault-secrets`        | 5.0.0-beta.1    |
+
+Upgrading to the package versions should resolve any "Invalid Issuer" errors as long as the application or user is a member of the resource's tenant.
+
+### HTTP 403 Errors
+HTTP 403 errors indicate the user is not authorized to perform a specific operation in Key Vault or Managed HSM.
+
+#### Operation Not Permitted
+You may see an error similar to:
+
+```text
+com.azure.v2.core.exception.HttpResponseException: Status code 403, {"error":{"code":"Forbidden","message":"Operation decrypt is not permitted on this key.","innererror":{"code":"KeyOperationForbidden"}}}
+```
+
+The operation and inner `code` may vary, but the rest of the text will indicate which operation is not permitted. This error indicates that the authenticated application or user does not have permissions to perform that operation, though the cause may vary.
+
+1. Check that the application or user has the appropriate permissions:
+    * [Access policies][access_policies] (Key Vault)
+    * [Role-Based Access Control (RBAC)][rbac] (Key Vault and Managed HSM)
+2. If the appropriate permissions are assigned to your application or user, make sure you are authenticating as that user.
+   If using the [DefaultAzureCredential], a different credential might've been used than one you expected.
+   [Enable logging][identity_logging] and you will see which credential the [DefaultAzureCredential] used as shown below, and why previously-attempted credentials were rejected.
+
+   ```text
+   [ERROR] c.azure.identity.EnvironmentCredential   : Azure Identity => ERROR in EnvironmentCredential: Missing required environment variable AZURE_CLIENT_ID
+   [ERROR] c.azure.identity.EnvironmentCredential   : EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
+   [INFO] c.azure.identity.DefaultAzureCredential  : Azure Identity => Attempted credential EnvironmentCredential is unavailable.
+   [ERROR] c.a.i.implementation.IdentityClient      : ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established, connect timed out.
+   [ERROR] c.a.identity.ManagedIdentityCredential   : Azure Identity => ERROR in getToken() call for scopes [https://management.core.windows.net//.default]: ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established, connect timed out.
+   [INFO] c.azure.identity.DefaultAzureCredential  : Azure Identity => Attempted credential ManagedIdentityCredential is unavailable.
+   [ERROR] c.a.identity.SharedTokenCacheCredential  : Azure Identity => ERROR in getToken() call for scopes [https://management.core.windows.net//.default]: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
+   [INFO] c.azure.identity.DefaultAzureCredential  : Azure Identity => Attempted credential SharedTokenCacheCredential is unavailable.
+   [ERROR] com.azure.v2.identity.IntelliJCredential    : Azure Identity => ERROR in getToken() call for scopes [https://management.core.windows.net//.default]: Unrecognized field "tenantId" (class com.azure.v2.identity.implementation.IntelliJAuthMethodDetails), not marked as ignorable (4 known properties: "authMethod", "azureEnv", "accountEmail", "credFilePath"])
+   ```
+
+#### Access Denied to First Party Service
+You may see an error similar to:
+
+```text
+com.azure.v2.core.exception.HttpResponseException: Status code 403, {"error":{"code":"Forbidden","message":"Access denied to first party service. ...","innererror":{"code":"AccessDenied"}}}
+```
+
+The error `message` may also contain the tenant ID (`tid`) and application ID (`appid`). This error may occur because:
+
+1. You have the **Allow trust services** option enabled and are trying to access the Key Vault from a service not on
+   [this list](https://docs.microsoft.com/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services) of
+   trusted services.
+2. You are authenticated against a Microsoft Account (MSA) in Visual Studio or another credential provider. See
+   [above](#operation-not-permitted) for troubleshooting steps.
+
+### Other authentication issues
+
+See our Azure Identity [troubleshooting guide][identity_troubleshooting] for general guidance on authentication errors.
+
+#### Multi-tenant authentication issues
+
+If a `ClientAuthenticationException` is thrown with a message similar to:
+
+> The current credential is not configured to acquire tokens for tenant
+
+See our [troubleshooting guide for multi-tenant authentication issues][identity_multitenant]. Read our [release notes](https://aka.ms/azsdk/blog/multi-tenant-guidance) for more information about this change.
+
+#### Incorrect challenge resource
+
+If an exception is thrown with a message similar to:
+
+> The challenge resource '<my-key-vault>.vault.azure.net' does not match the requested domain. If you wish to disable this check for your client, pass 'true' to the SecretClientBuilder.disableChallengeResourceVerification() method when building it. See https://aka.ms/azsdk/blog/vault-uri for more information.
+
+Check that the resource is expected - that you're not receiving an authentication challenge from an unknown host which may indicate an incorrect request URI. If the resource is correct but you're using a mock service or non-transparent proxy, use the `disableChallengeResourceVerification()` when creating your clients with a client builder, for example:
+
+```java
+import com.azure.v2.core.TokenCredential;
+import com.azure.v2.identity.DefaultAzureCredentialBuilder;
+import com.azure.v2.security.keyvault.secrets.SecretClient;
+import com.azure.v2.security.keyvault.secrets.SecretClientBuilder;
+
+public class MyClass {
+    public static void main(String[] args) {
+        TokenCredential credential = new DefaultAzureCredentialBuilder().build();
+        SecretClient client = new SecretClientBuilder()
+            .vaultUrl("https://my-key-vault.vault.azure.net/")
+            .credential(credential)
+            .disableChallengeResourceVerification();
+    }
+}
+```
+
+Read our [release notes][release_notes_resource] for more information about this change.
+
+## Other Service Errors
+To troubleshoot additional HTTP service errors not described below, see [Azure Key Vault REST API Error Codes][kv_error_codes].
+
+### HTTP 429: Too Many Requests
+If you get an exception or see logs that describe HTTP 429, you may be making too many requests to Key Vault too quickly.
+
+Possible solutions include:
+
+1. Use a singleton for any `CertificateClient`, `KeyClient`, `CryptographyClient`, or `SecretClient` and their async counterparts in your application for a single Key Vault.
+2. Use a single instance of [DefaultAzureCredential] or other credential you use to authenticate your clients for each Key Vault or Managed HSM endpoint you need to access.
+3. You could cache a certificate, key, or secret in memory for a time to reduce calls to retrieve them.
+4. Use [Azure App Configuration][azure_appconfiguration] for storing non-secrets and references to Key Vault secrets. Storing all app configuration in Key Vault will increase the likelihood of requests being throttled as more application instances are started.
+5. If you are performing encryption or decryption operations, consider using wrap and unwrap operations for a symmetric key which this may also improve application throughput.
+
+See our [Azure Key Vault throttling guide][throttling_guide] for more information.
+
+## Support
+
+For additional support, please search our [existing issues](https://github.com/Azure/azure-sdk-for-java/issues) or [open a new issue](https://github.com/Azure/azure-sdk-for-java/issues/new/choose). You may also find existing answers on community sites like [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-keyvault+java).
+
+[access_policies]: https://docs.microsoft.com/azure/key-vault/general/assign-access-policy
+[azure_appconfiguration]: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/appconfiguration/azure-data-appconfiguration/README.md
+[azure-identity]: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/README.md
+[DefaultAzureCredential]: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/README.md#defaultazurecredential
+[kv_admin_troubleshooting]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault-v2/azure-security-keyvault-administration/TROUBLESHOOTING.md
+[kv_certs_troubleshooting]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault-v2/azure-security-keyvault-certificates/TROUBLESHOOTING.md
+[kv_error_codes]: https://docs.microsoft.com/azure/key-vault/general/rest-error-codes
+[kv_keys_troubleshooting]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault-v2/azure-security-keyvault-keys/TROUBLESHOOTING.md
+[kv_secrets_troubleshooting]: https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault-v2/azure-security-keyvault-secrets/TROUBLESHOOTING.md
+[identity_logging]: https://docs.microsoft.com/azure/developer/java/sdk/logging-overview
+[identity_troubleshooting]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/TROUBLESHOOTING.md
+[identity_multitenant]: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/TROUBLESHOOTING.md#troubleshoot-multi-tenant-authentication-issues
+[rbac]: https://docs.microsoft.com/azure/key-vault/general/rbac-guide
+[release_notes_resource]: https://aka.ms/azsdk/blog/vault-uri
+[release_notes_tenant]: https://aka.ms/azsdk/blog/multi-tenant-guidance
+[throttling_guide]: https://docs.microsoft.com/azure/key-vault/general/overview-throttling