feat: enhance error messaging for environment secrets fetching permission by coleheflin · Pull Request #1930

feat: enhance error messaging for environment secrets fetching permission by coleheflin · Pull Request #1930 · astronomer/astro-cli

Problem

Users encountering environment secrets fetching permission errors during astro dev start --deployment-id XXX receive a cryptic error message that provides no actionable guidance for resolution.

Current Error Message:

Error: showSecrets on organization with id clt4farh34gm801n753x80fo8 is not allowed

This error occurs when the organization does not have "Environment Secrets Fetching" enabled in organization settings, but users have no way to understand what this means or how to resolve it.

Solution

Enhanced error handling in the environment objects listing flow to detect secrets fetching permission errors and provide specific, actionable troubleshooting guidance.

New Error Message:

Error: environment secrets fetching is not enabled for this organization.

To resolve this issue:
• Ask an organization administrator to enable "Environment Secrets Fetching" in organization settings
• Navigate to Organization Settings > General > Environment Secrets Fetching
• Toggle the setting to "Enabled"

This setting controls whether deployments can access organization environment secrets during local development.

Without this setting enabled, you can still use 'astro dev start' without the --deployment-id flag for local development.

Technical Implementation

Changes Made

Enhanced Error Detection (cloud/environment/environment.go):

Added isSecretsFetchingNotAllowedError() helper function to detect API permission errors
Enhanced listEnvironmentObjects() to intercept and transform secrets permission errors
Implemented error chain checking to handle wrapped errors properly

Comprehensive Testing (cloud/environment/environment_test.go):

Added TestIsSecretsFetchingNotAllowedError() with 11 test cases covering:
- Exact error message matching
- Case-insensitive matching
- Wrapped error handling
- False positive prevention
- Edge cases (nil, empty errors)

Error Detection Logic

The detection function checks for errors containing all three key components:

"showsecrets" (case-insensitive)
"organization" (case-insensitive)
"not allowed" (case-insensitive)

This ensures precise matching while avoiding false positives from other organization or secrets-related errors.

Testing

Unit Tests

go test -v ./cloud/environment
# All 16 test cases pass, including comprehensive error detection scenarios

End-to-End Testing

Tested with real deployment ID that triggers the permission error:

./astro dev start --deployment-id cmf4jvuwd3a7u01p561iekhzn
# ✅ Enhanced error message displays correctly
# ✅ Provides clear actionable guidance
# ✅ Explains the setting location and purpose

### Code Quality - ✅ All linter checks pass (gofumpt, golangci-lint) - ✅ Follows Go error handling conventions - ✅ Maintains backward compatibility

This enhancement transforms a confusing technical error into helpful user guidance, improving the developer experience for users setting up local Airflow development with Astro deployments.