docs: user guide on error handling

Author: coryan

Cargo.lock

@@ -28,7 +28,8 @@ categories.workspace = true
 name = "getting_started"
 
 [dependencies]
-tokio = { version = "1", features = ["full", "macros"] }
+crc32c = "0.6"
+tokio  = { version = "1", features = ["full", "macros"] }
 # ANCHOR: longrunning
 google-cloud-longrunning = { version = "0.22", path = "../../src/generated/longrunning" }
 # ANCHOR_END: longrunning

guide/samples/Cargo.toml

@@ -0,0 +1,120 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Examples showing how to handle errors.
+
+use google_cloud_gax as gax;
+use google_cloud_secretmanager_v1 as sm;
+
+// ANCHOR: update-secret
+pub async fn update_secret(
+    project_id: &str,
+    secret_id: &str,
+    data: Vec<u8>,
+) -> crate::Result<sm::model::SecretVersion> {
+    // ANCHOR: update-secret-client
+    let client = sm::client::SecretManagerService::builder().build().await?;
+    // ANCHOR_END: update-secret-client
+
+    // ANCHOR: update-secret-initial-attempt
+    match update_attempt(&client, project_id, secret_id, data.clone()).await {
+        // ANCHOR_END: update-secret-initial-attempt
+        // ANCHOR: update-secret-success
+        Ok(version) => {
+            println!("new version is {}", version.name);
+            Ok(version)
+        }
+        // ANCHOR_END: update-secret-success
+        // ANCHOR: update-secret-svc-error
+        Err(e) => {
+            if let Some(svc) = e.as_inner::<gax::error::ServiceError>() {
+                // ANCHOR_END: update-secret-svc-error
+                // ANCHOR: update-secret-not-found
+                if is_not_found(svc) {
+                    // ANCHOR_END: update-secret-not-found
+                    // ANCHOR: update-secret-create
+                    let _ = create_secret(&client, project_id, secret_id).await?;
+                    // ANCHOR_END: update-secret-create
+                    // ANCHOR: update-secret-try-again
+                    let version = update_attempt(&client, project_id, secret_id, data).await?;
+                    println!("new version is {}", version.name);
+                    return Ok(version);
+                    // ANCHOR: update-secret-try-again
+                }
+            }
+            Err(e.into())
+        }
+    }
+}
+// ANCHOR_END: client-retry
+
+// ANCHOR: examine-error
+pub fn is_not_found(error: &gax::error::ServiceError) -> bool {
+    let status = error.status();
+    status.code == 404 || status.code == gax::error::rpc::Code::NotFound as i32
+}
+// ANCHOR_END: examine-error
+
+// ANCHOR: update-attempt
+async fn update_attempt(
+    client: &sm::client::SecretManagerService,
+    project_id: &str,
+    secret_id: &str,
+    data: Vec<u8>,
+) -> gax::Result<sm::model::SecretVersion> {
+    let checksum = crc32c::crc32c(&data) as i64;
+    client
+        .add_secret_version(format!("projects/{project_id}/secrets/{secret_id}"))
+        .set_payload(
+            sm::model::SecretPayload::new()
+                .set_data(data)
+                .set_data_crc32c(checksum),
+        )
+        .send()
+        .await
+}
+// ANCHOR_END: update-attempt
+
+// ANCHOR: create-secret
+pub async fn create_secret(
+    client: &sm::client::SecretManagerService,
+    project_id: &str,
+    secret_id: &str,
+) -> gax::Result<sm::model::Secret> {
+    use google_cloud_gax::options::RequestOptionsBuilder;
+    use google_cloud_gax::retry_policy::AlwaysRetry;
+    use google_cloud_gax::retry_policy::RetryPolicyExt;
+    use std::time::Duration;
+
+    client
+        .create_secret(format!("projects/{project_id}"))
+        .with_retry_policy(
+            AlwaysRetry
+                .with_attempt_limit(5)
+                .with_time_limit(Duration::from_secs(15)),
+        )
+        .set_secret_id(secret_id)
+        .set_secret(
+            sm::model::Secret::new()
+                .set_replication(sm::model::Replication::new().set_replication(
+                    sm::model::replication::Replication::Automatic(
+                        sm::model::replication::Automatic::new().into(),
+                    ),
+                ))
+                .set_labels([("integration-test", "true")]),
+        )
+        .send()
+        .await
+}
+// ANCHOR_END: create-secret

guide/samples/src/error_handling.rs

@@ -17,6 +17,7 @@
 
 pub type Result<T> = std::result::Result<T, Box<dyn std::error::Error>>;
 
+pub mod error_handling;
 pub mod lro;
 pub mod polling_policies;
 pub mod retry_policies;

guide/samples/src/lib.rs

@@ -74,11 +74,7 @@ mod driver {
 
     #[tokio::test(flavor = "multi_thread")]
     async fn retry_policies_request() -> user_guide_samples::Result<()> {
-        use google_cloud_gax::options::RequestOptionsBuilder;
-        use google_cloud_gax::retry_policy::AlwaysRetry;
-        use google_cloud_gax::retry_policy::RetryPolicyExt;
         use google_cloud_secretmanager_v1 as sm;
-        use std::time::Duration;
 
         let project_id = std::env::var("GOOGLE_CLOUD_PROJECT").unwrap();
         let secret_id: String = rand::rng()
@@ -91,26 +87,49 @@ mod driver {
         // The sample will delete this secret. If that fails, the cleanup step
         // for the integration tests will garbage collect it in a couple of
         // days.
-        let _ = client
-            .create_secret(format!("projects/{project_id}"))
+        let _ = user_guide_samples::error_handling::create_secret(&client, &project_id, &secret_id)
+            .await?;
+        user_guide_samples::retry_policies::request_retry(&client, &project_id, &secret_id).await
+    }
+
+    #[tokio::test]
+    async fn error_handling() -> user_guide_samples::Result<()> {
+        use google_cloud_gax::retry_policy::AlwaysRetry;
+        use google_cloud_gax::retry_policy::RetryPolicyExt;
+        use google_cloud_secretmanager_v1 as sm;
+        use std::time::Duration;
+
+        let project_id = std::env::var("GOOGLE_CLOUD_PROJECT").unwrap();
+        let secret_id: String = rand::rng()
+            .sample_iter(&Alphanumeric)
+            .take(SECRET_ID_LENGTH)
+            .map(char::from)
+            .collect();
+
+        let client = sm::client::SecretManagerService::builder()
             .with_retry_policy(
                 AlwaysRetry
                     .with_attempt_limit(5)
                     .with_time_limit(Duration::from_secs(15)),
             )
-            .set_secret_id(&secret_id)
-            .set_secret(
-                sm::model::Secret::new()
-                    .set_replication(sm::model::Replication::new().set_replication(
-                        sm::model::replication::Replication::Automatic(
-                            sm::model::replication::Automatic::new().into(),
-                        ),
-                    ))
-                    .set_labels([("integration-test", "true")]),
-            )
+            .build()
+            .await?;
+        // The secret is immediately deleted. If that fails, the cleanup step
+        // for the integration tests will garbage collect it in a couple of
+        // days.
+        let _ = user_guide_samples::error_handling::create_secret(&client, &project_id, &secret_id)
+            .await?;
+        let version = user_guide_samples::error_handling::update_secret(
+            &project_id,
+            &secret_id,
+            "The quick brown fox jumps over the lazy dog".into(),
+        )
+        .await?;
+        let _ = client.destroy_secret_version(&version.name).send().await?;
+        let _ = client
+            .delete_secret(format!("projects/{project_id}/secrets/{secret_id}"))
             .send()
             .await?;
-
-        user_guide_samples::retry_policies::request_retry(&client, &project_id, &secret_id).await
+        Ok(())
     }
 }

guide/samples/tests/driver.rs

@@ -21,6 +21,7 @@ limitations under the License.
 - [Setting up Rust on Cloud Shell](setting_up_rust_on_cloud_shell.md)
 - [How to initialize a client](initialize_a_client.md)
 - [Configuring retry policies](configuring_retry_policies.md)
+- [Error Handling](error_handling.md)
 - [Working with long-running operations](working_with_long_running_operations.md)
 - [Configuring polling policies](configuring_polling_policies.md)
 - [How to write tests using a client](mock_a_client.md)

guide/src/SUMMARY.md

@@ -0,0 +1,117 @@
+<!-- 
+Copyright 2025 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Error Handling
+
+Sometimes applications need to branch based on the type and details of the
+error returned by the client library. This guide will show you how to write
+code to handle such errors.
+
+> **Retryable errors:** one of the most common reasons to handle
+> errors in distributed systems is to retry requests that fail due to transient
+> errors. The Google Cloud client libraries for Rust implement a policy-based
+> retry loop. You only need to configure the policies to enable the retry loop,
+> and the libraries implement common retry policies. Consult the
+> [Configuring Retry Policies] section before implementing your own retry loop.
+
+## Prerequisites
+
+The guide uses the [Secret Manager] service, that makes the examples more
+concrete and therefore easier to follow. With that said, the same ideas work for
+any other service.
+
+You may want to follow the service [quickstart]. This guide will walk you
+through the steps necessary to enable the service, ensure you have logged in,
+and that your account has the necessary permissions.
+
+### Dependencies
+
+As it is usual with Rust, you must declare the dependency in your
+`Cargo.toml` file. We use:
+
+```toml
+{{#include ../samples/Cargo.toml:secretmanager}}
+```
+
+## Motivation
+
+In this guide we will create a new *secret version*. Secret versions are
+contained in *secrets*. One must create the secret before creating secret
+versions. A common pattern in cloud services is to use a resource as-if the
+container for it existed, and only create the container if there is an error.
+If the container exists most of the time, such an approach is more efficient
+than checking if the container exists before making the request. Checking if
+the container exists consumes more quota, results in more RPC charges, and is
+slower when the container already exists.
+
+## Handling the error
+
+First make an attempt to create a new secret version:
+
+```rust,ignore
+{{#include ../samples/src/error_handling.rs:update-secret-initial-attempt}}
+```
+
+If this succeeds, we can just print the successful result and return:
+
+```rust,ignore
+{{#include ../samples/src/error_handling.rs:update-secret-success}}
+```
+
+The request may have failed for many reasons: because the connection dropped
+before the request was fully sent, or the connection dropped before the response
+was received, or because it was impossible to create the authentication tokens.
+
+The retry policies can deal with most of these errors, here we are interested
+only in errors returned by the service:
+
+```rust,ignore
+{{#include ../samples/src/error_handling.rs:update-secret-svc-error}}
+```
+
+and then only in errors that correspond to a missing secret:
+
+```rust,ignore
+{{#include ../samples/src/error_handling.rs:update-secret-not-found}}
+```
+
+```rust,ignore
+{{#include ../samples/src/error_handling.rs:examine-error}}
+```
+
+If this is a "not found" error, we try to create the secret. This will simply
+return on failures:
+
+```rust,ignore
+{{#include ../samples/src/error_handling.rs:update-secret-create}}
+```
+
+Assuming the creation of the secret is successful, we can try to create the
+secret version again, this time just returning an error if anything fails:
+
+```rust,ignore
+{{#include ../samples/src/error_handling.rs:update-secret-try-again}}
+```
+
+## Error handling: complete code
+
+```rust,ignore
+{{#include ../samples/src/error_handling.rs:update-secret}}
+```
+
+[configuring retry policies]: /configuring_retry_policies.md
+[quickstart]: https://cloud.google.com/secret-manager/docs/quickstart
+[secret manager]: https://cloud.google.com/secret-manager

guide/src/error_handling.md

@@ -246,7 +246,7 @@ async fn run_secret_versions(
         .await?;
     println!("DISABLE_SECRET_VERSION = {disable:?}");
 
-    println!("\nTesting disable_secret_version()");
+    println!("\nTesting enable_secret_version()");
     let enable = client
         .enable_secret_version(&create_secret_version.name)
         .send()