
Invalid Issuer when connecting to Azure Key Vault

Alastair Grant | Tuesday 1 February 2022

I recently had to load a certificate from an Azure Key Vault and hit an error when retrieving via Visual Studio:

AKV10032: Invalid issuer. Expected one of https://sts.windows.net/xxx/, found https://sts.windows.net/yyy/.
Status: 401 (Unauthorized)

This felt a bit strange, as I had the correct URL for the key vault and permissions for it. I was using the DefaultAzureCredential, which gathers credentials from a number of different sources in turn; when running under Visual Studio, it uses the Azure account currently signed in to the IDE.

The problem arises for people with access to multiple Azure AD tenancies (which seem far too easy to collect). The Visual Studio account is signed in to one tenancy, so the token it hands to the Key Vault library is issued by that tenancy's STS, while the vault expects a token issued by its own tenancy. The library cannot decide on its own which tenancy to authenticate you against.

The solution is to tell the DefaultAzureCredential which tenancy to use. This can be done through the options object that you pass into its constructor, something like this:

using Azure.Identity;

// Pin the tenancy used by the developer-machine credential sources
// (Visual Studio and VS Code) so the token is issued by the vault's tenancy.
// this.tenantId and this.managedIdentityId are fields of the enclosing class.
var azCredentialOptions = new DefaultAzureCredentialOptions()
{
    VisualStudioCodeTenantId = this.tenantId,
    VisualStudioTenantId = this.tenantId,
    // Selects the user-assigned managed identity when running in Azure.
    ManagedIdentityClientId = this.managedIdentityId,
};

azCredentialOptions can then be passed into the constructor of the DefaultAzureCredential class.
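The fix, carried through to actually loading a certificate, as an added example (not code from the original post). It assumes the Azure.Identity and Azure.Security.KeyVault.Certificates packages, reads the tenant ID and vault URL from the environment variables AZURE_TENANT_ID and KEY_VAULT_URL (placeholder names chosen here), and uses a certificate name of "my-cert" as a constructed sample. It also pins the shared-token-cache and interactive-browser sources to the same tenancy, since those fall in the same credential chain as the Visual Studio source described above, and surfaces the AKV10032 case so the mismatch is visible in logs rather than a bare 401:

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

public static class KeyVaultCertificateLoader
{
    // Builds a DefaultAzureCredential whose developer-machine sources are all
    // pinned to one tenancy, so the token issuer matches the vault's tenancy.
    public static DefaultAzureCredential BuildCredential(string tenantId, string? managedIdentityClientId)
    {
        var options = new DefaultAzureCredentialOptions
        {
            VisualStudioTenantId = tenantId,
            VisualStudioCodeTenantId = tenantId,
            SharedTokenCacheTenantId = tenantId,
            InteractiveBrowserTenantId = tenantId,
            // Only set when a user-assigned managed identity is in play.
            ManagedIdentityClientId = managedIdentityClientId,
        };
        return new DefaultAzureCredential(options);
    }

    // Downloads a certificate (with private key, if the policy allows export)
    // and reports a tenancy mismatch explicitly instead of a bare 401.
    public static async Task<bool> TryLoadCertificateAsync(Uri vaultUri, string certificateName, DefaultAzureCredential credential)
    {
        var client = new CertificateClient(vaultUri, credential);
        try
        {
            Response<System.Security.Cryptography.X509Certificates.X509Certificate2> response =
                await client.DownloadCertificateAsync(certificateName);
            Console.WriteLine($"Loaded {response.Value.Subject}, thumbprint {response.Value.Thumbprint}");
            return true;
        }
        catch (RequestFailedException ex) when (ex.Status == 401 && ex.Message.Contains("AKV10032"))
        {
            // Token was issued by a different tenancy than the vault expects:
            // check the *TenantId options above match the vault's tenancy.
            Console.Error.WriteLine($"Tenant mismatch against {vaultUri}: {ex.Message}");
            return false;
        }
    }

    public static async Task Main()
    {
        // Placeholder environment variable names chosen for this example.
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID")
            ?? throw new InvalidOperationException("AZURE_TENANT_ID not set");
        string vaultUrl = Environment.GetEnvironmentVariable("KEY_VAULT_URL")
            ?? throw new InvalidOperationException("KEY_VAULT_URL not set");
        string? managedIdentityClientId = Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID");

        var credential = BuildCredential(tenantId, managedIdentityClientId);
        bool ok = await TryLoadCertificateAsync(new Uri(vaultUrl), "my-cert", credential); // constructed sample name
        Environment.Exit(ok ? 0 : 1);
    }
}
```

Pinning every developer-machine source to one tenancy makes the credential chain deterministic: whichever source DefaultAzureCredential picks on a given machine, the issuer in the resulting token is the vault's own tenancy, which is what the AKV10032 check is verifying.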

Breaking from the voyeuristic norms of the Internet, any comments can be made in private by contacting me.