how to get key info from other tenant

Siqing Zheng 90 Reputation points
2024-05-08T01:55:48.3233333+00:00

Hi
according to this article: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal

I want do a validation by get the key info with the cross tenant application or the user-assigned identity. How to do that?

I tried use golang `

client.GetKey(...

but it's error
RESPONSE 401: 401 Unauthorized

ERROR CODE: Unauthorized

--------------------------------------------------------------------------------

{

"error": {

"code": "Unauthorized",

"message": "AKV10032: Invalid issuer. Expected one of https://sts.windows.net/...

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,147 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Akshay-MSFT 16,436 Reputation points Microsoft Employee
    2024-05-08T16:44:14.43+00:00

    @Siqing Zheng

    Thank for your time and patience. I was able to test through this in my lab and found the following:

    The details about the key can't be fetched using managed Identity or service principal as both have dependencies and authorization token cannot be fetched using managed Identity credential library:

    I got the following error while trying the same, seems like this is a preventive limitation to avoid any intrusion to customer's tenant hosting CMK.

    User's image

    ImdsCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
    ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
    

    On the contrary I used the CLI and got the details about the version, name and the URI of the vault:

    az storage account show --name akshaycmk --resource-group AzureLabService --query encryption
    
    
    

    User's image

    Assuming this is what you were looking for please do let me know if you have any further queries.

    Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik


  2. Ethan-9463 0 Reputation points
    2024-05-20T09:27:31.23+00:00

    Hi,

    Any update on this?

    I have a very similar issue, using Golang SDK.

    Thanks.