When I authenticate to get access token for Key Vault and attempt to use I get AKV10022: Invalid audience, expected ......

Mark Robertson 6 Reputation points
2021-12-09T01:26:04.017+00:00

1) I register an App with Azure AD which will be known as "markrobertson", Application ID (client) = 77b677b5-XXXXXXXXXXXX

2) I added API permissions for 'markrobertson' for Azure Key Vault.

3) I create a Client secret for 'markrobertson' which we will say is SECRET

My Subscription S1, with ID c65a7e1e-XXXXXXXXXXXXX has a resource group which contains a resource group tv3test which contains a key vault 'tv3test'

I have added access policies for my 'tv3test' vault for 'markrobertson'

I authenticate to https://login.microsoftonline.com/c65a7e1e-XXXXXXXXX/oauth2/v2.0/token
and provide associated body which is x-www-form-urlencoded
grant_type=client_credentials&client_id=77b677b5-XXXXXXXXXXX&client_secret=SECRET&scope=https://vault.azure.net/.default

and I get an access token back.

When I attempt to use the token with a request to GET https://tv3test.vault.azure.net/keyName providing the token via Authorization: Bearer access_token

I receive in return:
{
"error": {
"code": "Unauthorized",
"message": "AKV10022: Invalid audience. Expected https://vault.azure.net, found: 00000002-0000-0000-c000-000000000000."
}
}

I am attempting to follow the instructions numerous folks have provided for using postman automation such as: https://www.c-sharpcorner.com/article/how-to-access-azure-key-vault-secrets-through-rest-api-using-postman/ as well as https://blog.jongallant.com/2021/02/azure-rest-apis-postman-2021/.

I have exhausted the documentation from Azure attempting to identify what MAY be the issue with no result.


1 answer

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator
    2021-12-09T18:03:15.157+00:00

    @Mark Robertson
    Thank you for your post!

    Based off your error message - Invalid audience. Expected https://vault.azure.net, found: 00000002-0000-0000-c000-000000000000 and issue description, it looks like you're using the correct scope of https://vault.azure.net/.default. When calling the Get Secrets REST API from my Postman environment, I didn't run into any issues, but was able to re-produce a similar error message as yours.

    Get Key Vault Access Token:
    POST https://login.microsoftonline.com/{{tenantId}}/oauth2/v2.0/token
    Scope - https://vault.azure.net/.default
    Grant Type - client_credentials

    Verify your Access Token:
    Using https://jwt.ms/ -> Paste your Access Token into the "Enter Token Below" window. -> Confirm the audience is https://vault.azure.net.

    Get Secret:
    GET https://<<Vaultname>>.vault.azure.net/secrets/testSecret?api-version=7.1
    Header - Key: Authorization // Value: Bearer <<access_token value>>

    Note - I created a similar error message by using the scope management.azure.com rather than vault.azure.net.

    I hope this helps!

    If you have any other questions or are still having issues, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
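The answer above boils down to two checks: request the token with the scope https://vault.azure.net/.default, then confirm the aud claim of the token you got back is https://vault.azure.net before sending it to the vault. The script below is an added example written for this page; it is not code from the thread, from Microsoft, or from the Postman guides linked in the question. It builds the token request body in the same shape the question uses, decodes the JWT payload locally the way jwt.ms does, and reports whether Key Vault would accept the audience. The tokens it inspects are constructed, unsigned JWTs so the example runs offline; the tenant and client IDs are placeholders, and the audience check only reads the claim, it does not validate the signature (Key Vault does that on the server side).

```python
import base64
import json
from urllib.parse import urlencode

# Audience Key Vault expects, as stated in the AKV10022 error message.
EXPECTED_AUDIENCE = "https://vault.azure.net"
TOKEN_SCOPE = "https://vault.azure.net/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, x-www-form-urlencoded body) for the v2.0 client_credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,  # wrong scope here is what produces AKV10022 later
    })
    return url, body


def build_secret_url(vault_name, secret_name, api_version="7.1"):
    """Data-plane URL for reading a secret, matching the answer's GET template."""
    return f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version={api_version}"


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Decode the payload of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_key_vault_audience(token, expected=EXPECTED_AUDIENCE):
    """Pre-flight check: would Key Vault accept this token's audience?

    Returns (ok, message). 'aud' may be a string or, per the JWT spec, a list.
    """
    aud = decode_jwt_claims(token).get("aud")
    accepted = expected in aud if isinstance(aud, list) else aud == expected
    if accepted:
        return True, f"audience OK: {expected}"
    return False, f"Invalid audience. Expected {expected}, found: {aud}"


def make_constructed_token(aud):
    """Constructed, unsigned token (alg=none) for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "aud": aud,
        "iss": "https://sts.windows.net/<tenant-id-placeholder>/",
        "appid": "<client-id-placeholder>",
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",  # empty signature segment
    ])


if __name__ == "__main__":
    url, body = build_token_request("<tenant-id-placeholder>", "<client-id-placeholder>", "SECRET")
    print("POST", url)
    print(body)
    # A token minted for the vault scope passes; one minted for another
    # resource fails with the same wording the vault returns.
    for aud in (EXPECTED_AUDIENCE, "00000002-0000-0000-c000-000000000000"):
        ok, msg = check_key_vault_audience(make_constructed_token(aud))
        print("PASS" if ok else "FAIL", "-", msg)
    print("GET", build_secret_url("tv3test", "testSecret"))
```

Run the audience check on the real access_token string before the GET; if it fails, the fix is in the token request (the scope, or the v1 resource parameter if you are using the v1.0 endpoint), not in the vault's access policy.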

