Java on Azure - Unable to retrieve password from keyvault - ERROR: AKV10032: Invalid issuer

Kohei Saito 1 Reputation point Microsoft Employee
2022-03-19T06:20:44.337+00:00

I got this error.

2022-03-19 15:11:39.503  WARN 129984 --- [ctor-http-nio-1] c.a.s.k.secrets.SecretAsyncClient        : Failed to get secret - storageaccountconnectionstring
Status code 401, "{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/<REDACTED>/, https://sts.windows.net/<REDACTED>/, https://sts.windows.net/<REDACTED>/, found https://sts.windows.net/<REDACTED>/."}}"
2022-03-19 15:11:39.504  WARN 129984 --- [nio-8080-exec-3] c.k.j.U.r.GetConnectionStringRepository  : com.azure.core.exception.HttpResponseException: Status code 401, "{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/<REDACTED>/, https://sts.windows.net/<REDACTED>/, https://sts.windows.net/<REDACTED>/, found https://sts.windows.net/<REDACTED>/."}}"
2022-03-19 15:11:39.535 ERROR 129984 --- [nio-8080-exec-3] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Handler dispatch failed; nested exception is java.lang.Error: Get connectionstring operation has failed.] with root cause

I'm using the Java SDK and wrote the code below.

package com.kohei3110.javaonazureblobdemo.UploadBlob.repository;

import java.util.logging.Logger;

import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

public class GetConnectionStringRepository {
    private static final String SECRET_NAME = "storageaccountconnectionstring";
    private static final String keyVaultName = "kvjavaonazureblobdemo";

    private String keyVaultUri = "https://" + keyVaultName + ".vault.azure.net";

    Logger logger = Logger.getLogger(GetConnectionStringRepository.class.getName());
    String connectionString = "";

    public String getConnectionString() {
        try {
            DefaultAzureCredential defaultAzureCredential = buildCredential();
            SecretClient secretClient = buildSecretClient(defaultAzureCredential);
            KeyVaultSecret secret = secretClient.getSecret(SECRET_NAME);
            String connectionString = secret.getValue();
            return connectionString;
        } catch (Exception e) {
            logger.warning(e.toString());
            throw new Error("Get connectionstring operation has failed.");
        }
    }

    private DefaultAzureCredential buildCredential() {
        DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder()
            .build();
        return defaultAzureCredential;
    }

    private SecretClient buildSecretClient(DefaultAzureCredential defaultAzureCredential) {
        SecretClient secretClient = new SecretClientBuilder()
            .vaultUrl(keyVaultUri)
            .credential(defaultAzureCredential)
            .buildClient();
        return secretClient;
    }
}

Also, I set environment variables.

export AZURE_CLIENT_ID=xxxxx
export AZURE_CLIENT_SECRET=xxxxxx
export AZURE_TENANT_ID=xxxxx

1 answer

  1. Siva-kumar-selvaraj 15,606 Reputation points
    2022-03-23T19:29:45.613+00:00

    Thanks for reaching out.

    Could you please verify that both the user/service principal and the vault are in the same tenant? If you are using a Managed Identity, you should verify that the Managed Identity is in the same tenant as the vault. Here is a similar thread for your reference: https://learn.microsoft.com/en-us/answers/questions/714417/unable-to-retrieve-password-from-keyvault-error-ak.html

    Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

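The tenant check suggested in the answer can be done from the application side by comparing the `iss` claim of the token the credential obtained with the issuers listed in the AKV10032 message. The following is an added example, not code from the thread or from the Azure SDK; the class name, tenant IDs and token are constructed for illustration, and the token is only inspected, its signature is not verified.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class Akv10032IssuerCheck {
    private static final Pattern ISSUER = Pattern.compile("https://sts\\.windows\\.net/([^/\\s,\"]+)/");
    private static final Pattern ISS_CLAIM = Pattern.compile("\"iss\"\\s*:\\s*\"([^\"]+)\"");

    /** Tenant IDs the vault accepts, taken from the "Expected one of ..." part of the message. */
    static List<String> expectedTenants(String akvMessage) {
        int found = akvMessage.lastIndexOf("found ");
        if (found < 0) throw new IllegalArgumentException("not an AKV10032 message");
        List<String> ids = new ArrayList<>();
        Matcher m = ISSUER.matcher(akvMessage.substring(0, found));
        while (m.find()) ids.add(m.group(1));
        return ids;
    }

    /** Tenant ID from the token's iss claim. Inspection only: the signature is not verified. */
    static String tokenTenant(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) throw new IllegalArgumentException("not a JWT");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher claim = ISS_CLAIM.matcher(payload);
        if (!claim.find()) throw new IllegalArgumentException("no iss claim");
        Matcher iss = ISSUER.matcher(claim.group(1).replace("\\/", "/"));
        if (!iss.find()) throw new IllegalArgumentException("unexpected issuer format");
        return iss.group(1);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        String appTenant = "11111111-1111-1111-1111-111111111111";
        String vaultTenant = "22222222-2222-2222-2222-222222222222";
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String payload = "{\"aud\":\"https://vault.azure.net\",\"iss\":\"https://sts.windows.net/" + appTenant + "/\"}";
        String jwt = b64.encodeToString("{\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8)) + "."
                + b64.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".constructed";
        String error = "AKV10032: Invalid issuer. Expected one of https://sts.windows.net/" + vaultTenant
                + "/, found https://sts.windows.net/" + appTenant + "/.";
        String tenant = tokenTenant(jwt);
        List<String> accepted = expectedTenants(error);
        System.out.println("token tenant:  " + tenant + "\nvault accepts: " + accepted);
        System.out.println(accepted.contains(tenant) ? "issuer accepted" : "tenant mismatch: compare AZURE_TENANT_ID with the vault's tenant");
    }
}
```

In a real run the token string would come from the same credential the `SecretClient` uses, and the message from the logged 401 response. Treat the decoded token as a secret and keep it out of logs.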