Java on Azure - Unable to retrieve password from keyvault - ERROR: AKV10032: Invalid issuer

Kohei Saito 1 Reputation point Microsoft Employee

I got this error.

2022-03-19 15:11:39.503  WARN 129984 --- [ctor-http-nio-1] c.a.s.k.secrets.SecretAsyncClient        : Failed to get secret - storageaccountconnectionstring
Status code 401, "{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of<REDACTED>/,<REDACTED>/,<REDACTED>/, found<REDACTED>/."}}"
2022-03-19 15:11:39.504  WARN 129984 --- [nio-8080-exec-3] c.k.j.U.r.GetConnectionStringRepository  : Status code 401, "{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of<REDACTED>/,<REDACTED>/,<REDACTED>/, found<REDACTED>/."}}"
2022-03-19 15:11:39.535 ERROR 129984 --- [nio-8080-exec-3] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Handler dispatch failed; nested exception is java.lang.Error: Get connectionstring operation has failed.] with root cause

I'm using Java SDK and writing the below code.

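package com.kohei3110.javaonazureblobdemo.UploadBlob.repository;

import java.util.logging.Logger;

import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

public class GetConnectionStringRepository {
    private static final String SECRET_NAME = "storageaccountconnectionstring";
    private static final String keyVaultName = "kvjavaonazureblobdemo";

    // Vault URI; the host suffix after the vault name is missing from the page as posted.
    private String keyVaultUri = "https://" + keyVaultName + "";

    Logger logger = Logger.getLogger(GetConnectionStringRepository.class.getName());
    String connectionString = "";

    public String getConnectionString() {
        try {
            DefaultAzureCredential defaultAzureCredential = buildCredential();
            SecretClient secretClient = buildSecretClient(defaultAzureCredential);
            KeyVaultSecret secret = secretClient.getSecret(SECRET_NAME);
            String connectionString = secret.getValue();
            return connectionString;
        } catch (Exception e) {
            // Log the Key Vault error and keep it as the cause so it is not lost.
            logger.warning(e.getMessage());
            throw new Error("Get connectionstring operation has failed.", e);
        }
    }

    // DefaultAzureCredential picks up AZURE_CLIENT_ID and AZURE_TENANT_ID from the environment.
    private DefaultAzureCredential buildCredential() {
        DefaultAzureCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();
        return defaultAzureCredential;
    }

    // Build a synchronous client bound to the vault URI and the credential above.
    private SecretClient buildSecretClient(DefaultAzureCredential defaultAzureCredential) {
        SecretClient secretClient = new SecretClientBuilder()
                .vaultUrl(keyVaultUri)
                .credential(defaultAzureCredential)
                .buildClient();
        return secretClient;
    }
}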

Also, I set environment variables.

export AZURE_CLIENT_ID=xxxxx
export AZURE_TENANT_ID=xxxxx

1 answer

  1. Siva-kumar-selvaraj 15,561 Reputation points

    Thanks for reaching out.

    Could you please verify that both the user/service principal and the vault are in the same tenant? If you are using a Managed Identity, you should verify that the Managed Identity is in the same tenant as the vault. Here is a similar thread for your reference:

    Hope this helps.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

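The tenant check suggested in the answer can be done offline by reading the `iss` and `tid` claims of the access token and comparing the issuer with the list printed in the AKV10032 message. The following is an added example, not code from the thread or from the Azure SDK; the class name `IssuerCheck`, the placeholder issuer URLs and the unsigned token are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: offline check of a token's issuer against the issuers a vault accepts.
public class IssuerCheck {

    // Decode the middle (payload) segment of a JWT. No signature check: diagnostic use only.
    static String payloadJson(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a three-part JWT");
        }
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    // Pull one string claim out of the payload; enough for flat claims such as iss and tid.
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    // True when the token's issuer is one of the issuers the vault reports as expected.
    static boolean issuerAccepted(String jwt, List<String> expectedIssuers) {
        return expectedIssuers.contains(claim(payloadJson(jwt), "iss"));
    }

    public static void main(String[] args) {
        // Constructed sample data: placeholder issuers and an unsigned token built here.
        List<String> expected = List.of("https://issuer.example/tenant-of-vault/");
        String payload = "{\"iss\":\"https://issuer.example/other-tenant/\",\"tid\":\"other-tenant\"}";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String jwt = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".sig";

        String json = payloadJson(jwt);
        System.out.println("iss = " + claim(json, "iss") + ", tid = " + claim(json, "tid"));
        System.out.println(issuerAccepted(jwt, expected)
                ? "issuer accepted"
                : "issuer mismatch: the credential signs in to a different tenant than the vault's");
    }
}
```

To check a real case, pass the access token your credential obtains and the issuers listed after "Expected one of" in the error; a mismatch means `AZURE_TENANT_ID` (or the identity in use) points at a tenant other than the vault's.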