I have an application using Java Spring Boot, and I have already given my Managed Identity access to the Key Vault.
When I try to set a new secret using the Java code, I get the error below:
"message":"Failed to set secret - secret-name \nStatus code 401, "{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

public void setAzureTokens() {
    try {
        // Build the client with the default credential chain (managed identity on Azure).
        SecretClient secretClient = new SecretClientBuilder()
                .vaultUrl(keyVaultUri)
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
        // Create or update the secret; this is the call that fails with 401 / AKV10032.
        secretClient.setSecret(new KeyVaultSecret(key, value));
    } catch (Exception e) {
        LOG.error("Error during token update", e);
    }
}
Do I need to set any information about the tenant, client ID, or my Managed Identity in application.properties?
CodePudding user response:
This is a cross-tenant issue, as said by @Alex, i.e. this problem arises for those who have access to multiple Azure AD tenants, when the library accessing the Key Vault endpoint cannot decide which credentials to authenticate you with.
The solution is to tell the DefaultCredentialProvider which tenant to use, which can be done with the options you pass in DefaultAzureCredentialOptions().
using System;
using Azure.Identity;
using Microsoft.Extensions.Configuration; // AddAzureKeyVault comes from Azure.Extensions.AspNetCore.Configuration.Secrets
var o = new DefaultAzureCredentialOptions();
o.VisualStudioTenantId = preConfig["AzureTenantId"]; // pin the tenant so the credential chain does not pick another one
configurationBuilder.AddAzureKeyVault(new Uri(preConfig["KeyVaultName"]), new DefaultAzureCredential(o));
Or, you can set AZURE_TENANT_ID as an environment variable, as described here: Azure Key Vault Secret client library for Java | Microsoft Docs
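The answer's snippet is C#; the same tenant pinning on the Java side of the question goes through DefaultAzureCredentialBuilder, whose tenantId() and managedIdentityClientId() setters tell the credential chain which tenant and which user-assigned identity to use instead of letting it guess. The following is an added example, not code from the original question or answer. The application.properties keys (azure.keyvault.uri, azure.tenant-id, azure.managed-identity.client-id) are assumed names, and the 401 branch in the catch block is only a diagnostic hint derived from the AKV10032 message quoted in the question.

```java
import com.azure.core.exception.HttpResponseException;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

/** Writes secrets to Key Vault with a credential pinned to one tenant (added example). */
@Component
public class KeyVaultSecretWriter {

    private static final Logger LOG = LoggerFactory.getLogger(KeyVaultSecretWriter.class);

    private final SecretClient secretClient;

    public KeyVaultSecretWriter(
            // Assumed property names; put them in application.properties, e.g.
            //   azure.keyvault.uri=https://<vault-name>.vault.azure.net/
            //   azure.tenant-id=<GUID of the tenant that granted the vault access>
            //   azure.managed-identity.client-id=<client ID of the user-assigned identity; leave empty for system-assigned>
            @Value("${azure.keyvault.uri}") String keyVaultUri,
            @Value("${azure.tenant-id}") String tenantId,
            @Value("${azure.managed-identity.client-id:}") String managedIdentityClientId) {

        DefaultAzureCredentialBuilder builder = new DefaultAzureCredentialBuilder()
                // Pin the tenant: AKV10032 "Invalid issuer" means the token was issued by a
                // tenant the vault does not trust, so do not let the chain pick one itself.
                .tenantId(tenantId);
        if (!managedIdentityClientId.isBlank()) {
            // Several user-assigned identities on the host: name the one that has vault access.
            builder.managedIdentityClientId(managedIdentityClientId);
        }
        DefaultAzureCredential credential = builder.build();

        this.secretClient = new SecretClientBuilder()
                .vaultUrl(keyVaultUri)
                .credential(credential)
                .buildClient();
    }

    /** Stores value under name; returns the version Key Vault assigned, or null on failure. */
    public String setSecret(String name, String value) {
        try {
            KeyVaultSecret stored = secretClient.setSecret(new KeyVaultSecret(name, value));
            return stored.getProperties().getVersion();
        } catch (HttpResponseException e) {
            // A 401 here is the symptom from the question: the token's issuer does not match the vault's tenant.
            if (e.getResponse() != null && e.getResponse().getStatusCode() == 401) {
                LOG.error("Key Vault rejected the token for secret '{}': check that azure.tenant-id is the vault's tenant", name, e);
            } else {
                LOG.error("Failed to set secret '{}'", name, e);
            }
            return null;
        }
    }
}
```

If you prefer the environment-variable route from the answer, leave tenantId() unset and export AZURE_TENANT_ID (and AZURE_CLIENT_ID for a user-assigned identity) on the host; the builder reads those when the setters are not called. Either way, the tenant you pin must be the one whose access policy or RBAC assignment covers the managed identity, otherwise the issuer check still fails.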