azure-cli: AKV10032: Invalid issuer error for listing of key vault secrets from nondefault tenant subscription

Describe the bug

Command Name az keyvault secret list

Errors:

AKV10032: Invalid issuer. Expected one of https://sts.windows.net/<nondefault tenant>/, found https://sts.windows.net/<default tenant>/.

To Reproduce:

Steps to reproduce the behavior.

  • az login // login with one tenant
  • az login // login with second tenant
  • az account list // verify multiple subscriptions exist with different tenants
  • az keyvault secret list --subscription <subscription from nondefault tenant> --vault-name {} --query '[].id'

Expected Behavior

Secret ids are printed.

Environment Summary

Windows-10-10.0.18362-SP0
Python 3.6.6
Shell: powershell.exe

azure-cli 2.0.80

Additional Context

  • az account list
[
  {
    "cloudName": "AzureCloud",
    "id": "<default subscription>",
    "isDefault": true,
    "name": "Visual Studio Enterprise with MSDN",
    "state": "Enabled",
    "tenantId": "<default tenant>",
    "user": {
      "name": "<email>",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "id": "<subscription from nondefault tenant>",
    "isDefault": false,
    "name": "Visual Studio Enterprise",
    "state": "Enabled",
    "tenantId": "<nondefault tenant>",
    "user": {
      "name": "<email>",
      "type": "user"
    }
  }
]

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 12
  • Comments: 33 (5 by maintainers)

Most upvoted comments

A solution I’ve found for both Core/Classic .NET frameworks was to set an AZURE_TENANT_ID env var or set the value via credential options:

var o = new DefaultAzureCredentialOptions();
o.VisualStudioTenantId = preConfig["AzureTenantId"];
configurationBuilder.AddAzureKeyVault(new Uri(preConfig["KeyVaultName"]), new DefaultAzureCredential(o));

.NET Classic MicrosoftConfigurationBuilders don’t seem to accept options, though. https://github.com/aspnet/MicrosoftConfigurationBuilders/blob/main/src/Azure/AzureKeyVaultConfigBuilder.cs#L93 Env var was the only option that worked…

I have the same issue; it works when I use sdk3:

var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(
        azureServiceTokenProvider.KeyVaultTokenCallback));
builder.AddAzureKeyVault(
    keyVaultEndpoint, keyVaultClient, new DefaultKeyVaultSecretManager());

But this one doesn’t work: client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

@yungezz please mark this as a bug. There is a key and it’s not working properly; it’s not a feature request.

I am receiving this error even on the default subscription.

az account show
{
  "environmentName": "AzureCloud",
  "homeTenantId": "REDACTED",
  "id": "REDACTED",
  "isDefault": true,
  "managedByTenants": [
    {
      "tenantId": "REDACTED"
    }
  ],
  "name": "Enterprise Dev/Test",
  "state": "Enabled",
  "tenantId": "REDACTED",
  "user": {
    "name": "REDACTED",
    "type": "user"
  }
}
az keyvault secret list --vault-name keyvault-test
AKV10032: Invalid issuer. Expected one of https://sts.windows.net/ab8cb611-0add-432b-9975-ae87e1ebe6f7/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, found https://sts.windows.net/71fdf23f-162c-4ca1-a83b-7a68e8b5ea85/.

The keyvault-test keyvault is in the default subscription listed above. I am certain that this used to work.

az version
{
  "azure-cli": "2.11.1",
  "azure-cli-core": "2.11.1",
  "azure-cli-telemetry": "1.0.5",
  "extensions": {}
}

That being said, if you set the sub as default just before, it works, so:

az account set --subscription {SubID}
az keyvault secret list --vault-name myVault
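A small diagnostic helper, added here and not part of the issue or of azure-cli itself, that parses the AKV10032 message and the `az account list` JSON to find which logged-in subscription sits in a tenant the vault accepts, and then emits the `az account set` workaround from the comment above (or an `az login --tenant` if no such subscription is logged in). The error text, account list and tenant IDs are constructed samples in the shape shown in this thread.

```python
import json
import re

# Constructed AKV10032 message in the shape quoted above (tenant IDs are made up).
SAMPLE_ERROR = (
    "AKV10032: Invalid issuer. Expected one of "
    "https://sts.windows.net/22222222-2222-2222-2222-222222222222/, "
    "https://sts.windows.net/33333333-3333-3333-3333-333333333333/, "
    "found https://sts.windows.net/11111111-1111-1111-1111-111111111111/."
)

# Constructed `az account list` output (same fields as in the issue, values made up).
SAMPLE_ACCOUNTS = json.dumps([
    {"id": "sub-default", "isDefault": True, "name": "Visual Studio Enterprise with MSDN",
     "tenantId": "11111111-1111-1111-1111-111111111111"},
    {"id": "sub-other", "isDefault": False, "name": "Visual Studio Enterprise",
     "tenantId": "22222222-2222-2222-2222-222222222222"},
])

# An issuer URL carries the tenant GUID as its only path segment.
ISSUER_RE = re.compile(r"https://sts\.windows\.net/([0-9a-fA-F-]{36})/")


def parse_akv10032(message):
    """Return (expected_tenant_ids, found_tenant_id) from an AKV10032 message."""
    head, sep, tail = message.partition("found ")
    if not message.startswith("AKV10032") or not sep:
        raise ValueError("not an AKV10032 invalid-issuer message")
    expected = ISSUER_RE.findall(head)   # tenants the vault accepts tokens from
    found = ISSUER_RE.findall(tail)      # tenant that actually issued the token
    if not expected or len(found) != 1:
        raise ValueError("could not extract issuers from message")
    return expected, found[0]


def matching_subscriptions(accounts_json, expected_tenants):
    """Subscriptions from `az account list` whose tenant the vault accepts."""
    wanted = {t.lower() for t in expected_tenants}
    return [a for a in json.loads(accounts_json) if a["tenantId"].lower() in wanted]


def suggest_fix(message, accounts_json):
    """Build the thread's workaround: switch the active subscription into an accepted tenant."""
    expected, _found = parse_akv10032(message)
    matches = matching_subscriptions(accounts_json, expected)
    if not matches:
        # Nothing logged in under an accepted tenant, so a tenant-scoped login is needed first.
        return ["az login --tenant " + expected[0]]
    return ["az account set --subscription " + m["id"] for m in matches]
```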

I don’t get this error in powershell with AZ CLI (e.g. listing the secrets from the keyvault). I get this error running code from Visual Studio: .AddAzureKeyVault(keyVaultUri, new DefaultAzureCredential(true)) (browser window popping up) and the same error with: .AddAzureKeyVault(keyVaultUri, new SharedTokenCacheCredential("my.email@company.com"))

I have logged in and out in VS (2019), the Azure Service Authentication under Tools > Options looks good

It’s working when using the old nuget (Microsoft.Extensions.Configuration.AzureKeyVault 3.1.14) - without supplying any credentials.

Maybe I should add that I have multiple accounts on Azure Portal, but am only logged in to the one referred to above. I also have multiple subscriptions.

az keyvault storage list --vault-name <Vault Name> doesn’t work, neither with --subscription <sub> nor without --subscription.

Azure cli version: 2.0.75

For the people running into this even when the subscription ID is set correctly, you should check the --vault-name for typos. You may be trying to talk to the wrong Key Vault (that’s what happened in my case).

The day a bug becomes a feature request. (I can confirm this bug, it is still on-going)

Can confirm this also happens with InteractiveBrowserCredential. Trying to access a keyvault with my work account which is permitted in azure to access the keyvault. Pretty sure the keyvault I am trying to access resides in a non-default azure subscription.

Our deployment is blocked due to the same error code

2020-03-12T19:23:08.4378500Z Operation Info: 2020-03-12T19:23:08.4386094Z Start Time: 03/12/2020 19:22:40 2020-03-12T19:23:08.4392880Z End Time: 03/12/2020 19:22:40 2020-03-12T19:23:08.4439932Z Error Reason: Error in ‘payloadProperties’ for extension ‘Microsoft.Azure.Portal.HostingService/DeployPortalExtension’. Error Message: Rollout action failed. Please check the help link for more information. 2020-03-12T19:23:08.4442589Z AKV10032: Invalid issuer. Expected one of …

@t3mi This is a cross-tenants issue. I believe it’s similar to #7607; the parameter --subscription seems broken now as we are facing some complicated cross-tenants problems, so please avoid using this parameter as a workaround. For more info, please refer to: #7902