AKV10032: Invalid issuer when we try to fetch key-vault information using DefaultCredential()

[dpmragu]

Library name and version

Azure.Identity 1.5.0 & Azure.Security.KeyVault.Secrets 4.20

Query/Question

In the Azure portal, a user is added as a Guest in the Tenant where the key-vault resource resides. In addition, the user has associated with default account tenants.

As per the new Identity Framework, the DefaultCredentials() is used to fetch the secret info from Azure Key-Vault. I got the below error message when it executed from the Visual Studio
AKV10032: Invalid issuer. Expected one of https://sts.windows.net/456***********/, https://sts.windows.net/s38**************/, https://sts.windows.net/e4*****************/, found https://sts.windows.net/080**************************/.
Status: 401 (Unauthorized)
ErrorCode: Unauthorized

Even we tried adding tenantId in the default credentials but no luck. Below is the code that we have used in the VisualStudio code.

var options = new DefaultAzureCredentialOptions { VisualStudioTenantId = "s38*****************" }; var client = new SecretClient(vaultUri: new Uri(keyVaultUrl), new DefaultAzureCredential(options));

But able to access the key-vault information using Azure CLI when followed the below steps

• az login
• az account list
• az account set --subscription "my cloud" ( set with tenant where key-vault resides, in my case which start with s38***********)
• az keyvault secret list --vault-name "my key vault name"

Is there any way to resolve this issue in Visual Studio?

Environment

Visual Studio 2019 16.11.7
Windows 10
.NET Framework 4.6.1

[jsquire]

Thank you for your feedback. Tagging and routing to the team members best able to assist.

[christothes]

Hi @dpmragu -
Can you confirm that the account you are logging into Visual Studio with is the correct account? Just in case it is helpful, the troubleshooting guide outlines how to confirm.

Also, does authenticate work as expected if you allow the AzureCli to authenticate by logging in with az login?

[dpmragu]

Hi @christothes - I followed the troubleshooting guide but got the same error. Here are the few steps that I have done

1. Tools > Options > logout and login again with the same account
2. Navigate to the Visual studio profile icon > Remove all the accounts under "All Accounts" and add again.
3. Deleted the folder from the path %AppData%/Local/.identityService and restarted the VS and logded with the same user

I used the same authentication using Azure CLI.

[christothes]

Can you reproduce this with a version of Azure.Security.KeyVault.Secrets v 4.3.0-beta.2 or later?

That version added a new feature that will "discover" the correct tenant Id based on the challenge coming back from the service. Assuming the current account is a member of that tenant, it should attempt again with the correct tenant specified.

[ghost]

Hi, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

[dpmragu]

I tried with Azure.Security.KeyVault.Secrets with version 4.3.0-beta.2 but receiving the same error message AKV10032: Invalid issuer.

Thank you.

[dpmragu]

Hi, I tried with Azure.Security.KeyVault.Secrets with version 4.3.0-beta.5 and working fine as expected but not worked when we tried with 4.3.0-beta.2

Thanks.

[ghost]

Hi @dpmragu. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

[ghost]

Hi @dpmragu, since you haven’t asked that we “/unresolve” the issue, we’ll close this out. If you believe further discussion is needed, please add a comment “/unresolve” to reopen the issue.