Update Azure keyvault secret through Azure API
I am trying to update a keyvault secret in Azure through Postman, but I am getting an Authorization error. Any suggestions? Is there anything I am missing? Thanks in advance.

{
  "error": {
    "code": "Unauthorized",
    "message": "AKV10022: Invalid audience. Expected https://vault.azure.net, found: https://management.azure.com/."
  }
}

Using the below to update the secret:

PUT https://demokv.vault.azure.net/secrets/secretname?api-version=7.0

in Body:

{
  "value": "mysecretvalue"
}
Uzzia answered 13/2, 2020 at 21:22 Comment(2)
Seems that the problem is related to the way you're acquiring the authorization token (passed in the Authorization header).
Worked fine after adding the audience for keyvault. Thanks. Uzzia

As mentioned in another reply, the audience of your token is not correct; to call the Azure Keyvault REST API - Set Secret operation, the audience should be https://vault.azure.net.

To get the token, you could use the client credential flow in the postman.

1. Register an AD App in Azure AD, then get the values for signing in and create a new application secret.

2. Navigate to the keyvault in the portal and add the service principal of the AD App to the Access policies.

In Postman, send the request below, filling in the properties you got from step 1.

POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

client_id=<client_id>
&scope=https://vault.azure.net/.default
&client_secret=<client_secret>
&grant_type=client_credentials

Then copy the token and use it to call the REST API to set the secret; it will work fine.

Shemeka answered 14/2, 2020 at 6:22 Comment(1)
Can you please link to where the API scopes (vault.azure.net) for keyvault and other resources are documented? Unread
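The procedure in the answer above, as an added example that is not part of the original post: it builds the v2.0 client-credentials request with the `https://vault.azure.net/.default` scope, inspects the `aud` claim of the returned token before using it (the check that would have caught the `AKV10022` error in the question), and builds the Set Secret PUT. The tenant, client and vault names are placeholders, and the JWT inspection only base64-decodes the payload for a sanity check; it does not validate the signature, which is the vault's job. The expected audience value is the one stated in the error message on this page; a trailing slash is ignored in the comparison, and `make_unsigned_jwt` exists only to produce constructed tokens so the checks run offline (real Azure AD tokens are signed).

```python
"""Added example (not from the original post): acquire a Key Vault token with the
client-credential flow and inspect its audience before calling Set Secret.

Assumptions not stated on the page: the tenant/client/vault names are placeholders,
and the JWT inspection only base64-decodes the payload; it never validates the
signature, which the vault does for us."""
import base64
import json
import urllib.parse
import urllib.request

KEY_VAULT_AUDIENCE = "https://vault.azure.net"   # value the AKV10022 error expects
ARM_AUDIENCE = "https://management.azure.com/"   # the wrong audience from the question


def token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """Build the v2.0 client-credentials request shown in the answer.

    Returns (url, form-encoded body). The v2.0 endpoint takes `scope`; the older
    /oauth2/token endpoint takes `resource=https://vault.azure.net` instead.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": KEY_VAULT_AUDIENCE + "/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def token_audience(jwt: str) -> str:
    """Return the `aud` claim of a JWT. Inspection only: no signature check."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return claims["aud"]


def audience_matches(jwt: str, expected: str = KEY_VAULT_AUDIENCE) -> bool:
    """True when the token was minted for the vault (trailing slash ignored)."""
    return token_audience(jwt).rstrip("/") == expected.rstrip("/")


def set_secret_request(vault_name: str, secret_name: str, value: str, jwt: str):
    """Build the PUT from the question, refusing a token for the wrong audience."""
    if not audience_matches(jwt):
        raise ValueError(
            f"token audience is {token_audience(jwt)!r}, need {KEY_VAULT_AUDIENCE!r}")
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.0"
    return urllib.request.Request(
        url,
        data=json.dumps({"value": value}).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {jwt}",
                 "Content-Type": "application/json"},
    )


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token (header.payload. with an empty signature).
    Real Azure AD tokens are signed; this exists only so the checks run offline."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    wrong = make_unsigned_jwt({"aud": ARM_AUDIENCE})        # constructed, like the question's token
    right = make_unsigned_jwt({"aud": KEY_VAULT_AUDIENCE})  # constructed, like the answer's token
    print(audience_matches(wrong), audience_matches(right))  # False True
    url, body = token_request("<tenant-id>", "<client_id>", "<client_secret>")
    print(url, body.decode())
    # Live use: POST `body` to `url`, read access_token from the JSON response,
    # pass it here instead of `right`, then urllib.request.urlopen(req).
    req = set_secret_request("demokv", "secretname", "mysecretvalue", right)
    print(req.get_method(), req.full_url)
```

Decoding the payload locally is only a fast way to see which audience a token was issued for before burning a request on the vault; the vault still rejects tokens with a wrong `aud` or a bad signature, so the check is a diagnostic, not a substitute for the server-side validation.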

Also, you can get the token with az account get-access-token --resource "https://vault.azure.net" to specify the vault resource.

Perigordian answered 15/1, 2021 at 19:58 Comment(1)
Was looking for a human way to do it all day! It works from both TFS (Windows) and Cloud CLI. Many thanks! Unconsidered

My challenge was using the older version of the OAuth API.

Ensure that you're using:

POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

And not:

POST https://login.microsoftonline.com/<tenant-id>/oauth2/token
Fucus answered 21/5, 2020 at 18:50 Comment(0)

You acquired the access token (Bearer) for the wrong audience:

AKV10022: Invalid audience.
Expected https://vault.azure.net,
Found: https://management.azure.com/.

Acquire a new one for the correct audience and give it another go.

Puppet answered 13/2, 2020 at 21:53 Comment(1)
Worked fine after adding the audience for keyvault. Thanks. Uzzia

© 2022 - 2024 — McMap. All rights reserved.