Reputation: 165
I am trying to update a Key Vault secret in Azure through Postman, but I am getting an authorization error. Any suggestions? Is there anything I am missing? Thanks in advance.
{
"error": {
"code": "Unauthorized",
"message": "AKV10022: Invalid audience. Expected https://vault.azure.net, found: https://management.azure.com/."
}
}
Using the below to update the secret:
PUT https://demokv.vault.azure.net/secrets/secretname?api-version=7.0
in Body:
{
"value": "mysecretvalue"
}
Upvotes: 8
Views: 7677
Reputation: 101
Also, you can get the token with az account get-access-token --resource "https://vault.azure.net" to specify the Key Vault resource.
Upvotes: 8
Reputation: 51
My challenge was using the older version of the OAuth API.
Ensure that you're using:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
And not:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/token
Upvotes: 4
Reputation: 42163
As mentioned in another reply, the audience of your token is not correct. To call the Azure Key Vault REST API - Set Secret, the audience should be https://vault.azure.net.
To get the token, you could use the client credential flow in the postman.
1. Register an AD app in Azure AD, then get the values for signing in and create a new application secret.
2. Navigate to the key vault in the portal and add the service principal of the AD app to the Access policies.
In Postman, follow the screenshot below, filling in the properties obtained from step 1.
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
client_id=<client_id>
&scope=https://vault.azure.net/.default
&client_secret=<client_secret>
&grant_type=client_credentials
Then copy the token and use it to call the REST API to set the secret; it will work fine.
Upvotes: 7
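An added, runnable illustration of the flow in the answer above (not code from any poster): it builds the v2.0 client-credentials request with the vault scope, reads the aud claim out of the returned JWT, and refuses to send the PUT from the question unless the audience is https://vault.azure.net, so the AKV10022 mismatch is caught locally instead of at the vault. The vault name demokv is taken from the question; demo_token is a constructed, unsigned sample used only to exercise the check offline.

```python
import base64, json, urllib.parse, urllib.request

KV_AUDIENCE = "https://vault.azure.net"  # audience Key Vault checks; anything else gives AKV10022

def token_request(tenant_id, client_id, client_secret):
    """Build the v2.0 client-credentials request; /.default on the vault URL sets aud correctly."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": f"{KV_AUDIENCE}/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return url, body

def fetch_token(tenant_id, client_id, client_secret):
    """POST the request above and return the access_token (needs network and real credentials)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body.encode(), method="POST")) as resp:
        return json.load(resp)["access_token"]

def token_audience(access_token):
    """Read the aud claim from the JWT payload (no signature check; local sanity check only)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud", "")

def audience_matches(access_token):
    # ARM tokens carry a trailing slash ("https://management.azure.com/"), so normalise first
    return token_audience(access_token).rstrip("/") == KV_AUDIENCE

def set_secret_request(vault_name, secret_name, value, access_token):
    """Build the PUT from the question, refusing a token whose audience is not Key Vault."""
    if not audience_matches(access_token):
        raise ValueError(f"token audience {token_audience(access_token)!r} is not {KV_AUDIENCE}")
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.0"
    return urllib.request.Request(url, data=json.dumps({"value": value}).encode(), method="PUT",
                                  headers={"Authorization": f"Bearer {access_token}",
                                           "Content-Type": "application/json"})

def demo_token(aud):
    """Constructed, unsigned JWT used only to exercise the audience check offline."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'aud': aud})}."
```

To send for real, pass the result of fetch_token(...) to set_secret_request(...) and hand the returned Request to urllib.request.urlopen.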
Reputation: 26424
You acquired the access token (Bearer) for the wrong audience:
AKV10022: Invalid audience.
Expected https://vault.azure.net,
Found: https://management.azure.com/.
Acquire a new one for the correct audience and give it another go.
Upvotes: 3