Reputation: 2308
An API is deployed as an App Service on Azure. It connects to a Key Vault that is on the same subscription. An access policy was created for the App Service in the Key Vault. The App Service is configured with a system assigned identity. When the API attempts to access the key vault, the following error occurs:
AKV10032: Invalid issuer. Expected one of https://sts.windows.net/b68456ea-cf3c-4835-9d30-a4b164f33190/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, found https://sts.windows.net/98de912a-48b9-4d1d-b5cd-21fd3f4f449d/.
Edit: I've removed a lot of content from this question as there was an error in it and I've been on the wrong track. Both the Key Vault and the App service do use the same tenant (contrary to my original post). The tenant Id is 98de912a-48b9-4d1d-b5cd-21fd3f4f449d, which is the one that is found in the error message above.
Upvotes: 7
Views: 12368
Reputation: 207
I faced this issue when upgrading some of the old projects' NuGet packages. The reason was I had multiple different tenant resources in my az account list.
Having Azure.Security.KeyVault.Secrets locally makes it work locally for me. This is temporary as I will migrate all of the Azure resources into one tenant.
<ItemGroup Condition="'$(Configuration)' == 'Debug'">
<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.6.0" />
</ItemGroup>
Upvotes: 0
Reputation: 5782
For me, this happened as my user account had access to multiple tenants. This is what helped me on Mac OS. The steps would be similar on Linux and Windows too (I think!).
rm -rf ~/.azure
az login --tenant xxx
Replace xxx with your tenant ID copied from the previous step.
Upvotes: 0
Reputation: 1
For me the issue was that I was signed into Visual Studio with more than one account. Even though the "correct" one was the active one, the error only went away after signing out with the other one.
Upvotes: 0
Reputation: 485
Some of the answers here were spot on, I received it after trying to initially connect to a KeyVault that used "null" as the vault name appended into a formatted KeyVault uri.
If you're running into this issue, I recommend:
Upvotes: 0
Reputation: 1208
In my case, it was a guest account in Visual Studio. So only adding a tenant's account to Visual Studio works
Upvotes: 5
Reputation: 2308
This was happening because of a typo in the name of the key vault that I was given. Unfortunately the typo version was for an existing key vault, so we went on the wrong track investigating authorization problems.
Upvotes: 11
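A small diagnostic for the two situations the answers above describe: a token issued by the wrong tenant (the multiple-accounts cases) versus a vault that lives in a different tenant than intended (the vault-name typo case). This is an added example, not code from any of the posters; the error string is constructed in the format of the message quoted in the question, and the token is an unsigned sample the script builds itself.

```python
import base64
import json
import re

# Constructed sample in the format of the AKV10032 message quoted in the question.
SAMPLE_ERROR = (
    "AKV10032: Invalid issuer. Expected one of "
    "https://sts.windows.net/b68456ea-cf3c-4835-9d30-a4b164f33190/, "
    "https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, "
    "found https://sts.windows.net/98de912a-48b9-4d1d-b5cd-21fd3f4f449d/."
)
ISSUER_RE = re.compile(r"https://sts\.windows\.net/([0-9a-f-]{36})/")


def parse_akv10032(message):
    """Split an AKV10032 message into (tenants the vault accepts, tenant that issued the token)."""
    head, sep, tail = message.partition("found ")
    if not sep or not message.startswith("AKV10032"):
        raise ValueError("not an AKV10032 issuer error")
    expected, found = ISSUER_RE.findall(head), ISSUER_RE.findall(tail)
    if not expected or len(found) != 1:
        raise ValueError("could not extract tenant ids from message")
    return expected, found[0]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_tenant(jwt):
    """Read the tid claim of an access token. No signature check: diagnostics only."""
    return json.loads(_b64url_decode(jwt.split(".")[1])).get("tid")


def diagnose(message, jwt, intended_tenant):
    """Tell whether the token or the vault is on the wrong tenant, relative to intended_tenant."""
    expected, found = parse_akv10032(message)
    if token_tenant(jwt) != found:
        return "token does not match the error; inspect a token from the failing call"
    if found == intended_tenant and intended_tenant not in expected:
        return "vault is not in the intended tenant: check the vault name/URI"
    if found != intended_tenant and intended_tenant in expected:
        return "token came from the wrong tenant: sign in to the intended tenant"
    return "neither token nor vault is in the intended tenant"


def constructed_token(tid):
    """Build an unsigned sample token (empty signature segment) carrying the given tid claim."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'tid': tid, 'iss': f'https://sts.windows.net/{tid}/'})}."
```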
Reputation: 58873
You cannot change the Key Vault's AAD tenant.
If you use system-assigned managed identity on the App Service, it'll create a service principal in the same AAD tenant where the App Service is. If the Key Vault and App Service are in the same subscription, they are under the same AAD tenant as well then. You should be able to add that service principal to Key Vault access policies then and use it to access Key Vault.
If you have an app registration/service principal in another AAD tenant however, it cannot access the Key Vault.
Upvotes: 2