
I am a little confused by Microsoft's scattered documentation.

I have created an application (https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal), which means I now have:

  • Application ID
  • Key
  • Directory ID

I have gone into the KeyVault in Azure Portal, and I have granted permissions to the application.

For test purposes, I am trying to run a test via curl. The basis I am using for this is the following Microsoft pages (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token and https://learn.microsoft.com/en-us/rest/api/#create-the-request)

So, the first thing I do is get a token through the following call:

curl -d "grant_type=client_credentials&client_id=<removed_for_security>&client_secret=<removed_for_security>" https://login.microsoftonline.com/<removed_for_security>/oauth2/token

This returns a token.

I then (try to) use that token as follows:

curl -H "Authorization: Bearer <removed_for_security>" -vv https://<removed_for_security>.vault.azure.net/secrets/<removed_for_security>/<removed_for_security>

I get no content back, just "HTTP/1.1 401 Unauthorized"

Little Code

    I have the same issue. I'm still getting a "401 Unauthorized" error after working through the two answers below. Are there special Key Vault permissions that need to be granted (access policies or otherwise) to use the REST API? I've already granted my service principal access to keys: create, list, encrypt, decrypt, wrapKey, unwrapKey, get. Those are the only operations I'm trying to run. I've also already given my service principal access to the Key Vault resource itself. Still no luck. – jschmitter Oct 08 '18 at 17:57

2 Answers


You need to specify the resource you are requesting the token for.

curl -d "grant_type=client_credentials&client_id=<removed_for_security>&client_secret=<removed_for_security>&resource=https://vault.azure.net" https://login.microsoftonline.com/<removed_for_security>/oauth2/token

and also add the API version.

sisir sagar

OK, so I can confirm that the request you are doing is valid, for the most part: you forgot the API version, but the problem is not with the API version (it would tell you that).

https://xxx.vault.azure.net/secrets/xxx/?api-version=2015-06-01

This URL works, so I guess the token is not right. The easiest way to check would be to go to JWT.io, paste the token there and see whether the contents match what the Key Vault expects. Probably you have a mismatch.

4c74356b41