0
votes

I am having trouble getting enough permission to access Azure Key Vault using my app (and not via user login). Here is my setup:

I have an Azure Key Vault set up: Key Vault Setup

I have given my app called "KeyVault" every permission.

My app is registered with Azure Active Directory, and I have given it permission to access the Key Vault:

App registered with Azure Active Directory App given permission to access Key Vault

After all this, I try to get an Access Token using the following REST API:

https://login.microsoftonline.com/<DOMAIN_ID>/oauth2/token

The client_id and resource are both the App ID of my registered app in Active Directory I showed earlier. (Is this correct?)


I do get an Access Token back, which I use to try to query a secret in my vault. Unfortunately, as you can see, it returns a 401 error, which means no permission. What am I doing wrong?

Querying the key vault

The URL is from the "Secret Identifier" of the secret in the key vault.


2 Answers

1
votes

The client_id and resource are both the App ID of my registered app in Active Directory I showed earlier.

No, the resource is not the app ID. As Rich said, the value is https://vault.azure.net.

I tested it in my lab with PowerShell; the code should look like below:

# Tenant (directory) ID, the registered app's Application ID and its client secret
$TENANTID=""
$APPID=""
$PASSWORD=""

# Client-credentials grant: 'resource' is the Key Vault service URI, NOT the app ID
$result=Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://vault.azure.net"; "client_id" = "$APPID"; "client_secret" = "$PASSWORD" }
$token=$result.access_token

# Secret Identifier copied from the vault, plus the Key Vault REST API version
$url="https://shui.vault.azure.net/secrets/shui01/cea20d376aee4d25a2d714df19314c26?api-version=2016-10-01"

# Present the token to Key Vault as a bearer token
$Headers=@{
    'authorization'="Bearer $token"
}

Invoke-RestMethod -Uri $url -Headers $Headers -Method GET

Note: If you want to get the API input information, you could use Azure PowerShell with -Debug to get it. For example:


1
votes

When requesting the token from AAD you should set the resource to be:

https://vault.azure.net

That will ensure that the returned token is 'addressed' to Key Vault.
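A diagnostic for the 401 in the question, added here as an example and not part of either answer: it builds the client-credentials form body with the correct resource, and decodes the payload of the returned token (without verifying the signature) to check whether its aud claim is addressed to Key Vault or, as in the question, to the app's own ID. Assumes Python 3 only; the two sample tokens are constructed, unsigned placeholders and the app ID is a made-up value.

```python
import base64
import json

# The resource Key Vault expects to find in the token's 'aud' claim
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def client_credentials_body(tenant_id, app_id, client_secret):
    """Form fields for POST https://login.microsoftonline.com/<tenant>/oauth2/token?api-version=1.0.
    'resource' names the service the token is for, not the calling app."""
    return {
        "grant_type": "client_credentials",
        "resource": KEY_VAULT_RESOURCE,
        "client_id": app_id,
        "client_secret": client_secret,
    }


def _b64url_decode(segment):
    # JWT segments strip '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Payload claims of a compact JWT. Signature is NOT checked: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(token, expected=KEY_VAULT_RESOURCE):
    """Return (ok, aud): ok is True only when the token is addressed to Key Vault."""
    aud = jwt_claims(token).get("aud", "")
    return aud.rstrip("/") == expected.rstrip("/"), aud


def make_unsigned_jwt(claims):
    """Constructed, unsigned JWT (alg 'none') so the check can run offline."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: the question's mistake (aud = app ID) and the fix (aud = vault)
FAKE_APP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder, not a real app
WRONG_TOKEN = make_unsigned_jwt({"aud": FAKE_APP_ID, "appid": FAKE_APP_ID})
RIGHT_TOKEN = make_unsigned_jwt({"aud": KEY_VAULT_RESOURCE, "appid": FAKE_APP_ID})

if __name__ == "__main__":
    for name, tok in (("wrong", WRONG_TOKEN), ("right", RIGHT_TOKEN)):
        print(name, check_audience(tok))
```

Run the same check on a real token from the POST above; if aud is a GUID rather than https://vault.azure.net, the 401 comes from the token request, not from the vault's access policy.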