Azure-cli: AKV10032: Invalid issuer error for listing of key vault secrets from nondefault tenant subscription

Created on 15 Jan 2020 · 12 comments · Source: Azure/azure-cli

Describe the bug

Command Name
az keyvault secret list

Errors:

AKV10032: Invalid issuer. Expected one of https://sts.windows.net/<nondefault tenant>/, found https://sts.windows.net/<default tenant>/.

To Reproduce:

Steps to reproduce the behavior.

  • az login // log in with one tenant
  • az login // log in with a second tenant
  • az account list // verify that multiple subscriptions exist with different tenants
  • az keyvault secret list --subscription <subscription from nondefault tenant> --vault-name {} --query '[].id'

Expected Behavior

Secret ids are printed.

Environment Summary

Windows-10-10.0.18362-SP0
Python 3.6.6
Shell: powershell.exe

azure-cli 2.0.80

Additional Context

az account list
[
  {
    "cloudName": "AzureCloud",
    "id": "<default subscription>",
    "isDefault": true,
    "name": "Visual Studio Enterprise with MSDN",
    "state": "Enabled",
    "tenantId": "<default tenant>",
    "user": {
      "name": "<email>",
      "type": "user"
    }
  },
  {
    "cloudName": "AzureCloud",
    "id": "<subscription from nondefault tenant>",
    "isDefault": false,
    "name": "Visual Studio Enterprise",
    "state": "Enabled",
    "tenantId": "<nondefault tenant>",
    "user": {
      "name": "<email>",
      "type": "user"
    }
  }
]


Labels: KeyVault, customer-reported, feature-request

All 12 comments

@bim-msft, please help take a look, thanks.

Any updates on this?

@t3mi This is a cross-tenant issue; I believe it's similar to #7607. The parameter --subscription seems broken now as we are facing some complicated cross-tenant problems; please avoid using this parameter as a workaround. For more info, please refer to #7902.

Our deployment is blocked due to the same error code

2020-03-12T19:23:08.4378500Z Operation Info:
2020-03-12T19:23:08.4386094Z Start Time: 03/12/2020 19:22:40
2020-03-12T19:23:08.4392880Z End Time: 03/12/2020 19:22:40
2020-03-12T19:23:08.4439932Z Error Reason: Error in 'payloadProperties' for extension 'Microsoft.Azure.Portal.HostingService/DeployPortalExtension'. Error Message: Rollout action failed. Please check the help link for more information.
2020-03-12T19:23:08.4442589Z AKV10032: Invalid issuer. Expected one of ....

The scenario in keyvault requires that the global --subscription works well for cross-tenant scenarios first.

@yungezz please mark this as a bug. There is a key and it's not working properly; it's not a feature request.

I have experienced the same bug with secret set with the subscription flag.

That being said, if you set the sub as default just before, it works, so:

az account set --subscription {SubID}
az keyvault secret list --vault-name myVault
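A pre-flight check for the mismatch behind this workaround, added here as an example (not azure-cli code): it reads the JSON that az account list prints (a constructed sample with placeholder GUIDs is embedded) together with an AKV10032 message, and reports when the default subscription's tenant, whose token the CLI sends, differs from the target subscription's tenant. It assumes, as this thread observes, that the token is minted by the default subscription's tenant.

```python
import json
import re

# Constructed sample shaped like the `az account list` output in the report
# above; the GUIDs are placeholders, not real tenants or subscriptions.
ACCOUNT_LIST_JSON = """[
  {"id": "00000000-0000-0000-0000-000000000001", "isDefault": true,
   "tenantId": "aaaaaaaa-0000-0000-0000-000000000001", "name": "Default sub"},
  {"id": "00000000-0000-0000-0000-000000000002", "isDefault": false,
   "tenantId": "bbbbbbbb-0000-0000-0000-000000000002", "name": "Other-tenant sub"}
]"""

# Each issuer URL in the AKV10032 text carries a tenant id as its path segment.
ISSUER_RE = re.compile(r"https://sts\.windows\.net/([0-9a-f-]{36})/", re.I)


def parse_akv10032(message):
    """Return (expected_tenants, found_tenant) from an AKV10032 error string."""
    expected_part, _, found_part = message.partition("found ")
    expected = [t.lower() for t in ISSUER_RE.findall(expected_part)]
    found = ISSUER_RE.findall(found_part)
    return expected, (found[0].lower() if found else None)


def token_tenant_mismatch(account_list_json, subscription_id):
    """Compare the default subscription's tenant (source of the token the CLI
    sends) with the target subscription's tenant; None when they agree."""
    accounts = json.loads(account_list_json)
    token_tenant = next(a["tenantId"].lower() for a in accounts if a["isDefault"])
    target = next(a for a in accounts if a["id"] == subscription_id)
    vault_tenant = target["tenantId"].lower()
    return (token_tenant, vault_tenant) if token_tenant != vault_tenant else None


def error_explained_by_mismatch(message, account_list_json, subscription_id):
    """True when the vault expected the target tenant but got the default tenant's token."""
    expected, found = parse_akv10032(message)
    mismatch = token_tenant_mismatch(account_list_json, subscription_id)
    if mismatch is None or found is None:
        return False
    token_tenant, vault_tenant = mismatch
    return found == token_tenant and vault_tenant in expected


def suggest_workaround(account_list_json, subscription_id):
    """The thread's workaround: make the target subscription the default so the
    token is minted by the vault's own tenant, then drop --subscription."""
    if token_tenant_mismatch(account_list_json, subscription_id) is None:
        return []
    return [f"az account set --subscription {subscription_id}",
            "az keyvault secret list --vault-name <vault>"]
```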

az keyvault storage list --vault-name <Vault Name> doesn't work, neither with --subscription <sub> nor without it.

Azure cli version: 2.0.75

Any update? We are also running into this issue while attempting cross-tenant key access. Tried both with and without the subscription parameter.

I am receiving this error even on the _default_ subscription.

az account show
{
  "environmentName": "AzureCloud",
  "homeTenantId": "REDACTED",
  "id": "REDACTED",
  "isDefault": true,
  "managedByTenants": [
    {
      "tenantId": "REDACTED"
    }
  ],
  "name": "Enterprise Dev/Test",
  "state": "Enabled",
  "tenantId": "REDACTED",
  "user": {
    "name": "REDACTED",
    "type": "user"
  }
}
az keyvault secret list --vault-name keyvault-test
AKV10032: Invalid issuer. Expected one of https://sts.windows.net/ab8cb611-0add-432b-9975-ae87e1ebe6f7/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, found https://sts.windows.net/71fdf23f-162c-4ca1-a83b-7a68e8b5ea85/.

The keyvault-test keyvault is in the default subscription listed above. I am certain that this used to work.

az version
{
  "azure-cli": "2.11.1",
  "azure-cli-core": "2.11.1",
  "azure-cli-telemetry": "1.0.5",
  "extensions": {}
}

The day a bug becomes a feature request. (I can confirm this bug, it is still on-going)
