sdk/keyvault/TROUBLESHOOTING.md
The Azure Key Vault SDKs for .NET use a common HTTP pipeline and authentication to create, update, and delete secrets, keys, and certificates in Key Vault and Managed HSM. This troubleshooting guide contains steps for diagnosing issues common to these SDKs.
For any package-specific troubleshooting guides, see any of the following:
See Azure SDK diagnostics for help diagnosing various problems across all our Azure SDKs for .NET.
HTTP 401 errors may indicate problems authenticating.
Most often, this is expected. Azure Key Vault issues a challenge for initial requests that force authentication. You may see these errors most often during application startup, but may also see these periodically during the application's lifetime when authentication tokens are near expiration.
If you are not seeing subsequent exceptions from the Key Vault SDKs, authentication challenges are likely the cause.
You may see an error similar to:
Azure.RequestFailedException : Service request failed.
Status: 401 (Unauthorized)
Content:
{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/{tenant 1}/, found https://sts.windows.net/{tenant 2}/."}}
This is most often caused by being logged into a different tenant than the Key Vault authenticates. See our DefaultAzureCredential documentation to see the order credentials are read. You may be logged into a different tenant for one credential that gets read before another credential. For example, you might be logged into Visual Studio under the wrong tenant even though you're logged into the Azure CLI under the right tenant.
Automatic tenant discovery support has been added when referencing package Azure.Identity version
1.5.0 or newer, and any of the following Key Vault SDK package versions or newer:
| Package | Minimum Version |
|---|---|
Azure.Security.KeyVault.Administration | 4.1.0 |
Azure.Security.KeyVault.Certificates | 4.3.0 |
Azure.Security.KeyVault.Keys | 4.3.0 |
Azure.Security.KeyVault.Secrets | 4.3.0 |
Upgrading to the package versions should resolve any "Invalid Issuer" errors as long as the application or user is a member of the resource's tenant.
If you are using the Azure.Identity package - which contains DefaultAzureCredential - to authenticate requests to
Azure Key Vault, please see our troubleshooting guide.
HTTP 403 errors indicate the user is not authorized to perform a specific operation in Key Vault or Managed HSM.
You may see an error similar to:
Azure.RequestFailedException : Service request failed.
Status: 403 (Forbidden)
Content:
{"error":{"code":"Forbidden","message":"Operation decrypt is not permitted on this key.","innererror":{"code":"KeyOperationForbidden"}}}
The operation and inner code may vary, but the rest of the text will indicate which operation is not permitted.
This error indicates that the authenticated application or user does not have permissions to perform that operation,
though the cause may vary.
Check that the application or user has the appropriate permissions:
If the appropriate permissions are assigned to your application or user, make sure you are authenticating as that user. If using the DefaultAzureCredential a different credential might've been used than one you expected. Enable logging and you will see which credential the DefaultAzureCredential used as shown below, and why previously-attempted credentials were rejected.
[Informational] DefaultAzureCredential credential selected: Azure.Identity.EnvironmentCredential
You may see an error similar to:
Azure.RequestFailedException : Service request failed.
Status: 403 (Forbidden)
Content:
{"error":{"code":"Forbidden","message":"Access denied to first party service. ...","innererror":{"code":"AccessDenied"}}}
The error message may also contain the tenant ID (tid) and application ID (appid). This error may occur because:
See our Azure.Identity troubleshooting guide for general guidance on authentication errors.
If an AuthenticationFailedException is thrown with a message similar to:
The current credential is not configured to acquire tokens for tenant
See our troubleshooting guide for multi-tenant authentication issues. Read our release notes for more information about this change.
If an InvalidOperationException is thrown with a message similar to:
The challenge resource 'myvault.vault.azure.net' does not match the requested domain. Set DisableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information.
Check that the resources is expected - that you're not receiving a challenge from an unknown host which may indicate an incorrect request URI.
If it is correct but you are using a mock service or non-transparent proxy for testing, set the DisableChallengeResourceVerification to true in your client options:
SecretClientOptions options = new SecretClientOptions()
{
DisableChallengeResourceVerification = true
};
SecretClient client = new SecretClient(vaultUri, credential, options);
Read our release notes for more information about this change.
To troubleshoot additional HTTP service errors not described below, see Azure Key Vault REST API Error Codes.
If you get an exception or see logs that describe HTTP 429, you may be making too many requests to Key Vault too quickly.
Possible solutions include:
CertificateClient, KeyClient, or SecretClient in your application for a single Key Vault.
How you code this will depend on what application configuration library you use. You can find several examples using
our Microsoft.Extensions.Azure
package designed for configuring ASP.NET
and other .NET applications.See our Azure Key Vault throttling guide for more information.
For additional support, please search our existing issues or open a new issue. You may also find existing answers on community sites like Stack Overflow.