Key Vault returns 401 with access token (MSI PowerShell Function App)

Question:

I am trying to connect to Key Vault with my Azure Function using PowerShell.
The Managed Service Identity (MSI) has been turned on, and in Key Vault I granted the MSI ‘get’ and ‘list’ access policies.
Using the script below I successfully get an access token, but when I make the request to Key Vault I always receive a 401 response.

Any idea why the token is not sufficient?

Answer:

Try changing the resource URI to https://vault.azure.net (with no trailing slash). The token validation on the server expects the exact same string as it returns in the 401 response’s WWW-Authenticate header. In general, Key Vault returns 401 for cases where the token is missing or fails validation (three common cases are the token is expired, has an incorrect resource URI, or was issued by a different tenant than the vault is associated with).
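The following script is an added example, not the asker's script (which is not on the page) and not Microsoft's sample code. It requests a token from the Function App's managed identity endpoint for exactly `https://vault.azure.net`, decodes the token's claims locally to check the three causes the answer lists (audience, expiry, tenant), then calls Key Vault and, on a 401, prints the `WWW-Authenticate` header so the expected resource and authority can be compared with what was requested. The vault name, secret name and the `my-vault`/`my-secret` placeholders are assumptions; the endpoint environment variables (`IDENTITY_ENDPOINT`/`IDENTITY_HEADER`, older `MSI_ENDPOINT`/`MSI_SECRET`) are the ones App Service sets when the identity is enabled.

```powershell
# Added example, not the original poster's script. Placeholders below are assumptions.
param(
    [string]$VaultName  = 'my-vault',    # placeholder vault name
    [string]$SecretName = 'my-secret'    # placeholder secret name
)

# The exact resource string Key Vault expects: no trailing slash.
$Resource = 'https://vault.azure.net'

function Get-MsiToken {
    param([string]$Resource)
    # Prefer the newer identity endpoint; fall back to the original MSI endpoint.
    if ($env:IDENTITY_ENDPOINT) {
        $uri     = "$($env:IDENTITY_ENDPOINT)?resource=$([uri]::EscapeDataString($Resource))&api-version=2019-08-01"
        $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    } elseif ($env:MSI_ENDPOINT) {
        $uri     = "$($env:MSI_ENDPOINT)?resource=$([uri]::EscapeDataString($Resource))&api-version=2017-09-01"
        $headers = @{ 'Secret' = $env:MSI_SECRET }
    } else {
        throw 'No managed identity endpoint found; is the identity enabled on the Function App?'
    }
    (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).access_token
}

function ConvertFrom-JwtPayload {
    param([string]$Token)
    # Decode the payload segment only. The signature is NOT verified here; this is a
    # local diagnostic, never an authorization decision.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$token  = Get-MsiToken -Resource $Resource
$claims = ConvertFrom-JwtPayload -Token $token
$expiry = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime

# The three 401 causes named in the answer: wrong audience, expired token, wrong tenant.
if ($claims.aud -ne $Resource) { Write-Warning "aud is '$($claims.aud)', expected '$Resource'" }
if ($expiry -lt (Get-Date).ToUniversalTime()) { Write-Warning "token expired at $expiry UTC" }
Write-Host "token issued by tenant $($claims.tid); the vault must belong to the same tenant"

try {
    $secret = Invoke-RestMethod -Method Get `
        -Uri "https://$VaultName.vault.azure.net/secrets/$SecretName?api-version=7.0" `
        -Headers @{ Authorization = "Bearer $token" }
    Write-Host "retrieved secret; value length $($secret.value.Length)"
} catch {
    $resp = $_.Exception.Response
    if ($resp -and [int]$resp.StatusCode -eq 401) {
        # Key Vault states the authority and resource it expects in this header.
        # Windows PowerShell exposes a WebHeaderCollection; PowerShell 7 an HttpResponseMessage.
        if ($resp.Headers -is [System.Net.WebHeaderCollection]) {
            $challenge = $resp.Headers['WWW-Authenticate']
        } else {
            $challenge = ($resp.Headers.WwwAuthenticate | ForEach-Object { $_.ToString() }) -join ' '
        }
        Write-Warning "401 from Key Vault; WWW-Authenticate: $challenge"
    }
    throw
}
```

Compare the `resource="..."` value in the printed challenge with the `aud` claim character for character; a trailing slash or an `https://<vault-name>.vault.azure.net` string in the token request is enough to fail validation. The `tid` claim should match the tenant in the challenge's `authorization="https://login.windows.net/<tenant>"` value; a mismatch means the identity lives in a different tenant than the vault and no access policy will help.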

Source:

Key Vault returns 401 with access token (MSI PowerShell Function App), licensed under CC BY-SA
