This repository has been archived by the owner on Jun 17, 2024. It is now read-only.

Unable to access azure key vault secrets with ADAL token #38

AMoghrabi opened this issue Jan 8, 2016 · 4 comments

Comments

@AMoghrabi

I am successfully able to retrieve a token using the gem and authenticate against Azure Service Management API. Using the same token, I can also use the Azure Key Vault REST API to retrieve my vault:

https://msdn.microsoft.com/en-us/library/azure/mt620026.aspx

However, when trying to retrieve a secret from my vault:

https://msdn.microsoft.com/en-us/library/azure/dn903633.aspx

This returns a 401 Unauthorized.

I recently found this Stack Overflow post, and it suggests that when making a token request, I need to pass a resource header:

When you make the request for the Bearer token, make sure that you include the "resource" header, and that it is set to "https://vault.azure.net". If you don't, you'll get a token, but you won't be able to access any vault data with it.
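An added Ruby example, not part of the issue or of the gem, showing the resource parameter on the token request and a pre-flight check of a token's aud claim before calling the secrets endpoint. The JWT here is constructed inline and unsigned for offline use; real tokens are signed by Azure AD and verified by the service.

```ruby
require 'json'
require 'base64'
require 'uri'

# Resource (audience) a token must carry to be accepted by the Key Vault data plane.
KEY_VAULT_RESOURCE = 'https://vault.azure.net'.freeze

# Form body for an AAD v1 (ADAL-style) client-credentials token request.
# Without the 'resource' field the token is issued for a different audience
# and the secrets endpoint answers 401, as described in the issue.
def vault_token_request_body(client_id:, client_secret:)
  URI.encode_www_form(
    'grant_type'    => 'client_credentials',
    'client_id'     => client_id,
    'client_secret' => client_secret,
    'resource'      => KEY_VAULT_RESOURCE
  )
end

# Decode a JWT payload without verifying the signature. This only inspects a
# token we already hold; signature verification is the resource server's job.
def jwt_payload(token)
  parts = token.split('.')
  raise ArgumentError, 'not a three-part JWT' unless parts.length == 3
  seg = parts[1]
  seg += '=' * ((4 - seg.length % 4) % 4) # restore base64url padding
  JSON.parse(Base64.urlsafe_decode64(seg))
end

# True when the token's 'aud' claim is Key Vault (trailing slash tolerated),
# i.e. the token can be presented to https://<vault>.vault.azure.net/secrets/...
def vault_token?(token)
  Array(jwt_payload(token)['aud']).any? { |a| a.chomp('/') == KEY_VAULT_RESOURCE }
end

# Constructed sample: an unsigned JWT ('alg' => 'none', dummy signature) carrying
# the given claims, so the check above can be exercised offline.
def build_unsigned_jwt(claims)
  segments = [{ 'alg' => 'none', 'typ' => 'JWT' }, claims].map do |part|
    Base64.urlsafe_encode64(JSON.generate(part), padding: false)
  end
  (segments << 'dummysig').join('.')
end

if __FILE__ == $PROGRAM_NAME
  mgmt_token  = build_unsigned_jwt('aud' => 'https://management.core.windows.net/')
  vault_token = build_unsigned_jwt('aud' => KEY_VAULT_RESOURCE)
  puts "management-scoped token usable for vault? #{vault_token?(mgmt_token)}"  # false
  puts "vault-scoped token usable for vault?      #{vault_token?(vault_token)}" # true
end
```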

@AMoghrabi

Turns out to be a bug on Azure's end. You need to use the client ID of PowerShell because there isn't an option to assign access to the vault within your application in AD.

@jglazner

@AMoghrabi can you elaborate on this? I have been beating my head against a wall all day because of this. How do I authorize my application to talk to the Key Vault data APIs?

@AMoghrabi

AMoghrabi commented Dec 21, 2016

Hey @jglazner, this SO post has helped me solve the issue:

http://stackoverflow.com/questions/30096576/using-adal-for-accessing-the-azure-keyvault-on-behalf-of-a-user

Basically you need to impersonate PowerShell making the call because there isn't an option in Azure AD to assign access to Azure Vault. The client ID is:

1950a258-227b-4e31-a9cf-717495945fc2

Let me know if you need additional help.
