Cannot get certificate from Azure key vault - Failed to acquire a new access token
I have created a key vault in Azure and stored both secrets and certificates. I am using managed identities for accessing the key vault. From my Azure VM using Java I am able to get the secret from the key vault using
Using the below code I am able to get the secret correctly.
```java
SecretClient secretClient = new SecretClientBuilder()
    .httpLogOptions(new HttpLogOptions().setLogLevel(HttpLogDetailLevel.BODY_AND_HEADERS))
    .vaultUrl("https://testkeyvault.vault.azure.net/")
    .credential(new ManagedIdentityCredentialBuilder().build())
    .buildClient();
KeyVaultSecret keyVaultSecret = secretClient.getSecret("test-secret");
System.out.println(keyVaultSecret.getName());
```
But when I try to get the certificate using the below code -
```java
CertificateClient certificateClient = new CertificateClientBuilder()
    .httpLogOptions(new HttpLogOptions().setLogLevel(HttpLogDetailLevel.BODY_AND_HEADERS))
    .vaultUrl("https://testkeyvault.vault.azure.net/")
    .credential(new ManagedIdentityCredentialBuilder().build())
    .buildClient();
KeyVaultCertificateWithPolicy certificate = certificateClient.getCertificate("test-cert");
```
I get the exception -
```
[main] ERROR com.azure.core.credential.SimpleTokenCache - Failed to acquire a new access token.
[parallel-2] ERROR com.azure.core.credential.SimpleTokenCache - Failed to acquire a new access token.
[parallel-4] ERROR com.azure.core.credential.SimpleTokenCache - Failed to acquire a new access token.
[parallel-6] ERROR com.azure.core.credential.SimpleTokenCache - Failed to acquire a new access token.
[parallel-6] WARN com.azure.security.keyvault.certificates.CertificateAsyncClient - Failed to Retrieve the certificate - test-cert
Max retries 3 times exceeded. Error Details: To convert to a resource string the specified array must be exactly length 1
```
In the Key Vault access policies I have given all permissions, including GET, for both secrets and certificates for this VM. But getting secrets is working fine and not certificates. Can someone help me here?
Solution 1:[1]
• I would suggest that you clear your system memory cache, as there might already be an existing session going on with those authentication credentials, and the token might be stored in current system memory, due to which you might not be able to access the certificate stored in Key Vault through the Java app.
Also, I would suggest that you log off from any existing or parallel sessions in Azure and then try again. Ensure that the certificate uploaded in Key Vault has the correct password set for retrieving the private key from it for a managed identity. For more details, please refer to the below sample code on retrieving the certificate from Key Vault using Java: -
Please find the link below for more details regarding authenticating a service principal with managed identities: -
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | KartikBhiwapurkar-MT |
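
To separate token acquisition from the certificate call in the question, this added example (not code from the question or the answer) requests a Key Vault token directly from `ManagedIdentityCredential` and prints only its audience, object id and expiry. It assumes the `azure-identity` library is on the classpath, the Azure public cloud scope `https://vault.azure.net/.default`, and that the access token is a JWT; `VaultTokenCheck` and `claim` are hypothetical names.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ManagedIdentityCredentialBuilder;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class VaultTokenCheck {
    // Assumed scope for Key Vault in the Azure public cloud; exactly one scope is requested.
    static final String VAULT_SCOPE = "https://vault.azure.net/.default";

    /** Returns a string claim from a JWT payload, or null if absent or not a JWT. */
    static String claim(String jwt, String name) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            return null; // not a three-part JWT; treat the token as opaque
        }
        // The URL-safe decoder accepts the unpadded Base64 used in JWTs.
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"")
            .matcher(payload);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        try {
            AccessToken token = new ManagedIdentityCredentialBuilder().build()
                .getToken(new TokenRequestContext().addScopes(VAULT_SCOPE))
                .block();
            // Never log the token itself; print only non-secret claims.
            System.out.println("token acquired, expires " + token.getExpiresAt());
            System.out.println("aud = " + claim(token.getToken(), "aud"));
            System.out.println("oid = " + claim(token.getToken(), "oid"));
        } catch (RuntimeException e) {
            // The token is requested before Key Vault evaluates any access policy,
            // so a failure here is in the identity or SDK setup, not the vault permissions.
            System.out.println("token acquisition failed: " + e);
        }
    }
}
```

If this succeeds on the VM while `getCertificate` still fails, the managed identity itself is working and the difference lies in how the certificate client requests its token.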
