Azure / azure-sdk-for-go

This repository is for active development of the Azure SDK for Go. For consumers of the SDK we recommend visiting our public developer docs at:
https://docs.microsoft.com/azure/developer/go/
MIT License

[keyvault:azkeys] cannot get key in cross tenant scenario #22928

Open suqin-haha opened 3 months ago

suqin-haha commented 3 months ago

Bug Report

Condition: In cross tenant CMEK scenario, https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json&tabs=azure-portal

Detailed use case I asked in Microsoft QA platform: https://learn.microsoft.com/en-us/answers/questions/1663980/how-to-get-key-info-from-other-tenant

I cannot get the key. Return unauthorized message:

// vaultURL and cred are set up before this snippet (not shown in the report).
client, err := azkeys.NewClient(vaultURL, cred, nil)
if err != nil {
    log.Fatalf("failed to create client: %v", err)
}
// GetKey is what returns the 401 below; the key name and version are redacted.
resp, err := client.GetKey(context.TODO(), "key-name-xxx", "71e9...", nil)
if err != nil {
    log.Fatalf("failed to get key: %v", err)
}

--------------------------------------------------------------------------------
RESPONSE 401: 401 Unauthorized
ERROR CODE: Unauthorized
--------------------------------------------------------------------------------
{
  "error": {
    "code": "Unauthorized",
    "message": "AKV10032: Invalid issuer. Expected one of https://sts.windows.net/90a59e9d-.../, https://sts.windows.net/f8cde.../, https://sts.windows.net/e2d54e.../, found https://sts.windows.net/.../."
  }
}

Expect to have Key information returned.

Reproduce: Just like the link I put above.

NOTE:

  1. Same problem for .Net. https://github.com/Azure/azure-sdk-for-net/issues/18359
  2. I asked a question on the Microsoft Q&A platform too (no answer yet): https://learn.microsoft.com/en-us/answers/questions/1663980/how-to-get-key-info-from-other-tenant

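An added example, not code from the issue or from the SDK: it parses the 401 body shown above and pulls out the tenant IDs on both sides of the AKV10032 mismatch, so a caller can tell a token issued by the wrong tenant apart from any other unauthorized response. The JSON body and tenant IDs are constructed placeholders, not values from the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// SampleBody is a constructed 401 body in the shape the issue shows; the tenant
// IDs are placeholders, not real tenants.
const SampleBody = `{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/11111111-1111-1111-1111-111111111111/, https://sts.windows.net/22222222-2222-2222-2222-222222222222/, found https://sts.windows.net/33333333-3333-3333-3333-333333333333/."}}`

// IssuerMismatch holds the tenants named in an AKV10032 "Invalid issuer" message.
type IssuerMismatch struct {
	ExpectedTenants []string // tenants the vault accepts tokens from
	FoundTenant     string   // tenant that issued the token the client presented
}

// issuerRE captures the tenant ID from an Entra ID issuer URL.
var issuerRE = regexp.MustCompile(`https://sts\.windows\.net/([^/\s,]+)/`)

// ParseInvalidIssuer recognises the AKV10032 body and extracts the tenant IDs on
// both sides; ok is false for any other body, so callers keep their normal 401 path.
func ParseInvalidIssuer(body []byte) (m IssuerMismatch, ok bool) {
	var e struct {
		Error struct{ Code, Message string } `json:"error"`
	}
	if json.Unmarshal(body, &e) != nil || !strings.HasPrefix(e.Error.Message, "AKV10032") {
		return m, false
	}
	// The message ends "... Expected one of <issuer>, <issuer>, found <issuer>."
	i := strings.LastIndex(e.Error.Message, ", found ")
	if i < 0 {
		return m, false
	}
	expected, found := e.Error.Message[:i], e.Error.Message[i+len(", found "):]
	for _, sub := range issuerRE.FindAllStringSubmatch(expected, -1) {
		m.ExpectedTenants = append(m.ExpectedTenants, sub[1])
	}
	if sub := issuerRE.FindStringSubmatch(found); sub != nil {
		m.FoundTenant = sub[1]
	}
	return m, m.FoundTenant != "" && len(m.ExpectedTenants) > 0
}

func main() {
	m, ok := ParseInvalidIssuer([]byte(SampleBody))
	fmt.Printf("issuer mismatch=%v: token from tenant %q, vault trusts %v\n", ok, m.FoundTenant, m.ExpectedTenants)
}
```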
gracewilcox commented 3 months ago

Same as https://github.com/Azure/azure-sdk-for-go/issues/19841

Looking into it now

gracewilcox commented 3 months ago

Hi @suqin-haha! We are aware that we don't currently have cross tenant auth in Key Vault. Planning to add this functionality.

suqin-haha commented 3 months ago

> Hi @suqin-haha! We are aware that we don't currently have cross tenant auth in Key Vault. Planning to add this functionality.

Thanks @gracewilcox. And could the SDK also have a region field in the key information? The purpose of this get-key-cross-tenant feature is Key Validation when customers provide their own key. In the same scenario, the region is also important since DiskEncryptionSet requires the key to be in the same region. Although there is a hacky way to get the region, https://learn.microsoft.com/en-us/answers/questions/1661177/how-to-get-azure-key-key-vault-region, it's better if we could have a region field in the key information. :)