Hey team,
I am using HashiCorp Vault OSS deployed with the Helm Chart in an OpenShift cluster v1.18.1. It is running in HA mode and has the auto-unseal feature enabled with Azure Key Vault.
I did a rekey process of recovery keys and used GPG encryption to encrypt the keys.
I am trying to rekey again and this process requires that you have old recovery keys in order to generate the new ones. Here comes the problem: after providing each one of the decrypted keys, at the end I get the following error:
> Error posting unseal key: Error making API request
>
> URL: PUT https://$VAULT_URL/v1/sys/rekey-recovery/update
> Code: 400. Errors:
>
> - recovery key verification failed: failed to decrypt encrypted stored keys: error decrypting seal wrapped value
> error decrypting using seal azurekeyvault: ClientSecretCredential authentication failed. FromClientSecret():
> RESPONSE 401 Unauthorized
> {
> "error": "invalid_client",
> "error_description": "AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app
I am not quite sure why it outputs this error, as I am not providing any secret in the command.
I have also checked that the Service Principal secret is valid and has not expired.
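The AADSTS7000215 response in the quoted output is returned to Vault itself: during a recovery rekey Vault has to unwrap the stored keys with the Azure Key Vault seal key, so it authenticates to Azure AD with the client secret configured for the `azurekeyvault` seal, not with anything the operator types into the rekey command. The following script is an added diagnostic, not code from the original post or from HashiCorp: it replays the same OAuth2 client-credentials request a `ClientSecretCredential` makes and classifies Azure AD's answer. It assumes the seal credentials are exported in the environment variables the seal reads (`AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`) and that `curl` is available; the sample JSON bodies used to exercise the classifier are constructed, and the 7000222 code is taken from Azure AD's published error list rather than from the post.

```shell
#!/usr/bin/env sh
# Added diagnostic for the Vault azurekeyvault seal credential (not from the post).
# Assumption: AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET hold the
# values the seal stanza uses. Nothing is printed or logged except a verdict.

AAD_TOKEN_URL_BASE="https://login.microsoftonline.com"
KEYVAULT_SCOPE="https://vault.azure.net/.default"

# Classify a token-endpoint JSON body. Pure string inspection, so it runs
# offline. AADSTS7000215 is the code quoted in the post (secret ID or a wrong
# value sent instead of the secret value); AADSTS7000222 is Azure AD's code
# for an expired client secret.
classify_aad_response() {
  body="$1"
  case "$body" in
    *'"access_token"'*)   echo "ok" ;;
    *AADSTS7000215*)      echo "bad_secret_value" ;;
    *AADSTS7000222*)      echo "secret_expired" ;;
    *'"invalid_client"'*) echo "invalid_client_other" ;;
    *)                    echo "unknown" ;;
  esac
}

# Live check: request a Key Vault-scoped token with the client-credentials
# grant, exactly as the seal's ClientSecretCredential does, and classify the
# answer. --data-urlencode keeps secrets containing '&', '+' or '%' intact.
check_seal_credentials() {
  : "${AZURE_TENANT_ID:?set AZURE_TENANT_ID to the seal's tenant}"
  : "${AZURE_CLIENT_ID:?set AZURE_CLIENT_ID to the seal's application (client) ID}"
  : "${AZURE_CLIENT_SECRET:?set AZURE_CLIENT_SECRET to the secret VALUE, not its ID}"
  body=$(curl -sS -X POST \
    "${AAD_TOKEN_URL_BASE}/${AZURE_TENANT_ID}/oauth2/v2.0/token" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=${AZURE_CLIENT_ID}" \
    --data-urlencode "client_secret=${AZURE_CLIENT_SECRET}" \
    --data-urlencode "scope=${KEYVAULT_SCOPE}")
  classify_aad_response "$body"
}

# Only perform the live request when the seal credentials are present, so the
# file can also be sourced for its functions without touching the network.
if [ -n "${AZURE_CLIENT_SECRET:-}" ]; then
  result=$(check_seal_credentials)
  echo "seal credential check: ${result}"
  [ "$result" = "ok" ]
fi
```

Run it with the three variables set to exactly what the Vault pods receive (the values in the seal stanza or the Kubernetes secret the Helm chart injects). A `bad_secret_value` verdict means Azure AD is rejecting the value Vault presents regardless of the secret's expiry date, which is the case the post describes; `ok` means the seal credential is fine and the rekey failure must be looked for elsewhere, for example in the Key Vault key permissions rather than in authentication.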