
azure-security-keyvault-jca-2.9.0.jar file checking for Azure RBAC permissions at keyvault level #46130

@Akhilvs007

Description


Describe the bug
Signing of a jar file using azure-security-keyvault-jca-2.9.0.jar works only when the role "Key Vault Certificate User" is added at the key vault level and not when it's added at the certificate level of a certificate present inside the keyvault.

Exception or Stack Trace
The below error is produced while trying to sign a jar file using a certificate from Azure Key Vault:
jarsigner: Certificate chain not found for: sign-cert. sign-cert must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain

To Reproduce
Ensure the role "Key Vault Certificate User" is assigned to a certificate inside a keyvault and not at the key vault level itself, and issue the command below:
jarsigner -verbose -keystore NONE -storetype AzureKeyVault -signedjar helloworld-signed.jar helloworld.jar "sign-cert" -storepass '""' -providerName AzureKeyVault -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider "-J-Dazure.keyvault.uri=https://yourkeyvault.vault.azure.net/" "-J-Dazure.keyvault.tenant-id=tenant_id" "-J-Dazure.keyvault.client-id=client_id" "-J-Dazure.keyvault.client-secret=secret" -tsa http://timestamp.digicert.com -providerPath "azure-security-keyvault-jca-2.9.0.jar"

Code Snippet
Add the code snippet that causes the issue.

Expected behavior
Jar signing should work based on the RBAC configured at the certificate level within a keyvault.

Screenshots
If applicable, add screenshots to help explain your problem.

Setup (please complete the following information):

  • OS: Windows
  • IDE: [e.g. IntelliJ]
  • Library/Libraries: [e.g. com.azure:azure-core:1.16.0 (groupId:artifactId:version)]
  • Java version: 21.0.7
  • App Server/Environment: [e.g. Tomcat, WildFly, Azure Function, Apache Spark, Databricks, IDE plugin or anything special]
  • Frameworks: [e.g. Spring Boot, Micronaut, Quarkus, etc]

If you suspect a dependency version mismatch (e.g. you see NoClassDefFoundError, NoSuchMethodError or similar), please check out Troubleshoot dependency version conflict article first. If it doesn't provide solution for the problem, please provide:

  • verbose dependency tree (mvn dependency:tree -Dverbose)
  • exception message, full stack trace, and any available logs

Additional context
If the role "Key Vault Certificate User" is added at the key vault level then the signing works, which is not expected, as this exposes all the certificates within that keyvault to the service principal.

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields, otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
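As an added diagnostic (not code from the issue author or from the Azure SDK): this Java program loads the same AzureKeyVault KeyStore that jarsigner uses with the azure.keyvault.* system properties from the command above, prints the aliases the provider was able to discover, and reports whether the alias has both a key entry and a certificate chain, which is exactly what jarsigner checks before failing with "Certificate chain not found". It assumes the KeyVaultLoadStoreParameter(uri, tenantId, clientId, clientSecret) constructor is available in 2.9.0 and that the principal's role assignment (vault-scoped or certificate-scoped) is already in place.

```java
import com.azure.security.keyvault.jca.KeyVaultJcaProvider;
import com.azure.security.keyvault.jca.KeyVaultLoadStoreParameter;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Collections;

// Diagnostic for the jarsigner failure: shows what the JCA provider can see
// for one alias under the current RBAC scope, before re-running jarsigner.
public class KeyVaultAliasCheck {
    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "sign-cert";

        Security.addProvider(new KeyVaultJcaProvider());
        KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");

        // Same -Dazure.keyvault.* values that the jarsigner command passes via -J.
        // Assumption: this four-argument constructor exists in 2.9.0.
        keyStore.load(new KeyVaultLoadStoreParameter(
            System.getProperty("azure.keyvault.uri"),
            System.getProperty("azure.keyvault.tenant-id"),
            System.getProperty("azure.keyvault.client-id"),
            System.getProperty("azure.keyvault.client-secret")));

        // If the provider has to enumerate certificates to find the alias, a
        // certificate-scoped role assignment shows up here as an empty list.
        System.out.println("Aliases visible to this principal: "
            + Collections.list(keyStore.aliases()));

        if (!keyStore.containsAlias(alias)) {
            System.out.println(alias + ": not found (provider could not list or read it)");
            return;
        }

        Certificate[] chain = keyStore.getCertificateChain(alias);
        boolean hasKey = keyStore.isKeyEntry(alias);
        System.out.println(alias + ": key entry=" + hasKey
            + ", chain length=" + (chain == null ? 0 : chain.length));
        // jarsigner needs both a key entry and a non-empty chain for the alias;
        // if either is missing it reports "Certificate chain not found for: <alias>".
    }
}
```

Compile with the provider jar on the classpath (javac -cp azure-security-keyvault-jca-2.9.0.jar KeyVaultAliasCheck.java) and run with the same -Dazure.keyvault.uri, -Dazure.keyvault.tenant-id, -Dazure.keyvault.client-id and -Dazure.keyvault.client-secret values as the jarsigner command, once per role-assignment scope you want to compare.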

Labels

  • Client: This issue points to a problem in the data-plane of the library.
  • KeyVault
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that