I am a little confused by Microsoft's scattered documentation.

I have created an application (https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal), which means I now have:

• Application ID
• Key
• Directory ID

I have gone into the KeyVault in Azure Portal, and I have granted permissions to the application.

For test purposes, I am trying to run a test via CURL. The basis I am using for this is the following Microsoft pages (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token and https://docs.microsoft.com/en-us/rest/api/#create-the-request)

So, the first thing I do is get a token through the following call:

curl -d "grant_type=client_credentials&client_id=<removed_for_security>&client_secret=<removed_for_security>" https://login.microsoftonline.com/<removed_for_security>/oauth2/token

This returns a token.

I then (try to) use that token as follows:

curl -H "Authorization: Bearer <removed_for_security>” -vv https://<removed_for_security>.vault.azure.net/secrets/<removed_for_security>/<removed_for_security>

I get no content back, just "HTTP/1.1 401 Unauthorized"

Ok, so I can confirm that the request you are doing is valid, for the most part, you forgot the API-version, but problem is not with the API version (it would tell you that).

https://xxx.vault.azure.net/secrets/xxx/?api-version=2015-06-01

this url works, so I guess the token is not right. The easiest way to check would be to go to JWT.io and paste the token there and see the contents, if they match with what the Key Vault expects. Probably you have a mismatch.

You need to specify the resource you are requesting the token for.

curl -d "grant_type=client_credentials&client_id=<removed_for_security>&client_secret=<removed_for_security>&resource=https://vault.azure.net" https://login.microsoftonline.com/<removed_for_security>/oauth2/token

and also add the api version.