Describe the bug
I am using v1.18.1 OSS with auto-unseal enabled (Azure). I did a rekey process and wanted to encrypt the output via GPG, with the following command:
$ vault operator rekey -init -key-shares=4 -key-threshold=4 -pgp-keys="key1.asc,key2.asc,key3.asc,key4.asc" -target=recovery
I am trying to rekey again, but get the error:
Error posting unseal key: Error making API request.
URL: PUT https://$VAULT_ADDR/v1/sys/rekey-recovery-key/update
Code: 400. Errors:
To Reproduce
Steps to reproduce the behavior:
1. Run vault operator rekey -init -key-shares=4 -key-threshold=4 -pgp-keys="key1.asc,key2.asc,key3.asc,key4.asc" -target=recovery
2. Decrypt the encrypted recovery keys
3. Run again vault operator rekey -init -key-shares=4 -key-threshold=4 -pgp-keys="key1.asc,key2.asc,key3.asc,key4.asc" -target=recovery
It requires providing each of the recovery keys, but in the last step it gives this error:
Error posting unseal key: Error making API request.
URL: PUT https://$VAULT_ADDR/v1/sys/rekey-recovery-key/update
Code: 400. Errors:
recovery key verification failed: failed to decrypt encrypted stored keys: error decrypting seal wrapped value
error decrypting using seal azurekeyvault: ClientSecretCredential authentication failed. FromClientSecret(): http call(https://login.microsoftonline.com//oauth2/v2.0/token)(POST) error: reply status code was 401:
{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '$SERVICE_PRINCIPAL_ID'. Trace ID: $TRACE_ID Correlation ID: $CORRELATION_ID Timestamp: 2025-02-01 17:23:12Z","error_codes":[7000215],"timestamp":"2025-02-01 17:23:12Z","trace_id":"000000","correlation_id": "error_uri":"https://login.microsoftonline.com/error?code=7000215"}
POST https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx/oauth2/v2.0/token
Expected behavior
From my understanding, it should produce four new recovery keys encrypted with the PGP keys provided in the command, maintaining the order.
Environment:
Vault Server Version (retrieve with vault status): 1.18.1
Vault CLI Version (retrieve with vault version): 1.18.1
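The seal error quoted above is returned by Azure AD's client-credentials token endpoint when the azurekeyvault seal tries to decrypt the stored keys during recovery-key verification, so the rekey fails on the seal credential rather than on the recovery keys or the PGP keys. The preflight below is an added example, not code from the issue or from Vault: it assumes the seal credential is the tenant ID, client ID and client secret that the seal reads from AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, requests a Key Vault token (scope https://vault.azure.net/.default) with the same client-credentials flow, refuses an empty tenant (the cause of the "//oauth2" path in the quoted error), and explains AADSTS7000215 so the credential can be validated before a rekey is started.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
KEYVAULT_SCOPE = "https://vault.azure.net/.default"  # Key Vault data-plane audience
# AAD error codes this check explains; 7000215 is the code quoted in the issue.
KNOWN_CODES = {7000215: "wrong client secret: the value sent is not the secret's value (often the secret ID was pasted instead), or the secret was rotated"}
# Constructed sample body (valid JSON, unlike the redacted copy in the issue) for offline use.
SAMPLE_BODY = '{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided.","error_codes":[7000215]}'


def token_url(tenant):
    """Build the token endpoint; an empty tenant would produce the '//oauth2' path
    visible in the issue's error, so refuse it instead of sending the request."""
    if not tenant:
        raise ValueError("AZURE_TENANT_ID is empty (would request login.microsoftonline.com//oauth2/v2.0/token)")
    return TOKEN_URL.format(tenant=tenant)


def classify_aad_error(body):
    """Return (first AAD error code or None, explanation) for a token-endpoint error body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None, "non-JSON response from token endpoint"
    codes = doc.get("error_codes") or [None]
    fallback = doc.get("error_description") or doc.get("error") or "unknown error"
    return codes[0], KNOWN_CODES.get(codes[0], fallback)


def preflight(tenant, client_id, client_secret):
    """Run the seal's client-credentials flow once; returns (ok, detail)."""
    try:
        url = token_url(tenant)
    except ValueError as e:
        return False, str(e)
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": KEYVAULT_SCOPE}).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=form, method="POST"), timeout=15) as r:
            ok = "access_token" in json.load(r)
            return ok, "token obtained; the seal credential is valid" if ok else "no access_token in reply"
    except urllib.error.HTTPError as e:  # 400/401 replies carry the AADSTS JSON body
        code, why = classify_aad_error(e.read().decode())
        return False, f"HTTP {e.code} AADSTS{code}: {why}"
    except urllib.error.URLError as e:  # DNS/TLS/network failure, not a credential problem
        return False, f"token endpoint unreachable: {e.reason}"
```

Call preflight() with the values from the seal's environment on the Vault host; a False result carrying AADSTS7000215 means the secret value in the seal configuration is what needs fixing before any rekey is retried.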