Hi
I'm trying to add a Basic type listener to an Application Gateway instance. While doing so, I wish to choose an SSL certificate stored in a Key Vault that has an access policy configured to allow Get and List permissions to the user-assigned managed identity that I'm picking from the drop-down in the blade when configuring the listener through the Azure portal. However, the Key Vault field shows an error, "The key vault must have GET permissions on secret", though I'm able to pick the required certificate from the next drop-down.
The error is quite misleading, as it states that the Key Vault needs access to the secret, whereas the MS documentation states that the user-assigned managed identity needs access to the certificate / secret, which makes sense.
I have enabled a service endpoint so that only the Application Gateway subnet can talk to Key Vault, and have added the App Gateway subnet to the allowed list of networks in the Key Vault's Networking section.
Attached is the screenshot of the error.
Hi @sikumars-msft, just tested that in the Key Vault access policy, if in addition to the Certificate permissions I assign Get and List permissions in the Secret permissions field, the issue gets resolved. Just in case someone else gets stuck here.
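As an added example (not code from this thread), the same access policy expressed as a Bicep fragment, so the fix is captured in infrastructure code rather than set by hand in the portal: the App Gateway's user-assigned managed identity gets Get and List on both certificates and secrets. The parameter names and API versions are assumptions, not taken from the question.

```bicep
// Added example, not from the Q&A thread. Parameter names are assumptions.
param location string = resourceGroup().location
param keyVaultName string
param appGwIdentityName string   // user-assigned identity attached to the Application Gateway

// The identity already exists; we only need its principalId for the policy.
resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: appGwIdentityName
}

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: appGwIdentity.properties.principalId
        permissions: {
          // Certificate permissions alone still produce the listener error
          // "The key vault must have GET permissions on secret".
          certificates: [
            'get'
            'list'
          ]
          // Get and List on secrets are what the error asks for and what
          // resolved the issue in this thread; grant nothing beyond read.
          secrets: [
            'get'
            'list'
          ]
        }
      }
    ]
  }
}
```

Scope the policy to the gateway's identity only; a broader principal or additional secret permissions (set, delete, purge) are not needed for the listener to read the certificate.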
Glad that you were able to fix the issue and thanks for using Microsoft Q&A community.