This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 5%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)
Hi
I'm trying to add a Basic type listener to an Application Gateway instance. While doing so, I wish to choose an SSL Certificate stored in a Key Vault that has access policy configured to allow Get and List permissions to the user-assigned managed identity that I'm picking from the drop-down in the blade when configuring the listener through Azure portal. However, the Key Vault field is an error "The key vault must have GET permissions on secret" though I'm able to pick the required certificate from the next drop-down.
The error is quite misleading as it states that the Key Vault needs access to the secret, whereas the MS documentation states that the user-assigned managed identity needs access to the certificate / secret, which makes sense.
I have enabled Network Service Endpoint to only Application Gateway subnet to talk to Kay Vault and have added the App Gateway Subnet to allowed list of networks on Key Vault's Networking section.
Attached is the screenshot of the error.
Thanks for reaching out.
I am testing above scenario in my lab, will update you with my findings. Thanks .
Hi @sikumars-msft just tested that in the Key Vault access policy, if in addition to the Certificate permissions, I assign Get and List permissions on the Secret permissions field, the issue gets resolved. Just so if someone else gets stuck here.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 78%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Wow struggled with this for a while because the error message is so obtuse. Thanks for this update. Resolved my problem!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 87%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPY%3C/text%3E%3C/svg%3E)
But what about RBAC enabled key vaults. I have a key with role based access control and I am running into the same issue
Glad that you were able to fix the issue and thanks for using Microsoft Q&A community.