What permissions are required to allow app services to import a certificate from a keyvault that uses RBAC?

Barry Bahrami 11 Reputation points
2024-05-15T01:04:34.1366667+00:00

I have an Azure App Service and a Key Vault that is using RBAC. I am unable to get the App Service to import a certificate from Key Vault. I keep getting this error:

Failed to import key vault certificate: ... . Error: The service does not have access to '/subscriptions/.../resourcegroups/.../providers/microsoft.keyvault/vaults/vaultname' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

I have followed the instructions in this document (https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli) to grant certificate and secret user to both the resource group and key vault from both system assigned identity and user assigned managed identity. Nothing works - same error.

Has anyone been able to get this working???

Thank you in advance


2 answers

  1. hossein jalilian 4,285 Reputation points
    2024-05-15T03:01:33.6466667+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    Here are some steps you can try to resolve this issue:

    • Ensure that you have correctly configured and enabled either a system-assigned or user-assigned managed identity for your App Service. If using a user-assigned managed identity, make sure it is assigned to both the App Service and the Key Vault resource.
    • In the Azure Key Vault resource, navigate to Access policies and click on Add Access Policy. Select the Key permissions and Secret permissions you want to grant. In the Select principal field, search for and select the managed identity of your App Service.
    • Ensure that the managed identity has the "Reader" role assigned at the subscription and resource group levels. You can assign roles using the Azure portal, Azure CLI, or Azure PowerShell.
    • After granting the necessary permissions, you can verify the role assignments by navigating to the Access control (IAM) blade in the Azure portal. Check if the managed identity is listed with the appropriate roles assigned at the Key Vault, resource group, and subscription levels.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  2. Sandeep G-MSFT 15,236 Reputation points Microsoft Employee
    2024-05-15T11:57:55.6966667+00:00

    @Barry Bahrami

    Thank you for posting this in Microsoft Q&A.

    I have done a lab on this issue.

    With the Reader role I was able to view the certificate but was not able to add it.

    By default, the App Service resource provider doesn't have access to your key vault. To use a key vault for a certificate deployment, you must authorize read access for the resource provider to the key vault. Currently, a Key Vault certificate supports only the Key Vault access policy, not RBAC model.


    The above statement is in reference to Azure App Service. Also as per Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control


    Solution:

    To use RBAC, instead of assigning the role to the newly created Azure App Service, you should assign the Key Vault Secrets User role to the global Microsoft Azure App Service.

    Once this was followed, I was able to import the cert to my App Service from Key Vault.

    Do let me know if you have any further queries.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
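The fix above, scripted with the Az PowerShell modules as an added example (this is not code from the thread or from Microsoft): it looks up the first-party "Microsoft Azure App Service" principal, grants it Key Vault Secrets User at vault scope only, checks the vault really uses the RBAC permission model, and then runs the import. The resource group, vault, web app and certificate names are placeholders, and the cmdlet names are from the Az modules as I know them; it assumes an existing Connect-AzAccount session.

```powershell
# Added example, not from the thread. Placeholders below must be replaced.
$ResourceGroup = 'rg-placeholder'
$VaultName     = 'kv-placeholder'
$WebAppName    = 'app-placeholder'
$CertName      = 'cert-placeholder'
$RoleName      = 'Key Vault Secrets User'   # role named in the accepted answer

# 1. The grant goes to the global App Service resource provider identity,
#    not to the web app's own managed identity (which is what the question tried).
$sp = Get-AzADServicePrincipal -DisplayName 'Microsoft Azure App Service'
if (-not $sp -or @($sp).Count -ne 1) {
    throw "Expected exactly one 'Microsoft Azure App Service' principal, found $(@($sp).Count)"
}

# 2. Scope the assignment to the vault itself (least privilege), not the
#    resource group or subscription, and refuse to proceed on an access-policy vault.
$vault = Get-AzKeyVault -ResourceGroupName $ResourceGroup -VaultName $VaultName
if (-not $vault) { throw "Vault $VaultName not found in $ResourceGroup" }
if (-not $vault.EnableRbacAuthorization) {
    throw "Vault $VaultName uses access policies; this script assumes the RBAC permission model"
}

$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId `
    -RoleDefinitionName $RoleName
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName `
        -Scope $vault.ResourceId | Out-Null
    Write-Host "Assigned '$RoleName' to $($sp.DisplayName) on $($vault.ResourceId)"
} else {
    Write-Host "'$RoleName' already assigned at vault scope; nothing to do"
}

# 3. Import the Key Vault certificate into the web app (the same operation the
#    portal performs, which is where the original error was reported).
Import-AzWebAppKeyVaultCertificate -ResourceGroupName $ResourceGroup `
    -WebAppName $WebAppName -KeyVaultName $VaultName -CertName $CertName
```

A freshly created role assignment can take a few minutes to reach the Key Vault data plane, so if the import still reports the access error immediately after the grant, retry step 3 rather than widening the scope.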