I'm trying to add a Basic type listener to an Application Gateway instance. While doing so, I wish to choose an SSL certificate stored in a Key Vault that has an access policy configured to allow Get and List permissions to the user-assigned managed identity that I'm picking from the drop-down in the blade when configuring the listener through the Azure portal. However, the Key Vault field shows an error, "The key vault must have GET permissions on secret", though I'm able to pick the required certificate from the next drop-down.
The error is quite misleading as it states that the Key Vault needs access to the secret, whereas the MS documentation states that the user-assigned managed identity needs access to the certificate / secret, which makes sense.
I have enabled a Network Service Endpoint so that only the Application Gateway subnet can talk to Key Vault, and have added the App Gateway subnet to the allowed list of networks in the Key Vault's Networking section.
Attached is the screenshot of the error.
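The two conditions the question describes (the managed identity's access-policy entry needs Get and List on secrets, and the App Gateway subnet must be on the vault's allowed networks) can be checked offline against the JSON that `az keyvault show` returns. This is an added check, not code from the asker; the vault JSON, principal GUIDs and subnet resource id below are constructed placeholders.

```python
import json

# Constructed sample of `az keyvault show` output, trimmed to the fields this
# check reads; every id and GUID here is a placeholder, not a real resource.
SAMPLE_VAULT = json.loads("""
{
  "name": "kv-placeholder",
  "properties": {
    "accessPolicies": [
      {"objectId": "11111111-1111-1111-1111-111111111111",
       "permissions": {"secrets": ["Get", "List"], "certificates": ["Get"]}},
      {"objectId": "22222222-2222-2222-2222-222222222222",
       "permissions": {"secrets": ["List"], "certificates": ["Get", "List"]}}
    ],
    "networkAcls": {
      "defaultAction": "Deny",
      "virtualNetworkRules": [
        {"id": "/subscriptions/sub-placeholder/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/appgw-subnet"}
      ]
    }
  }
}
""")

# App Gateway pulls the certificate through its secret identifier, so the
# *secrets* permission list is the one that must contain Get and List.
REQUIRED_SECRET_PERMS = {"get", "list"}

def missing_secret_permissions(vault: dict, principal_id: str) -> set:
    """Secret permissions the identity (by objectId) still lacks; empty set means OK."""
    granted = set()
    for policy in vault["properties"].get("accessPolicies", []):
        if policy["objectId"].lower() == principal_id.lower():
            granted |= {p.lower() for p in policy["permissions"].get("secrets", [])}
    return REQUIRED_SECRET_PERMS - granted

def subnet_allowed(vault: dict, subnet_id: str) -> bool:
    """True if the vault firewall allows all networks or lists this subnet explicitly."""
    acls = vault["properties"].get("networkAcls") or {}
    if acls.get("defaultAction", "Allow").lower() == "allow":
        return True
    return any(r["id"].lower() == subnet_id.lower()
               for r in acls.get("virtualNetworkRules", []))

def check_appgw_access(vault: dict, principal_id: str, subnet_id: str) -> list:
    """Collect the reasons the listener configuration would be rejected."""
    problems = []
    lacking = missing_secret_permissions(vault, principal_id)
    if lacking:
        problems.append(f"identity {principal_id} lacks secret permissions {sorted(lacking)}")
    if not subnet_allowed(vault, subnet_id):
        problems.append(f"subnet {subnet_id} is not in the vault's allowed networks")
    return problems
```

The `principal_id` to pass is the managed identity's principal (object) id, which is what the vault's access policy entry is keyed on, not its client id.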