FrankHessen-4713 asked, JamesHamil-MSFT answered

Failed to get app principal details - Certificate import from key vault

Hi. I'm having issues importing a certificate from the Key Vault to an App Service. The App Service is set up with a system-assigned identity and has get and list permissions on both secrets and certificates in the Key Vault.

[Three screenshots attached: bilde.png (2.1 KiB), bilde.png (14.5 KiB), bilde.png (1.9 KiB)]

Tags: azure-key-vault, azure-webapps-ssl-certificates

1 Answer

JamesHamil-MSFT answered

Hi @FrankHessen-4713 , this looks like a permissions issue. You may need more than just GET and LIST. Did you follow that link in the warning? I would look into Key Vault access policies to make sure you have the required permissions: https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

Please let me know if this works. If not I can assist you further.

Best,
James


Hi James,

I tried giving the identity all possible permissions in the keyvault and it still fails.

I took a closer look at the link and found this:
After completing all prerequisites, now we are ready to deploy the certificate into a Web App. Currently, Azure portal doesn’t support deploying external certificate from Key Vault, you need to call Web App ARM APIs directly using ArmClient, Resource Explorer, or Template Deployment Engine.

I find this kind of weird, as the certificate is displayed in the list after I click "Import" but fails when I go further to import it.

Hi James,

Finally solved this and it turns out the owner of the subscription could use the import right away without any issues. My role was only contributor.

I think you should look into this and at least improve the error messages.
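The thread ends up pointing at two separate things to verify: the access policy granted to the App Service's system-assigned identity in the Key Vault (the answer's suggestion) and the role the person doing the import holds at subscription scope (the final comment found Owner worked where Contributor did not). The script below, an added example that is not part of the thread and not Microsoft's code, checks both with the az CLI. It assumes a logged-in az CLI, a vault using the access-policy permission model (as the question describes), and placeholder names for the resource group, web app, vault, subscription id and caller; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies:
#   1. the App Service identity's Key Vault access policy (get + list on secrets
#      and on certificates, the permissions the question says were granted), and
#   2. the caller's RBAC roles at subscription scope (Owner vs Contributor).
# Assumes a logged-in az CLI; all names below are placeholders.
set -u

RG="${RG:-my-rg}"                                        # placeholder resource group
APP="${APP:-my-webapp}"                                  # placeholder App Service name
VAULT="${VAULT:-my-vault}"                               # placeholder Key Vault name
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"       # placeholder subscription id
CALLER="${CALLER:-user@example.com}"                     # UPN or object id of the importing user

# has_all NEEDED GRANTED: succeed when every word in NEEDED appears in GRANTED (case-insensitive).
has_all() {
  needed=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  granted=" $(printf '%s' "$2" | tr 'A-Z' 'a-z') "
  for want in $needed; do
    case "$granted" in *" $want "*) ;; *) return 1 ;; esac
  done
  return 0
}

# vault_perms VAULT OBJECT_ID KIND: permissions of KIND (secrets|certificates)
# granted to OBJECT_ID by the vault's access policies, as one space-separated line.
vault_perms() {
  az keyvault show --name "$1" \
    --query "properties.accessPolicies[?objectId=='$2'].permissions.$3[]" -o tsv | tr '\n' ' '
}

# identity_policy_ok VAULT OBJECT_ID: 0 when the identity has get and list on both kinds.
identity_policy_ok() {
  has_all "get list" "$(vault_perms "$1" "$2" secrets)" &&
  has_all "get list" "$(vault_perms "$1" "$2" certificates)"
}

# caller_roles SUB CALLER: role names assigned to CALLER at subscription scope, one per line.
caller_roles() {
  az role assignment list --assignee "$2" --scope "/subscriptions/$1" \
    --query "[].roleDefinitionName" -o tsv
}

# is_owner SUB CALLER: 0 when one of the caller's subscription-scope roles is Owner.
is_owner() {
  caller_roles "$1" "$2" | grep -qx 'Owner'
}

# report: resolve the web app's identity and print the outcome of both checks.
report() {
  oid=$(az webapp identity show --name "$APP" --resource-group "$RG" --query principalId -o tsv)
  if identity_policy_ok "$VAULT" "$oid"; then
    echo "OK: identity $oid has get/list on secrets and certificates in $VAULT"
  else
    echo "MISSING: identity $oid lacks get/list on secrets or certificates in $VAULT"
  fi
  if is_owner "$SUB" "$CALLER"; then
    echo "OK: $CALLER is Owner at subscription scope"
  else
    echo "NOTE: $CALLER is not Owner at subscription scope; roles: $(caller_roles "$SUB" "$CALLER" | tr '\n' ' ')"
  fi
}

# Run the report only when invoked as:  sh kv-import-check.sh run
if [ "${1:-}" = "run" ]; then
  report
fi
```

The identity check reads the vault's access policies rather than trying a secret fetch, so it tells you which permission is missing instead of just that something failed; the role check reports the caller's subscription-scope roles so the Owner/Contributor difference from the last comment is visible before retrying the import.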