
Created a Key Vault and granted authorization to the RP service principal (application registered in Azure AD) by executing the PowerShell command. Key Vault details are given below -

Vault Name: MyKeyVaultTest

Resource ID: /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest

Access Policies:
Tenant ID: d29bcd12-3280-4f37-b8f2-6e9e2f581472
Object ID: daccd2fd-835a-4c03-8336-c5fcf481f3cc
Application ID: 172f36fc-a098-47a1-9c83-04016d3e9781
Permissions to Keys: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore, Decrypt, Encrypt, UnwrapKey, WrapKey, Verify, Sign, Purge
Permissions to Secrets: Get, List, Set, Delete, Recover, Backup, Restore, Purge
Permissions to Certificates: Get, List, Update, Create, Import, Delete, ManageContacts, ManageIssuers, GetIssuers, ListIssuers, SetIssuers, DeleteIssuers
Permissions to (Key Vault Managed) Storage:

Created a self-signed certificate using the PowerShell script below -

# Create a self-signed certificate in the local machine's personal store
$cert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName XXXXXXXtechmahindra.onmicrosoft.com
# Password that protects the exported PFX (placeholder value as posted)
$pwd = ConvertTo-SecureString -String 'XXXXXX@1234@' -Force -AsPlainText
$path = 'cert:\localmachine\my\' + $cert.Thumbprint
# Export certificate plus private key as a PFX for upload to Key Vault
Export-PfxCertificate -Cert $path -FilePath c:\temp\cert.pfx -Password $pwd

Added the same certificate to the Key Vault and got the secret named "mykeyvaulttestwebappPK" with content type "application/x-pkcs12".

Then enabled ARMClient and executed the script below to deploy the Key Vault certificate into the Web App named "MyKeyVaultTestWebApp", which gives an error. Script and errors are given below -

1. Script without changing the API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/*****-*****-*****-*****-**********/resourcegroups/rg-scotia-scale-test/providers/microsoft.keyvault/vaults/mykeyvaulttest' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."

2. Script with the Serverfarm’s API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-09-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"code": "NoRegisteredProviderFound",
"message": "No registered resource provider found for location 'SouthCentralUS' and API version '2016-09-01' for type 'certificates'."

3. Script with the Key-Vault’s API version:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2015-06-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/*****-*****-*****-*****-**********/resourcegroups/rg-scotia-scale-test/providers/microsoft.keyvault/vaults/mykeyvaulttest' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."

[N.B.: Referred to "https://blogs.msdn.microsoft.com/appserviceteam/2016/05/24/deploying-azure-web-app-certificate-through-key-vault/" to implement the changes]

1 Answer

According to your error message, I guess you may not have enabled the 'Microsoft.Web' resource provider to directly access the Azure Key Vault.

So you will face the error that you do not have enough permission to access the key vault.

I suggest you follow the PowerShell code below to enable the permission.

Then you could set the certificate in the Azure web app.

Code like this:

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
# abfa0a7c-... is the Azure App Service (Microsoft.Web) service principal; it only needs 'get' on secrets
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

Then you could call this code to add the certificate:

ARMClient.exe PUT /subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/certificates/keyvaultcertificate?api-version=2016-03-01 "{'Location':'SouthCentralUS','Properties':{'KeyVaultId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.KeyVault/vaults/MyKeyVaultTest', 'KeyVaultSecretName':'mykeyvaulttestwebappPK', 'serverFarmId':'/subscriptions/*****-*****-*****-*****-**********/resourceGroups/XXX-YYY-ZZZ/providers/Microsoft.Web/serverfarms/MyKeyVaultTestWebAppServicePlan'}}"

Result: [screenshots of the successful ARMClient response, not reproduced]

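The thread turns on who the access policy is granted to: the question grants broad permissions to the asker's own application, while the answer grants only secrets/get to the App Service resource provider (application ID abfa0a7c-a6b6-4736-8310-5855508787cd). The script below is an added example, not code from the question or the answer. It performs the answer's grant using the same AzureRM cmdlets, then reads the vault's access policies back to confirm the provider's entry exists and holds nothing beyond the single permission the certificate deployment needs. $VaultName and $SubscriptionId are parameters you supply; the assumption that Get-AzureRmADServicePrincipal resolves the provider's object ID by its application ID is noted in the code.

```powershell
# Added example: grant the App Service (Microsoft.Web) resource provider
# read-only access to a Key Vault's secrets, then verify the resulting policy.
# Assumes the AzureRM module used throughout this thread.
param(
    [Parameter(Mandatory = $true)] [string] $VaultName,
    [Parameter(Mandatory = $true)] [string] $SubscriptionId
)

# Well-known App Service resource provider application ID (quoted in the answer above).
$AppServiceRpAppId = 'abfa0a7c-a6b6-4736-8310-5855508787cd'

Login-AzureRmAccount | Out-Null
Set-AzureRmContext -SubscriptionId $SubscriptionId | Out-Null

# Least privilege: the provider only needs to read the PKCS#12 secret.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
    -ServicePrincipalName $AppServiceRpAppId `
    -PermissionsToSecrets get

# Verify: read the vault back and locate the policy entry for the provider.
# Assumption: the provider's service principal in this tenant resolves by
# application ID via -ServicePrincipalName.
$vault = Get-AzureRmKeyVault -VaultName $VaultName
$rpSp = Get-AzureRmADServicePrincipal -ServicePrincipalName $AppServiceRpAppId
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $rpSp.Id }

if (-not $policy) {
    Write-Error "No access policy for App Service RP ($AppServiceRpAppId) on vault $VaultName"
    exit 1
}

# Flag anything beyond the single permission the deployment needs.
$extraSecrets = @($policy.PermissionsToSecrets | Where-Object { $_ -ne 'get' })
$extraKeys    = @($policy.PermissionsToKeys)
$extraCerts   = @($policy.PermissionsToCertificates)

if ($extraSecrets.Count -or $extraKeys.Count -or $extraCerts.Count) {
    Write-Warning ("App Service RP holds more than secrets/get on $VaultName`: " +
        "secrets=[$($policy.PermissionsToSecrets -join ',')] " +
        "keys=[$($policy.PermissionsToKeys -join ',')] " +
        "certs=[$($policy.PermissionsToCertificates -join ',')]")
} else {
    Write-Output "OK: App Service RP limited to secrets/get on $VaultName"
}
```

Run it as `.\Grant-AppServiceVaultAccess.ps1 -VaultName MyKeyVaultTest -SubscriptionId <id>` after signing in. The verification step is the part worth keeping around: the asker's follow-up grant of `all` on keys and secrets targeted their own application's principal, and a check that inspects the policy entry for the App Service principal specifically would have shown at once that no entry for it existed.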

2 Comments

I have tried, but still getting the same error...

PS C:\Windows\system32> $servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId 172f36fc-a098-47a1-9c83-04016d3e9781
PS C:\Windows\system32> Set-AzureRmKeyVaultAccessPolicy -VaultName MyKeyVaultTest -ObjectId $servicePrincipal.Id -PermissionsToKeys all -PermissionsToSecrets all
WARNING: The 'all' permission is being deprecated and does not include the 'purge' permission. 'Purge' permission must be explicitly set.
PS C:\Windows\system32> $ServicePrincipal.ApplicationId #Outputs the ServicePrincipalName/AppPrincipalId

Don't change my PS code; the ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd means the Azure Web App service. Please copy my code (just change the key vault name) and try again.
