0

I am trying to use RBAC to sync an SSL certificate from an key vault into a web app. I have given the web app the Key Vault Certificate User role but I am still getting this error:

Failed to import Key Vault Certificate for example.org due to error: The service does not have access to '/subscriptions/xxx/resourcegroups/xxx-rg/providers/microsoft.keyvault/vaults/xxx-kv' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

The same web app has no issues accessing secrets from the same key vault using the Key Vault Secrets User role.

Improve this question

1 Answer 1

Reset to default
1

Azure being Azure, for certificates specifically, you need to also give the `Key Vault Certificate User` to the global App Service resource provider (same resource for everyone):

  1. Go to you key vault

  2. Open Access control (IAM)

  3. Click Add role assignment

  4. Find the role Key Vault Certificate User

  5. Select Assign access to User, group, or service principal

  6. Add member 551735cb-c10c-40a3-8266-5d4a93fd07ce or abfa0a7c-a6b6-4736-8310-5855508787cd

  7. Click Review + Assign

Or via Azure CLI:

az role assignment create \
  --role "Key Vault Certificate User" \
  --assignee "abfa0a7c-a6b6-4736-8310-5855508787cd" \
  --scope "/subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}"

Source: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli#authorize-app-service-to-read-from-the-vault

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.