This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 70%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EED%3C/text%3E%3C/svg%3E)
Hello all,
I have a secret in Kv, and trying to get it to Api management as a certificate,
The managed identity is already in place, but when I deploy (bicep template) I get an error message:
"details": [
{
"code": "ValidationError",
"message": "The specified password is incorrect."
}
]
any idea why I'm getting this? or maybe where the password must be placed.
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 59%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Hi @Es.Dev Just a follow up to my previous comment and see if you can share the requested info. That would help in assisting you better
Thanks for reaching out!
Is the Managed Identity added to the Access Policy of the Key Vault with (at least) 'Get' rights for certificates?
If this is the case, please share your Bicep template for further investigation.
Thanks for the response.
i have a keyvault that contains a application/x-pkcs12 secret.
Apim using managed identity to access the Keyvault, with Kv secrets user role assignment,
to fetch the secret I'm using the following:
resource apiManagement 'Microsoft.ApiManagement/service@2022-04-01-preview' = {
name: apimName
location: Location
sku: {
name: apimSku
capacity: 0
}
properties: {
publisherEmail: 'User@email.com'
publisherName: 'user'
}
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${managedIdentityId}':{}
}
}
}
resource ApimCert 'Microsoft.ApiManagement/service/certificates@2021-08-01' = {
parent: apiManagement
name: 'Apim-Certificate'
properties:{
keyVault: {
secretIdentifier: '${kvSecretUri}/a27f1aae17fd46b98ee47ab110c18414'
identityClientId: 'ae77399e-8727-4f60-b1f9-1d87c2147e76'
}
}
}
Thanks for sharing!
I see you're using a User Assigned Managed Identity, to which you provided 'Get' rights for secrets? Just to make sure we're not confusing terms here: did you also provide 'Get' rights for "Certificates" as well?
A secret is different from a certificate, so I just want to confirm this.
Also I'd like to confirm if you are certain that the value provided in the 'identityClientId' is the ClientId of the User Assigned Managed Idenity, and not the ObjectId.
One other thing I'm thinking about right now: have you allowed ARM template deployment access to the Key Vault using the access configuration?
i cannot give custom access policies,
I'm using Rbac for this.
Dove a bit deeper. In terms of rights it seems like you've set up everything correctly, however when looking at the documentation of Bicep it indeed looks like the password is not submitted. Below you'll find the sample code showing where the password of your certificate should be placed:
resource symbolicname 'Microsoft.ApiManagement/service/certificates@2021-12-01-preview' = {
name: 'string'
parent: resourceSymbolicName
properties: {
data: 'string'
keyVault: {
identityClientId: 'string'
secretIdentifier: 'string'
}
password: 'string'
}
}
You can find more information in the article below:
Please let me know if this was the solution :-)
Hi @Es.Dev , did the solution provided above work for you? Please let me know if I can assist you further. When this answered your query please accept the answer.