Web App add key vault certificate access error while identity has Key Vault Secrets User permission

Eric Fitskie 96

I have an Azure App Service with custom domain. The certificate for this custom domain is stored in Key Vault.

The web app has set it's identity on and has "Key Vault Secrets User" permission on the key vault. This key vault access configuration is set to "Azure role-based access control (recommended)"

When adding the certificate to the Web App I'm able to select te key vault and certificate. Also the Validate action succeed.

When I click the Add button i got an access error: "The service does not have access to '

AirGordon 7,125 Reputation points

2023-09-08T13:39:45.3666667+00:00
After applying RBAC it can take a minute or so for the access to propagate. Are you using a System Managed Id or User Assigned Managed Id? There is an additional property to set if you're using User Assigned in order to tell App Service which Identity to use for Key Vault access.

Configure the app to use this identity for key vault reference operations by setting the keyVaultReferenceIdentity property to the resource ID of the user-assigned identity;

identityResourceId=$(az identity show --resource-group <group-name> --name <identity-name> --query id -o tsv) az webapp update --resource-group <group-name> --name <app-name> --set keyVaultReferenceIdentity=${identityResourceId}

Additionally, can you ensure that there is network connectivity to the Key Vault? Specifically the "Grant Access to Trusted Azure Services" setting. https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints#grant-access-to-trusted-azure-services
Eric Fitskie 96 Reputation points

2023-09-08T14:42:48.8766667+00:00

I've retried adding the Key Vault certificate in the web app after 2 days, but still have the same error.

I'm using the system assigned managed identity.

I've not set the "Grant Access to Trusted Azure Services" on my Key Vault. Is this also needed when the System Assigned Managed Identity has already the "Key Vault Secrets User" role assigned in the Key Vault resource?
AirGordon 7,125 Reputation points

2023-09-10T11:52:58.6033333+00:00

Managed Identity is about authentication (RBAC) not anything else, you'll still need to allow services to be able to have Network Access to the KeyVault.
Eric Fitskie 96 Reputation points

2023-09-11T05:52:54.4566667+00:00

My Key Vault is set to "Allow public access from all networks". When that option is selected, there is no "Allow trusted Microsoft services to bypass this firewall" option.

I see this option only when selecting the "Allow public access from specific virtual networks and IP addresses" or "Disable public access" option.

Do I need to select the "Allow trusted Microsoft services to bypass this firewall" when "Allow public access from all networks" is selected? And how should I do that?
Akshay-MSFT 17,876 Reputation points Microsoft Employee

2023-09-11T07:16:46.68+00:00

@Eric Fitskie

Could you please share screenshot of the complete error message you got?

Thanks,

Akshay Kaushik
Eric Fitskie 96 Reputation points

2023-09-12T08:04:40.8666667+00:00

@Akshay-MSFT This is the screenshot when trying to add an certificate from key vault to my web app certificates
Akshay-MSFT 17,876 Reputation points Microsoft Employee

2023-09-14T06:35:54.91+00:00

@Eric Fitskie

Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Accepted answer

Akshay-MSFT 17,876 Reputation points Microsoft Employee

2023-09-13T09:20:18.9533333+00:00
@Eric Fitskie

Thank you for sharing the information. From above description and error I was able to reproduce the issue in my lab too. With reader role I was able to view certificate but was not able to Add it.

However after digging through it seems like it was not Azure Key Vault but Azure App Services which don't go hand in hand with RBAC. As per: Authorize App Service to read from the vault:

By default, the App Service resource provider doesn't have access to your key vault. To use a key vault for a certificate deployment, you must authorize read access for the resource provider to the key vault. Currently, a Key Vault certificate supports only the Key Vault access policy, not RBAC model.

The above statement is in ref to Azure App services. Also as per Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control

Solution:

To use RBAC, instead of assigning the newly created Azure App Service, you should assign Key Vault Secrets User role to global Microsoft Azure App service

Once followed I was able to import the cert to my App Service from Key Vault:

Do let me know if you have any further queries.

Thanks,

Akshay Kaushik,

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
Please sign in to rate this answer.

5 people found this answer helpful.
Eric Fitskie 96 Reputation points

2023-09-15T07:28:46.9233333+00:00

Thank you for your response.

This solves my issue.

Thiago Marcolino 0 Reputation points

2024-05-07T15:52:20.4466667+00:00

Thanks!! It worked!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Web App add key vault certificate access error while identity has Key Vault Secrets User permission

Solution:

0 additional answers

Your answer