Hi I have a Azure API manager setup and want to add a custom domain. We have deployed Azure Key Vault and uploaded a certificate. We have deployed Key Vault with the recommended "role-based access control" We have given the APIM managed identity "Key Vault Reader" access with rbac. When we try to add the custom domain and certificate to APIM we get an error: "failed to access KeyVault Secret xxxxxxx using managed service identity ( http://aka.ms/apimmsi ) of Api Management service. Check if Managed Identity YYYYY and Object ID ZZZZZZZ has GET permissions on secrets in the KeyValuyt Access Policies. What does this error mean? We don't have Key vault access policys configured (not recommended) What RBAC role should I give the APIM managed identity to use the certificate? Thanks

Hi SKT, Try applying the following: Key Vault Secrets User Cited from https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#using-azure-rbac-secret-key-and-certificate-permissions-with-key-vault Another note is Key Vault Reader gives the following: Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material . Only works for key vaults that use the 'Azure role-based access control' permission model. If this is helpful please accept answer.

Azure Key Vault RBAC permissions required for APIM to retreive a cert?

Accepted answer

Dillon Silzer 57,586 Reputation points

2024-02-18T21:58:39.3933333+00:00
Hi SKT,

Try applying the following:

Key Vault Secrets User

Cited from https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#using-azure-rbac-secret-key-and-certificate-permissions-with-key-vault

Another note is Key Vault Reader gives the following:

Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.

If this is helpful please accept answer.
Please sign in to rate this answer.

1 person found this answer helpful.
Erik Jensen 10 Reputation points

2024-04-29T22:32:57.6466667+00:00

I have the proper RBAC role assigned and still get this same error message. I'm using the secret identifier from the "certificates" blade because in my case I was trying a generated self-signed certificate in a non-prod setting. the user assigned managed identity is in the RBAC configuration with both secrets user and certificate user. My keyvault is exposed via a private endpoint to the same subnet that APIM resides within and the private link zone of "privatelink.vaultcore.azure.net" does show an A record for my keyvault. Since the error message is related to RBAC and not DNS/network, my assumption is that my network-plumbing is correct. Is there any way to see deeper into the deployment? When I try to add the keyvault secret using the portal GUI by using a different custom domain it does allow me to drill down into the keyvault and see this certificate. It just says I can't assign it because the User Assigned ID doesn't have GET and LIST permission on the access policy. (due to using RBAC)

Jasper Post 6 Reputation points

2024-08-20T08:57:11.83+00:00

I am experiencing the same issue: The KeyVault RBAC model does not seem to work between an APIM with an User Assigned Identity and a Key Vault with RBAC enabled. It looks like the only solution is switching to the Access Policies to get it to work.

NNPP 20 Reputation points

2024-10-28T18:46:55.2066667+00:00

This might help someone else. I had already assigned RBAC role Key Vault Secrets User but I found, it must also have RBAC role Key Vault Certificate User this is the one documented in the KB - even though my APIM is supposed to be reading a secret not a certificate, it had to have this
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Key Vault RBAC permissions required for APIM to retreive a cert?

0 additional answers

Your answer