Cannot import Key Vault certificate to App Service

James Gurung 41 Reputation points
2023-08-06T14:30:05.85+00:00

On the Azure portal, when I try to import a Key Vault certificate to App Service, I get the error:

Failed to import Key Vault Certificate for XXX due to error: The service does not have access to '/subscriptions/XXX/resourcegroups/XXX/providers/microsoft.keyvault/vaults/XXX' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

My Key Vault uses access policies rather than RBAC.

Based on these docs, I have added the required access policy for Microsoft.Azure.WebSites. However, I am unable to add a policy for Microsoft.Azure.CertificateRegistration because no principal by that name can be found.

Tags: Azure Key Vault, Azure, Azure App Service

Accepted answer
Brian Zarb 1,685 Reputation points
    2023-08-06T14:43:07.68+00:00

    Microsoft.Azure.CertificateRegistration is a service principal (SP) used by App Service to pull certificates from Key Vault.

    I'm assuming you added the access policies, but in any case here is how to do it:
    Go to the Azure Portal.

    • Navigate to your Key Vault.
    • Under 'Settings', select 'Access policies'.
    • Click '+ Add Access Policy'.
    • Configure from template: select the appropriate permission model based on your use case, e.g., Secret Management.
    • Under 'Select principal', search for Microsoft.Azure.WebSites and select it.
    • Click 'Add' and then 'Save' to apply the changes.

    If that still doesn't work, from past experience it typically boils down to 4 possible scenarios:

    1. You might not need this principal if you're trying to import a certificate to an Azure App Service. The Microsoft.Azure.WebSites permission should be sufficient.
    2. Check your identity:
       - Ensure that your Azure App Service has a system-assigned managed identity enabled. This identity is what will be used to authenticate against the Key Vault.
       - Go to your Azure App Service in the portal.
       - Under 'Settings', select 'Identity'.
       - Ensure 'System assigned' is set to 'On'.
    3. Troubleshoot your network:
       - Check if your Key Vault is configured with Virtual Network Service Endpoints or Private Endpoints.
       - If so, ensure that your App Service can access the Key Vault over the network.
        

    All of the above assumes that no dependencies are interfering; there might be intermediary resources or dependencies that need access to the Key Vault as well. Ensure all dependencies that might be trying to fetch the certificate have the appropriate access.

    Hopefully, this resolves your issue. Let me know!

    1 person found this answer helpful.
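The portal steps in the accepted answer, done with the Azure CLI instead. This is an added example, not code from the poster, the answerer or Microsoft. It assumes `az login` has already been run by someone who can edit the vault's access policies, and `VAULT_NAME` is a placeholder for your vault. The two application IDs are the well-known first-party appIds published in the App Service TLS documentation; they are the same in every tenant, so a lookup by appId works where the portal's search by display name comes back empty, and `az ad sp create --id` instantiates the enterprise app in a tenant that does not have it yet (the usual cause of "no principal by that name can be found"). The script grants only `get` on secrets and certificates, which is all a Key Vault certificate import needs; the portal's "Secret Management" template would also hand out list/set/delete/recover/purge. It grants Microsoft.Azure.WebSites, because that is the principal that reads Key Vault certificates into a web app; Microsoft.Azure.CertificateRegistration is only involved for App Service Certificates bought through Azure, so it is kept as a constant but not granted by default.

```shell
#!/bin/sh
# Added example (not from the original post or the Azure docs): grant the
# App Service first-party principal read access to a Key Vault that uses the
# access-policy permission model, with the Azure CLI.
# Assumes: `az login` already done with rights to edit the vault's access
# policies; VAULT_NAME is a placeholder for your vault name.
set -eu

# Well-known application (client) IDs of Microsoft's first-party apps, as
# listed in the App Service TLS documentation. Identical in every tenant,
# so a lookup by appId works even when a display-name search finds nothing.
WEBSITES_APP_ID="abfa0a7c-a6b6-4736-8310-5855508787cd"   # Microsoft.Azure.WebSites
CERTREG_APP_ID="f3c21649-0979-4721-ac85-b0216b2cf413"    # Microsoft.Azure.CertificateRegistration

# Print the object id of the service principal for a first-party appId in
# this tenant, or nothing if that principal does not exist here yet.
find_sp_object_id() {
  az ad sp list --filter "appId eq '$1'" --query "[0].id" -o tsv
}

# Make sure the first-party app has a service principal in this tenant.
# "No principal by that name can be found" in the portal usually means the
# enterprise app was never instantiated here; `az ad sp create --id` does that.
ensure_sp() {
  app_id="$1"
  oid="$(find_sp_object_id "$app_id")"
  if [ -z "$oid" ]; then
    az ad sp create --id "$app_id" --output none
    oid="$(find_sp_object_id "$app_id")"
  fi
  printf '%s\n' "$oid"
}

# Least privilege: importing a Key Vault certificate into App Service needs
# only `get` on secrets and certificates. The portal's "Secret Management"
# template would also grant list/set/delete/recover/purge, which the import
# never uses.
grant_read_policy() {
  vault="$1"
  app_id="$2"
  az keyvault set-policy \
    --name "$vault" \
    --spn "$app_id" \
    --secret-permissions get \
    --certificate-permissions get \
    --output none
}

# If the vault has a firewall (service endpoints or a private endpoint), the
# App Service platform is not inside your VNet; it reaches the vault as a
# "trusted Microsoft service", which the vault must be configured to allow.
allow_trusted_services() {
  az keyvault update --name "$1" --bypass AzureServices --output none
}

# Usage: VAULT_NAME=my-vault sh grant-appservice-kv-access.sh
if [ -n "${VAULT_NAME:-}" ]; then
  # Key Vault certificates imported into a web app are read by
  # Microsoft.Azure.WebSites. Microsoft.Azure.CertificateRegistration is only
  # needed for App Service Certificates (the ones purchased through Azure).
  ensure_sp "$WEBSITES_APP_ID" >/dev/null
  grant_read_policy "$VAULT_NAME" "$WEBSITES_APP_ID"
  allow_trusted_services "$VAULT_NAME"
  echo "Granted get on secrets/certificates in $VAULT_NAME to Microsoft.Azure.WebSites"
fi
```

Run `allow_trusted_services` only if the vault actually has a firewall enabled; on a vault open to all networks it is a no-op in effect but still widens the bypass setting. If the vault uses the Azure RBAC permission model instead of access policies, the equivalent of `grant_read_policy` is a role assignment of `Key Vault Secrets User` to the same Microsoft.Azure.WebSites principal on the vault.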
