Share via

What permission is needed exactly to allow an App Service to import a Certificate from Key Vault?

David 81 Reputation points
Nov 23, 2022, 3:13 PM

I have a Bicep template where I create an App Service in which I need to link a SSL certificate that exists in Key Vault (both in same resource group).

The Key Vault has Azure RBAC enabled.

I use the following to Bicep template to link the SSL certificate from Key Vault to the App Service: 

resource certEncryption 'Microsoft.Web/certificates@2018-02-01' = {  
  name: '${resourcePrefix}-cert-encryption'  
  location: location  
  properties: {  
    keyVaultId: resourceId('myResourceGroup', 'Microsoft.KeyVault/vaults', keyVaultName)  
    keyVaultSecretName: '${resourcePrefix}-cert-encryption'  
    serverFarmId: hostingPlan.id  
    password: 'SecretPassword'  
  }  
  dependsOn: [  
    webApi  
  ]  
}

But it fails with the following message:

The service does not have access to '/subscriptions/3449f-xxxx/resourcegroups/rgabptrialt/providers/microsoft.keyvault/vaults/my-test-vault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

This isn't really telling a lot...

What permission do I need to grant exactly? And to what? And where and how do I even grant these permissions?

Do I have to create a Managed Identity and link that in my App Service? And what Permissions/Roles do I need exactly?

Or do I need to do something else to make this work?

I couldn't really find any good info on how to do this.

What do I have to do exactly to make this work?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,443 questions

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Tom Burgess 26 Reputation points
    Nov 6, 2023, 11:37 AM

    agree, the documentation on this is appalling

    There is some documentation here https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex#import-a-certificate-from-key-vault

    However you suggest adding the service principal in the access policy, you actually need to add the object ID of that service principal when using Bicep. Your Key Vault also has to bypass AzureServices if you are blocking the public endpoint. The object ID you need is 

    3e468937-40ee-4cfc-a8c9-63fa72476001
    1 person found this answer helpful.
    0 comments
  2. Tom Burgess 26 Reputation points
    Nov 6, 2023, 11:37 AM

    agree, the documentation on this is appalling

    0 comments
  3. Diego Pozzi 0 Reputation points
    Nov 24, 2023, 3:38 PM

    "...In the end I managed to get it working by adding "Microsoft Azure App Service" to my Key Vault, assigning it a custom role that basically has all Key Vaults permissions that I could find..."

    I have the very same issue, could you provide the exact list of permissions are required for the custom role to be able to import the certificate from the vault to the Function?

    0 comments
  4. Rob 0 Reputation points
    Nov 28, 2023, 4:25 AM

    Importing a certificate from Key Vault to your App Service requires the Get permission for Secrets and Certificates.

    If using legacy Vault Access Policy, create a policy for 'Microsoft Azure App Service' service principal (bfa0a7c-a6b6-4736-8310-5855508787cd)

    If using RBAC, grant access for the Managed Identity of the App Service using Object Id.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.