What permission is needed exactly to allow an App Service to import a Certificate from Key Vault?

David 76 Reputation points
2022-11-23T15:13:54.72+00:00

I have a Bicep template where I create an App Service in which I need to link an SSL certificate that exists in Key Vault (both in the same resource group).

The Key Vault has Azure RBAC enabled.

I use the following Bicep template to link the SSL certificate from Key Vault to the App Service:

resource certEncryption 'Microsoft.Web/certificates@2018-02-01' = {
  name: '${resourcePrefix}-cert-encryption'
  location: location
  properties: {
    keyVaultId: resourceId('myResourceGroup', 'Microsoft.KeyVault/vaults', keyVaultName)
    keyVaultSecretName: '${resourcePrefix}-cert-encryption'
    serverFarmId: hostingPlan.id
    password: 'SecretPassword'
  }
  dependsOn: [
    webApi
  ]
}

But it fails with the following message:

The service does not have access to '/subscriptions/3449f-xxxx/resourcegroups/rgabptrialt/providers/microsoft.keyvault/vaults/my-test-vault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

This isn't really telling a lot...

What permission do I need to grant exactly? And to what? And where and how do I even grant these permissions?

Do I have to create a Managed Identity and link that in my App Service? And what Permissions/Roles do I need exactly?

Or do I need to do something else to make this work?

I couldn't really find any good info on how to do this.

What do I have to do exactly to make this work?


4 answers

  1. Tom Burgess 21 Reputation points
    2023-11-06T11:37:29.65+00:00

    agree, the documentation on this is appalling

    There is some documentation here https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex#import-a-certificate-from-key-vault

    However, where it suggests adding the service principal in the access policy, you actually need to add the object ID of that service principal when using Bicep. Your Key Vault also has to bypass AzureServices if you are blocking the public endpoint. The object ID you need is

    3e468937-40ee-4cfc-a8c9-63fa72476001
    

  2. Tom Burgess 21 Reputation points
    2023-11-06T11:37:44.4033333+00:00

    agree, the documentation on this is appalling


  3. Diego Pozzi 0 Reputation points
    2023-11-24T15:38:23.99+00:00

    "...In the end I managed to get it working by adding "Microsoft Azure App Service" to my Key Vault, assigning it a custom role that basically has all Key Vaults permissions that I could find..."

    I have the very same issue. Could you provide the exact list of permissions that are required for the custom role to be able to import the certificate from the vault to the Function?


  4. Rob 0 Reputation points
    2023-11-28T04:25:24.96+00:00

    Importing a certificate from Key Vault to your App Service requires the Get permission for Secrets and Certificates.

    If using a legacy Vault Access Policy, create a policy for the 'Microsoft Azure App Service' service principal (bfa0a7c-a6b6-4736-8310-5855508787cd).

    If using RBAC, grant access for the Managed Identity of the App Service using its Object ID.
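As an added example, not code from the question or any of the answers, the Get-only grant that answer 4 describes, written in Bicep for both vault models, followed by the certificate link from the question. It assumes `principalObjectId` is the tenant-specific object ID of the "Microsoft Azure App Service" principal that answers 1 and 4 name (answer 1 quotes the value that poster found), and it maps "Get on secrets and certificates" to the built-in Key Vault Secrets User and Key Vault Certificate User roles; both are assumptions to check against the current docs before deploying.

```bicep
param resourcePrefix string
param keyVaultName string
param hostingPlanId string
// Object ID of the "Microsoft Azure App Service" principal in your tenant (assumption; see answer 1).
param principalObjectId string
param useRbac bool = true // false -> vault still uses legacy access policies
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}
// Built-in data-plane read roles that amount to "Get" on secrets and certificates.
var roleDefinitionIds = [
  '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User
  'db79e9a7-68ee-4b58-9aeb-b90e7c24fcba' // Key Vault Certificate User
]
// RBAC path: read-only roles scoped to this one vault, bound to a service principal.
resource kvRoleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleId in roleDefinitionIds: if (useRbac) {
  name: guid(keyVault.id, principalObjectId, roleId)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalObjectId
    principalType: 'ServicePrincipal'
  }
}]
// Legacy path: an access policy that grants Get and nothing else.
resource kvAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = if (!useRbac) {
  parent: keyVault
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: principalObjectId
        permissions: { secrets: [ 'get' ], certificates: [ 'get' ] }
      }
    ]
  }
}
// The certificate link waits for whichever grant was created, so the import does not race it.
resource certEncryption 'Microsoft.Web/certificates@2022-03-01' = {
  name: '${resourcePrefix}-cert-encryption'
  location: resourceGroup().location
  properties: {
    keyVaultId: keyVault.id
    keyVaultSecretName: '${resourcePrefix}-cert-encryption'
    serverFarmId: hostingPlanId
  }
  dependsOn: [ kvRoleAssignments, kvAccessPolicy ]
}
```

If the vault firewall blocks the public endpoint, the import still fails until "Allow trusted Microsoft services to bypass this firewall" is enabled on the vault, as answer 1 notes.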