Thank you for sharing the information. From above description and error I was able to reproduce the issue in my lab too. With reader role I was able to view certificate but was not able to Add it.
- However after digging through it seems like it was not Azure Key Vault but Azure App Services which don't go hand in hand with RBAC. As per: Authorize App Service to read from the vault:
By default, the App Service resource provider doesn't have access to your key vault. To use a key vault for a certificate deployment, you must authorize read access for the resource provider to the key vault. Currently, a Key Vault certificate supports only the Key Vault access policy, not RBAC model.
The above statement is in ref to Azure App services. Also as per Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control
To use RBAC, instead of assigning the newly created Azure App Service, you should assign Key Vault Secrets User role to global Microsoft Azure App service
Once followed I was able to import the cert to my App Service from Key Vault:
Do let me know if you have any further queries.
Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.