Azure Key Vault RBAC permissions required for APIM to retrieve a cert?

SKT 141 Reputation points
2024-02-18T20:52:19+00:00

Hi, I have an Azure API Management setup and want to add a custom domain. We have deployed Azure Key Vault and uploaded a certificate. We deployed Key Vault with the recommended "role-based access control" permission model and have given the APIM managed identity "Key Vault Reader" access via RBAC.

When we try to add the custom domain and certificate to APIM we get an error:

"failed to access KeyVault Secret xxxxxxx using managed service identity (http://aka.ms/apimmsi) of Api Management service. Check if Managed Identity YYYYY and Object ID ZZZZZZZ has GET permissions on secrets in the KeyVault Access Policies."

What does this error mean? We don't have Key Vault access policies configured (not recommended). What RBAC role should I give the APIM managed identity to use the certificate? Thanks

Tags: Azure Key Vault, Azure Role-based access control

Accepted answer

Dillon Silzer 54,746 Reputation points
2024-02-18T21:58:39+00:00

Hi SKT,

Try applying the following:

• Key Vault Secrets User

Cited from https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#using-azure-rbac-secret-key-and-certificate-permissions-with-key-vault

Another note is Key Vault Reader gives the following:

• Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.

If this is helpful please accept answer.

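The fix described in the accepted answer, written out as an Azure CLI script. This is an added example, not code from the original thread, the answerer, or Microsoft. The error text in the question says APIM tried to read a "KeyVault Secret": APIM fetches a certificate (with its private key) through the vault's secrets endpoint, which is why the metadata-only "Key Vault Reader" role is not enough and "Key Vault Secrets User" is the role to assign. The resource group, APIM instance, vault and certificate names are placeholders (assumptions); the script confirms the vault uses the RBAC permission model, looks up the APIM system-assigned identity's object ID (the "Object ID" in the error), assigns the role at the narrowest scope Key Vault RBAC supports (a single secret, `<vault id>/secrets/<name>`; use `<vault id>` instead if you prefer the whole vault), and then lists what the identity actually holds at that scope. Nothing touches Azure unless `RUN_AZ=1` is set, so the helpers can be sourced and inspected first.

```shell
#!/usr/bin/env bash
# Added example (not from the original Q&A): grant an APIM system-assigned managed
# identity read access to a certificate's secret in an RBAC-enabled Key Vault and
# verify the assignment. All resource names below are placeholders (assumptions).
set -euo pipefail

RG="${RG:-rg-apim-demo}"        # assumed resource group
APIM="${APIM:-apim-demo}"       # assumed API Management instance
KV="${KV:-kv-apim-demo}"        # assumed Key Vault name
CERT_NAME="${CERT_NAME:-apim-custom-domain}"   # assumed certificate (and secret) name
ROLE="Key Vault Secrets User"   # built-in role: reads secret values (cert + private key)

# Role assignments only take effect when the vault uses the RBAC permission model;
# with the legacy model only access policies are consulted.
require_rbac_vault() {
  local enabled
  enabled=$(az keyvault show --name "$KV" --resource-group "$RG" \
              --query "properties.enableRbacAuthorization" -o tsv)
  [ "$enabled" = "true" ] || { echo "vault $KV is not RBAC-enabled" >&2; return 1; }
}

# Object (principal) ID of APIM's system-assigned identity; this is the value the
# APIM error message calls "Object ID".
apim_principal_id() {
  az apim show --name "$APIM" --resource-group "$RG" --query "identity.principalId" -o tsv
}

vault_id() {
  az keyvault show --name "$KV" --resource-group "$RG" --query "id" -o tsv
}

# Narrowest useful scope: one secret in the vault. APIM reads the certificate through
# the secrets endpoint under the certificate's own name.
secret_scope() {   # $1 = vault resource ID, $2 = certificate/secret name
  printf '%s/secrets/%s\n' "$1" "$2"
}

grant_secrets_user() {   # $1 = principal ID, $2 = scope
  az role assignment create \
    --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE" \
    --scope "$2" -o none
}

# Count matching assignments the identity holds at that scope, inherited ones included.
verify_assignment() {   # $1 = principal ID, $2 = scope
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
    --query "[?roleDefinitionName=='$ROLE'] | length(@)" -o tsv
}

# Guarded so the file can be sourced for its helpers without calling Azure.
if [ "${RUN_AZ:-0}" = "1" ]; then
  require_rbac_vault
  pid=$(apim_principal_id)
  scope=$(secret_scope "$(vault_id)" "$CERT_NAME")
  grant_secrets_user "$pid" "$scope"
  # RBAC propagation can take a few minutes; retry the custom-domain save in APIM after that.
  [ "$(verify_assignment "$pid" "$scope")" -ge 1 ] && echo "OK: '$ROLE' granted at $scope"
fi
```

Run it as `RUN_AZ=1 RG=... APIM=... KV=... CERT_NAME=... ./grant-apim-kv.sh` after `az login`. `--assignee-principal-type ServicePrincipal` is worth keeping: a managed identity is a service principal, and passing the type lets the assignment be created without waiting for directory replication of a freshly created identity.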