Problem using AZ cli to set Application Gateway Listener Certificate from Key Vault

Clive Crocker - Admin (CMC) 0 Reputation points
2024-03-05T21:58:04.6966667+00:00

I have a certificate in a key vault which I wish to use in the Azure Application Gateway.

I see this cannot be done via the GUI so have used the script in the MS article.

https://learn.microsoft.com/en-gb/azure/application-gateway/key-vault-certs?WT.mc_id=Portal-Microsoft_Azure_HybridNetworking#key-vault-azure-role-based-access-control-permission-model

But when I run the following I get the error below (My-... are substituted with the accurate names).

$secret = Get-AzKeyVaultSecret -VaultName "My-KeyVault" -Name "My-New-Certificate"

The error is:

Get-AzKeyVaultSecret: Operation returned an invalid status code 'Forbidden'

Code: Forbidden

Message: Client address is not authorized and caller is not a trusted service.

Client address: 10.0.0.12 from unknown subnet

This is from the Azure Portal CLI.

I have set the managed identity for the AG, and that identity has Key Vault Certificate User rights, although that's only likely to be appropriate for the renewal process.

The problem is my CLI (10.0.0.12, wherever that address comes from) is not in the list of approved addresses. I have public addresses to filter access but how do I grant access from within the portal CLI?

I'm looking to use PS with the AZ module on my local PC (which has public access network auth) but it's not really what I want...

Can you guide me on the best approach?

Thanks


2 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2024-03-06T00:24:02.5833333+00:00

    @Clive Crocker - Admin (CMC) ,

    In the Key Vault's Firewall you'll find Vnet-based rules and IP-based rules, and there are some limitations as you can see here: https://docs.microsoft.com/en-us/azure/key-vault/general/network-security#key-vault-firewall-enabled-private-link.

    IP-based rules don't support private IPs, and 10.x.x.x is within that private space. If you need to have that IP added to the Key Vault's firewall, you will need to add a Vnet-based rule for that Vnet in the Key Vault's Firewall.

    Let me know if this helps address your question.

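    As an added example (not code from the thread or from the Microsoft article), the Az PowerShell steps that follow from the answer above: inspect the vault's firewall, confirm that the address in the error is an RFC 1918 private address that an IP rule would reject, and add a VNet-based rule for a subnet you do control. The vault, resource group, VNet and subnet names are placeholders, and an existing Connect-AzAccount session plus the Az.KeyVault and Az.Network modules are assumed.

```powershell
# Added example: audit a Key Vault firewall and add a VNet-based rule.
# Placeholder names; replace with your own resources.
$VaultName  = 'My-KeyVault'
$VnetRg     = 'My-Network-RG'
$VnetName   = 'My-VNet'
$SubnetName = 'My-Subnet'

function Test-PrivateIPv4 {
    # RFC 1918 ranges (10/8, 172.16/12, 192.168/16). Key Vault IP rules
    # only accept public addresses, so these can never be allowed by IP.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# 1. Show the current firewall state of the vault.
$acl = (Get-AzKeyVault -VaultName $VaultName).NetworkAcls
"DefaultAction : $($acl.DefaultAction)   Bypass: $($acl.Bypass)"
"IP rules      : $($acl.IpAddressRanges -join ', ')"
"VNet rules    : $($acl.VirtualNetworkResourceIds -join ', ')"

# 2. The client address reported in the Forbidden error is private,
#    so an IP rule is the wrong tool; a VNet rule is needed instead.
$clientAddress = '10.0.0.12'   # value quoted in the error message
if (Test-PrivateIPv4 $clientAddress) {
    "$clientAddress is RFC 1918: add a VNet rule, not an IP rule"
}

# 3. A VNet rule only takes effect if the subnet has the Microsoft.KeyVault
#    service endpoint enabled; check before adding the rule.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $VnetRg -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
if (@($subnet.ServiceEndpoints.Service) -notcontains 'Microsoft.KeyVault') {
    throw "Subnet $SubnetName lacks the Microsoft.KeyVault service endpoint"
}

# 4. Add the VNet rule; DefaultAction stays Deny for every other source.
Add-AzKeyVaultNetworkRule -VaultName $VaultName -VirtualNetworkResourceId $subnet.Id
```

    Note that Cloud Shell runs in a Microsoft-managed network rather than in one of your VNets, so this only helps for a subnet you own (for example, a jump host or a self-hosted runner placed in your VNet).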

  2. Clive Crocker 66 Reputation points
    2024-03-07T11:26:44.3966667+00:00

    Hi Marilee

    Thanks for your response.

    The problem is that although I have a VN in the environment which I could connect, I don't have (or see one) the Azure CLI network (10.0.0.x), so adding a Vnet-based rule doesn't seem appropriate (considering I don't have that Vnet). Am I missing something here?

