App service import cert permission error

Anupam Kumar 0 Reputation points Microsoft Employee
2024-03-29T11:05:44.92+00:00

Hi

I am attempting to get certificates from Key Vault into an App Service. By default, it lists one certificate from the Key Vault, which contains multiple certs. I ran this command, which provides read permissions for certificates and secrets to Microsoft Azure App Service:
Set-AzKeyVaultAccessPolicy -VaultName '<keyvault>' -ObjectId <object id> -PermissionsToCertificates Get -PermissionsToSecrets Get

The object id is of the application mentioned in https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex#import-a-certificate-from-key-vault .

I am still unable to add the rest of the certs from the Key Vault; it throws the error:

Failed to import key vault certificate: Error: The service does not have access to Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

Could you help me understand which permission is needed for the service, and why it is able to read one cert out of many from the Key Vault on service creation?

Azure App Service

1 answer

  1. Andriy Bilous 11,821 Reputation points MVP Volunteer Moderator
    2024-03-29T22:01:36.1266667+00:00

    Hello Anupam Kumar

    By default, the App Service resource provider doesn't have access to your key vault. To use a key vault for a certificate deployment, you must authorize read access for the resource provider to the key vault.

    Currently, the Azure portal does not allow you to configure an App Service certificate in Key Vault to use the RBAC model. You can, however, use Azure CLI, Azure PowerShell, or an ARM template deployment to perform this configuration. For more information, see Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control.

    Resource provider: Microsoft Azure App Service or Microsoft.Azure.WebSites
    Service principal AppId: abfa0a7c-a6b6-4736-8310-5855508787cd (the same for all Azure subscriptions)
    Key vault secret permissions: Get
    Key vault certificate permissions: Get

    https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex#authorize-app-service-to-read-from-the-vault
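The following Az PowerShell script is an added example, not code from the question or the answer above. It puts the answer's guidance into a checkable form: the AppId abfa0a7c-a6b6-4736-8310-5855508787cd is global, but `Set-AzKeyVaultAccessPolicy -ObjectId` needs the tenant-specific object ID of that service principal, so the script resolves it first, then grants Get on secrets and certificates (or the equivalent RBAC roles if the vault uses the RBAC permission model), and finally reads the policy back. The vault name is a placeholder; the Az.Accounts, Az.KeyVault and Az.Resources modules and an existing Connect-AzAccount session are assumed.

```powershell
# Added example, not from the original post or answer.
# Assumes Az.Accounts, Az.KeyVault, Az.Resources and a Connect-AzAccount session.
$VaultName = '<keyvault>'                                   # placeholder
$AppServiceRpAppId = 'abfa0a7c-a6b6-4736-8310-5855508787cd'  # from the answer above

# 1. Resolve the service principal's OBJECT ID in this tenant. The AppId is the
#    same everywhere; the object ID is per tenant and is what the access policy needs.
$sp = Get-AzADServicePrincipal -ApplicationId $AppServiceRpAppId
if (-not $sp) { throw 'App Service resource provider service principal not found in this tenant' }
$objectId = $sp.Id

$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Key vault '$VaultName' not found in the current subscription" }

if ($vault.EnableRbacAuthorization) {
    # 2a. RBAC vault: access policies are ignored, so grant data-plane read via roles.
    #     The import reads the certificate's PFX payload, which Key Vault stores as a secret.
    foreach ($role in 'Key Vault Secrets User', 'Key Vault Certificate User') {
        $existing = Get-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $role -Scope $vault.ResourceId
        if (-not $existing) {
            New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $role -Scope $vault.ResourceId | Out-Null
        }
    }
}
else {
    # 2b. Access-policy vault: least privilege for an import is Get on secrets and certificates.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $objectId `
        -PermissionsToSecrets Get -PermissionsToCertificates Get
}

# 3. Verify what the App Service resource provider can now read from this vault.
$vault  = Get-AzKeyVault -VaultName $VaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $objectId }
[pscustomobject]@{
    ServicePrincipalObjectId = $objectId
    RbacEnabled              = [bool]$vault.EnableRbacAuthorization
    SecretPermissions        = ($policy.PermissionsToSecrets -join ',')
    CertificatePermissions   = ($policy.PermissionsToCertificates -join ',')
}
```

If the final object shows the RBAC flag set but the import still fails, the access policy shown is irrelevant and only the role assignments count; if the flag is clear and the permissions columns are empty, the object ID passed originally was not the App Service service principal's object ID in this tenant, which is the most common reason the original command appears to succeed while the import is still refused.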

