I have figured out an alternative which is a bit of a pain to manage but it achieves what I need.
Here are the steps I followed if anyone needs a rough guide:
- Register your Cloud Service (Extended Support) as an application in Entra. e.g. CloudService1
- Create a self-signed certificate on your local machine, export the .cer without the private key and upload it to the application you created in step 1
- Use the name of your application to assign permissions to the Azure services you require. For me this was the database (CREATE USER [CloudService1] FROM EXTERNAL PROVIDER) and the Key Vault through RBAC
- Navigate to, or create, a Key Vault to store the certificate for your Cloud Service. Import the .pfx with the private key.
- Next you need to link this to your Cloud Service. You do this through the ARM template, adding a section to osProfiles/secrets:
  {
    "sourceVault": {
      "id": "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.KeyVault/vaults/<VAULT_NAME>"
    },
    "vaultCertificates": [
      {
        "certificateUrl": "<SECRET_IDENTIFIER_OBTAINED_BY_CLICKING_ON_THE_SECRET_IN_THE_KEYVAULT>"
      }
    ]
  }
- After you have deployed with this ARM template addition, the certificate should show. If you have everything working, your Cloud Service should have access like any other Managed Identity application.
Would still be interested to know if it's in the pipeline though, as it would be easier to manage rather than doing all this for each Cloud Service.
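As an added example, not code from the post above: one way the role code inside the Cloud Service could then sign in as the Entra application with the certificate that the vaultCertificates entry installs into the LocalMachine\My store. It assumes the Azure.Identity, Azure.Security.KeyVault.Secrets and Microsoft.Data.SqlClient packages; the tenant id, client id, thumbprint and vault URL are placeholders.

```csharp
// Added example (not from the original post). Authenticates as the Entra app
// registered in step 1 using the certificate installed on the role instance.
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Data.SqlClient;

static class CloudServiceAuth
{
    const string TenantId   = "<TENANT_ID>";        // placeholder
    const string ClientId   = "<APP_CLIENT_ID>";    // app registered in step 1, placeholder
    const string Thumbprint = "<CERT_THUMBPRINT>";  // certificate from step 2, placeholder

    // Loads the certificate that the osProfile secrets section placed in LocalMachine\My.
    static X509Certificate2 LoadCertificate()
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false, because a self-signed certificate has no trusted chain
        // and would otherwise be filtered out of the result.
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException("Certificate not installed; check the osProfile secrets section.");
        return found[0];
    }

    static TokenCredential Credential() =>
        new ClientCertificateCredential(TenantId, ClientId, LoadCertificate());

    // Azure SQL: the token is presented as the connection's AccessToken, matching
    // the CREATE USER ... FROM EXTERNAL PROVIDER grant from step 3.
    static SqlConnection OpenSql(string server, string database)
    {
        var token = Credential().GetToken(
            new TokenRequestContext(new[] { "https://database.windows.net/.default" }), default);
        var conn = new SqlConnection($"Server={server};Database={database};Encrypt=True;");
        conn.AccessToken = token.Token;
        conn.Open();
        return conn;
    }

    // Key Vault: the same credential satisfies the RBAC role assigned in step 3.
    static string ReadSecret(string vaultUri, string name) =>
        new SecretClient(new Uri(vaultUri), Credential()).GetSecret(name).Value.Value;
}
```

If the Find call returns nothing after deployment, the certificate was not delivered to the instance, which is the first thing to check before looking at the Entra or SQL side.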