Permission issues with Web App connecting to Key Vault

Viktoria 10 Reputation points
2025-03-07T17:13:33.9833333+00:00

When deploying our web app, we knew that we wanted to import certificates into the web app from Key Vault. However, we have run into a lot of issues along the way and wanted to see if someone else has run into the same issues and has some feedback/helpful ways to move forward.

First things first:
Deployment method: Bicep with service principal
Permission Model Key Vault: Access Policy
Applications: Web App (Linux, App Service plan) & Key Vault

First time we tried to deploy, we got into the issue where our only error was:

The service does not have access to '/subscriptions/<our-subscription>/resourcegroups/<our-resource-group>/providers/microsoft.keyvault/vaults/<our-keyvault>' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

When looking online we stumbled onto another MS thread that had this exact issue (see issue here) and we switched from using the RBAC permission model to using Access Policy instead.
Even though we switched to access policy and assigned our managed identity to the KV, we still couldn't get it to work.
Then we tried assigning the 'Microsoft Azure App Service' role, which makes the workflow work. The only trouble we have with this is that we have to assign the role manually in the Azure portal and not by using Bicep.

Whenever we've tried to create an access policy using the ID for 'Microsoft Azure App Service' (abfa0a7c-a6b6-4736-8310-5855508787cd), we only get it to show up as "unknown" in the portal (which in turn results in us not being able to add the certificate to the web app from Key Vault).

Has anyone experienced the same issue or have a workaround for this?

Since this is a complicated workflow we want to make sure that we can document as much as possible in our code.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

2 answers

  1. Akhilesh Vallamkonda 15,345 Reputation points Moderator
    2025-03-12T21:29:24.0833333+00:00

    Hi @Viktoria

    Thank you for reaching Microsoft Q&A!
    Currently, Key Vault certificate supports only the Key Vault access policy, not RBAC model.

    May I know what Certificate permissions you have added in your vault access policy?
    Please refer to the Q&A post which covers the same issue, and to Troubleshooting Azure Key Vault access policy issues.

  2. Ben Nichols 16 Reputation points
    2025-12-19T09:15:22.84+00:00

    I think I've found the solution. When deploying via Bicep you need to specify the Object ID, not the Principal ID/Application ID.

    For me this was cb91c976-28cf-4f7c-9482-0d07aa95e17e, but I suspect this is unique per tenant, as the principal will be provisioned as an object within the tenant. I manually assigned it initially (via abfa0a7c-a6b6-4736-8310-5855508787cd) then looked up the object in Entra.

    This gave me the object ID. Then the IAM permissions were correctly assigned by Bicep.
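The following Bicep is an added example written for this thread; it is not code posted by the question author or either answerer. It puts the workflow described above into one template: an access policy entry for the "Microsoft Azure App Service" resource provider principal, keyed by its per-tenant object ID rather than the well-known application ID abfa0a7c-a6b6-4736-8310-5855508787cd, followed by an App Service certificate resource that imports the certificate from the vault. Parameter names (keyVaultName, certificateName, appServicePlanId, appServiceRpObjectId) are this example's own choices, and the object ID is assumed to be looked up outside Bicep, since Bicep cannot resolve an application ID to a service principal object in Entra.

```bicep
// Added example, not from the original thread. Assumes an existing Key Vault using the
// access-policy permission model, an existing App Service plan, and a certificate
// already present in the vault under the name given in certificateName.

@description('Name of the existing Key Vault (access-policy permission model).')
param keyVaultName string

@description('Name of the certificate object in Key Vault.')
param certificateName string

@description('Resource ID of the App Service plan the certificate will be bound to.')
param appServicePlanId string

// Object ID of the "Microsoft Azure App Service" service principal in THIS tenant.
// This is NOT the application ID abfa0a7c-a6b6-4736-8310-5855508787cd: passing the
// app ID produces the "unknown" policy entry seen in the question. Look it up once
// per tenant and pass it as a parameter:
//   az ad sp show --id abfa0a7c-a6b6-4736-8310-5855508787cd --query id -o tsv
@description('Object ID (not app ID) of the Microsoft Azure App Service service principal.')
param appServiceRpObjectId string

param location string = resourceGroup().location

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// The child resource named "add" merges these entries into the vault's existing
// policies instead of replacing them, so other principals' access is left untouched.
resource rpAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {
  parent: kv
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: appServiceRpObjectId
        permissions: {
          // Least privilege: the resource provider only reads the certificate and
          // the secret that carries its private key; no list/import/delete.
          certificates: [ 'get' ]
          secrets: [ 'get' ]
        }
      }
    ]
  }
}

// App Service certificate backed by the Key Vault certificate. The resource provider,
// not the web app's managed identity, performs this read, which is why the policy
// above is for the provider principal.
resource appCert 'Microsoft.Web/certificates@2023-12-01' = {
  name: certificateName
  location: location
  properties: {
    keyVaultId: kv.id
    keyVaultSecretName: certificateName
    serverFarmId: appServicePlanId
  }
  dependsOn: [ rpAccessPolicy ]
}

output certificateThumbprint string = appCert.properties.thumbprint
```

Deploy it with the object ID resolved at the command line, for example `az deployment group create -g <rg> -f main.bicep -p keyVaultName=<kv> certificateName=<cert> appServicePlanId=<plan-id> appServiceRpObjectId=$(az ad sp show --id abfa0a7c-a6b6-4736-8310-5855508787cd --query id -o tsv)`. To confirm the policy landed on the right principal rather than an "unknown" entry, run `az keyvault show -n <kv> --query "properties.accessPolicies[?objectId=='<object-id>'].permissions"` and check that it returns the `get` permissions above. Because the object ID differs per tenant, keep it in a per-environment parameter file rather than hard-coding it in the template.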
