RBAC KeyVault Certificate Reader granted to Web App but still has no access to KV SSL Certs

Question

RBAC KeyVault Certificate Reader granted to Web App but still has no access to KV SSL Certs

Richard Freytag 106

I've granted my Web App RBAC roles: Key Vault Certificate Reader, Key Vault Secret Reader, and Key Vault Certificate Officer (just for debugging). I have configured the Key Vault firewall to let any of my managed services access. My certificates all work if I load them directly into my Web App. Every SSL certificate validates. But none of them can be added. I get the error ...

"The service does not have access to '/subscriptions/<GUID>/resourcegroups/<RESOURCE GROUP NAME>/providers/micxrosoft.keyvault/vaults/<NAME OF KEY VAULT>' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."

I've looked at the docs and of course CoPilot and ChatGPT and I seem to have done the necessaries. What am I missing please?

VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator

2025-10-31T00:20:10.8366667+00:00
Hello Richard Freytag,

Thank you for reaching out. Based on the error and your configuration, the issue occurs because App Service SSL certificate import from Key Vault requires specific permissions that differ from the RBAC roles you assigned.

Go to the Azure Portal.

Navigate to your Key Vault.

Under 'Settings', select 'Access policies'. Click '+ Add Access Policy'. Configure from template: select the appropriate permission model based on your use case, e.g., Secret Management. Under 'Select principal', search for Microsoft.Azure.WebSites and select it. Click 'Add' and then 'Save' to apply the changes.

If that still doesn't work, please follow the below :

You might not need this principal if you're trying to import a certificate to an Azure App Service. The Microsoft.Azure.WebSites permission should be sufficient.

Check your Identity:

Ensure that your Azure App Service has a system-assigned managed identity enabled. This identity is what will be used to authenticate against the Key Vault.

Troubleshoot your network Check If your Key Vault is configured with Virtual Network Service Endpoints or Private Endpoints

For your reference:

Install a TLS/SSL Certificate for Your App - Azure App Service | Microsoft Learn

Please let me know If you need any additional information or further assistance on this.
VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator

2025-11-03T02:15:14.97+00:00

Hello Richard Freytag ,

Just checking in to see if the steps helped resolve the issue. Were you able to add the access policy for Microsoft.Azure.WebSites, enable the managed identity on your App Service, and confirm the Key Vault networking settings?

If you’re still facing the same error, let me know
Richard Freytag 106 Reputation points

2025-11-03T17:32:24.45+00:00

Hi Vemula Srisai,

Thank you for your initial message and follow-up.

I am using RBAC through Access Control (IAM). Lots of docs and online advice relate only to 'Access Policies' which I don't think apply once I'm using IAM plus RBAC.

I am assigning Key Vault Secrets User to the Web App Service's managed identity. That means the Web App Service should have the proper role to access the Key Vault.

Also I -am- testing this with the key vault open to the Internet (switched off after testing!). So I don't think the network is the problem. The Key Vault firewall is set to 'Allow trusted Microsoft services to bypass this firewall.'
Richard Freytag 106 Reputation points

2025-11-03T17:49:56.0966667+00:00

I should add that it is possible to 'Validate' the SSL certificate from the Web App Service. It's 'Add'-ing the certificate from the Key Vault that fails. I am attempting to add Let's Encrypt RSA256 (2048 & 4096 bit), ECDSA P-256, and ECDSA P-384 certificates; all fail at the 'Add' attempt.

All of the above cert types work when uploaded directly into the Web App Service instead of from Key Vault.

In the past I encountered this trying to apply the ECDSA certs to Front Door. Apparently only RSA certs are supported on Front Door.

Any further thoughts and advice welcome!
VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator

2025-11-05T02:19:43.68+00:00

Richard Freytag Can you try assigning Key Vault Certificate User to your App Service managed identity and confirm if RSA certificates can now be added?
Richard Freytag 106 Reputation points

2025-11-05T17:08:01.3533333+00:00
Hi Vemula,

I have:

opened my KeyVault IAM interface,

selected "add role"

highlighted 'Key Vault Certificate User' and clicked NEXT

clicked 'managed identity'

selected the identity of my Web App Service

applied the result and checked the assigned roles on the Key Vault and see that my Web App Service has been granted 'Key Vault Certificate User'.

On the Web App Service I then attempt to 'manually' add my SSL Certificate *.pfx from the Key Vault and get all the way past SSL Certificate Validation ...

Fails to 'Add' the SSL Certificate from the Key Vault with the error ...

The service does not have access to '/subscriptions/<GUID>/resourcegroups/<my resource group name>/providers/microsoft.keyvault/vaults/<my key vault name>' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

No change from my previous cases.

I think it is time to escalate this to a Team chat please.

Thank you,

Richard Freytag
VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator

2025-11-06T05:30:00.19+00:00

Richard Freytag Thank you for the detailed update and for confirming the steps you’ve taken. Since the Web App Service already has the Key Vault Certificate User role assigned but the error still persists,

For further assistance Please share the requested details in private message.
Sina Salam 26,661 Reputation points Volunteer Moderator

2025-11-06T10:25:33.4066667+00:00

Hello Richard Freytag,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having issue with RBAC KeyVault Certificate Reader granted to Web App but still has no access to KV SSL Certs.

Having read through all you have done, importing a Key Vault certificate into App Service is done by the App Service resource provider (the Microsoft.Azure.WebSites service principal), not by the Web App’s managed identity, so you must grant the service principal the proper Key Vault data-plane permission (or give the App Service resource provider an access policy). Also: ECDSA (ECC) certificates cannot be imported from Key Vault into App Service (you must upload a PFX manually) though, it may work in some circumstances.

Therefore, you will need to confirm Key Vault mode (RBAC vs Access Policies) you don't need both. Run the az keyvault show check. - https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy and after then, grant the App Service resource provider the correct Key Vault access (RBAC role or access policy) at the vault scope, not just to the web app managed identity. Use abfa0a7c-a6b6-4736-8310-5855508787cd as the principal to target in your assignment. - https://stackoverflow.com/questions/56498178/missing-microsoft-azure-websites-service-principal and if certificate is ECDSA P-384 or P-521, import will fail, you will either obtain RSA or P-256 or upload PFX directly to App Service. - https://learn.microsoft.com/en-us/azure/container-apps/key-vault-certificates-manage Finally, check networking on the Key Vault and make sure you allow trusted Microsoft services or configure private connectivity. - https://learn.microsoft.com/en-us/azure/data-factory/data-access-strategies

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
Richard Freytag 106 Reputation points

2025-11-07T16:57:10.9233333+00:00
Hi Sina Salam and Vemula Srisai,

BTW, for my AI advisor I use ChatGPT because CoPilot is not yet answering questions with the specificity required.

My understanding is the 'managed identities' are the preferred way to assign roles in IAM RBAC to resources. ChatGPT advises...

QUOTE
When you should use a Managed Identity

The resource (e.g., App Service, Function, VM) runs inside Azure.

It needs to access another Azure resource (like Key Vault, Storage, SQL, etc.).

You want no credentials in code — Azure handles tokens automatically.

Both provider and subscriber resources are within the same Azure Tenant.
ENDQUOTE

That specifically describes my case so I am using managed identities (please see first attached screenshot).

Also, please note that I am definitely trying to import RSA256 (2048-bit) SSL Certs. They work when uploaded directly from my filesystem into my Web App. The RSA256 (2048-bit) SSL Cert does NOT load from my Key Vault.

The second screenshot shows that my Web App HAS both the Key Vault Certificates User and Key Vault Secrets User (just in case, will prune later once this is sorted). (See attached 2nd screenshot)

Assuming you are correct and I am misunderstanding you, what in the above recounting am I misunderstanding please?

Thanks,

Richard Freytag
VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator

2025-11-10T01:41:10.14+00:00

Thank you for the detailed update it seems the issue may be with how the certificate is stored or the Key Vault permissions.
Richard Freytag 106 Reputation points

2025-11-10T14:02:05.6333333+00:00

I am able to import the Key Vault SSL Certificates onto my Front Door but not onto my Web App Service. Correct and identical RBAC permissions have be used in both cases. Storage is identical.

????
Sina Salam 26,661 Reputation points Volunteer Moderator

2025-11-10T16:08:00.7133333+00:00

@VEMULA SRISAI Why do you convert answers to comment, if you're new go and learn how to. Answers can be more than two or ten in some cases. If he is your customer then lock the page. Be careful, and I don't think you can answer everyone.

2 answers

Your answer

VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator

2025-10-31T00:20:10.8366667+00:00

Hello Richard Freytag,

Thank you for reaching out. Based on the error and your configuration, the issue occurs because App Service SSL certificate import from Key Vault requires specific permissions that differ from the RBAC roles you assigned.

Go to the Azure Portal.

Navigate to your Key Vault.

Under 'Settings', select 'Access policies'. Click '+ Add Access Policy'. Configure from template: select the appropriate permission model based on your use case, e.g., Secret Management. Under 'Select principal', search for Microsoft.Azure.WebSites and select it. Click 'Add' and then 'Save' to apply the changes.

If that still doesn't work, please follow the below :

You might not need this principal if you're trying to import a certificate to an Azure App Service. The Microsoft.Azure.WebSites permission should be sufficient.

Check your Identity:

Ensure that your Azure App Service has a system-assigned managed identity enabled. This identity is what will be used to authenticate against the Key Vault.

Troubleshoot your network Check If your Key Vault is configured with Virtual Network Service Endpoints or Private Endpoints

For your reference:

Install a TLS/SSL Certificate for Your App - Azure App Service | Microsoft Learn

Please let me know If you need any additional information or further assistance on this.
VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator

2025-11-03T02:15:14.97+00:00

Hello Richard Freytag ,

Just checking in to see if the steps helped resolve the issue. Were you able to add the access policy for Microsoft.Azure.WebSites, enable the managed identity on your App Service, and confirm the Key Vault networking settings?

If you’re still facing the same error, let me know
Richard Freytag 106 Reputation points

2025-11-03T17:32:24.45+00:00

Hi Vemula Srisai,

Thank you for your initial message and follow-up.

I am using RBAC through Access Control (IAM). Lots of docs and online advice relate only to 'Access Policies' which I don't think apply once I'm using IAM plus RBAC.

I am assigning Key Vault Secrets User to the Web App Service's managed identity. That means the Web App Service should have the proper role to access the Key Vault.

Also I -am- testing this with the key vault open to the Internet (switched off after testing!). So I don't think the network is the problem. The Key Vault firewall is set to 'Allow trusted Microsoft services to bypass this firewall.'
Richard Freytag 106 Reputation points

2025-11-03T17:49:56.0966667+00:00

I should add that it is possible to 'Validate' the SSL certificate from the Web App Service. It's 'Add'-ing the certificate from the Key Vault that fails. I am attempting to add Let's Encrypt RSA256 (2048 & 4096 bit), ECDSA P-256, and ECDSA P-384 certificates; all fail at the 'Add' attempt.

All of the above cert types work when uploaded directly into the Web App Service instead of from Key Vault.

In the past I encountered this trying to apply the ECDSA certs to Front Door. Apparently only RSA certs are supported on Front Door.

Any further thoughts and advice welcome!
VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator

2025-11-05T02:19:43.68+00:00

Richard Freytag Can you try assigning Key Vault Certificate User to your App Service managed identity and confirm if RSA certificates can now be added?
Richard Freytag 106 Reputation points

2025-11-05T17:08:01.3533333+00:00

Hi Vemula,

I have:

opened my KeyVault IAM interface,

selected "add role"

highlighted 'Key Vault Certificate User' and clicked NEXT

clicked 'managed identity'

selected the identity of my Web App Service

applied the result and checked the assigned roles on the Key Vault and see that my Web App Service has been granted 'Key Vault Certificate User'.

On the Web App Service I then attempt to 'manually' add my SSL Certificate *.pfx from the Key Vault and get all the way past SSL Certificate Validation ...

Fails to 'Add' the SSL Certificate from the Key Vault with the error ...

The service does not have access to '/subscriptions/<GUID>/resourcegroups/<my resource group name>/providers/microsoft.keyvault/vaults/<my key vault name>' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

No change from my previous cases.

I think it is time to escalate this to a Team chat please.

Thank you,

Richard Freytag
VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator

2025-11-06T05:30:00.19+00:00

Richard Freytag Thank you for the detailed update and for confirming the steps you’ve taken. Since the Web App Service already has the Key Vault Certificate User role assigned but the error still persists,

For further assistance Please share the requested details in private message.
Richard Freytag 106 Reputation points

2025-11-07T16:57:10.9233333+00:00

Hi Sina Salam and Vemula Srisai,

BTW, for my AI advisor I use ChatGPT because CoPilot is not yet answering questions with the specificity required.

My understanding is the 'managed identities' are the preferred way to assign roles in IAM RBAC to resources. ChatGPT advises...

QUOTE
When you should use a Managed Identity

The resource (e.g., App Service, Function, VM) runs inside Azure.

It needs to access another Azure resource (like Key Vault, Storage, SQL, etc.).

You want no credentials in code — Azure handles tokens automatically.

Both provider and subscriber resources are within the same Azure Tenant.
ENDQUOTE

That specifically describes my case so I am using managed identities (please see first attached screenshot).

Also, please note that I am definitely trying to import RSA256 (2048-bit) SSL Certs. They work when uploaded directly from my filesystem into my Web App. The RSA256 (2048-bit) SSL Cert does NOT load from my Key Vault.

The second screenshot shows that my Web App HAS both the Key Vault Certificates User and Key Vault Secrets User (just in case, will prune later once this is sorted). (See attached 2nd screenshot)

Assuming you are correct and I am misunderstanding you, what in the above recounting am I misunderstanding please?

Thanks,

Richard Freytag
VEMULA SRISAI 3,010 Reputation points Microsoft External Staff Moderator

2025-11-10T01:41:10.14+00:00

Thank you for the detailed update it seems the issue may be with how the certificate is stored or the Key Vault permissions.
Richard Freytag 106 Reputation points

2025-11-10T14:02:05.6333333+00:00

I am able to import the Key Vault SSL Certificates onto my Front Door but not onto my Web App Service. Correct and identical RBAC permissions have be used in both cases. Storage is identical.

????
Sina Salam 26,661 Reputation points Volunteer Moderator

2025-11-10T16:08:00.7133333+00:00

@VEMULA SRISAI Why do you convert answers to comment, if you're new go and learn how to. Answers can be more than two or ten in some cases. If he is your customer then lock the page. Be careful, and I don't think you can answer everyone.

Answer 1

VEMULA SRISAI 3,010 Microsoft External Staff Moderator

Hello Richard Freytag,

Could please select “Microsoft Azure App Service (Application)” as the member when assigning the Key Vault Certificate User role. This ensures App Service has the required permissions at the Key Vault level to read certificate details and complete the import process.

After assigning the role, you should be able to add the certificate without any error. User's image

Please let me know if you face any error after adding this role.

Answer 2

Dear Richard Freytag,

Carry out the below steps to resolve

Step 1: Make sure the certificate is RSA or P-256. ECDSA (P-384, P-521) cannot be imported into App Service from Key Vault. Reference: - https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

Step 2: Use Azure CLI or Portal to assign Key Vault Certificate User role to the App Service global identity:

az role assignment create \
  --role "Key Vault Certificate User" \
  --assignee "abfa0a7c-a6b6-4736-8310-5855508787cd" \
  --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>"

Reference: - https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide

Step 3: Azure Portal does not support RBAC-based certificate import for App Service. Use CLI:

az webapp config ssl import \
  --name <app-name> \
  --resource-group <resource-group> \
  --key-vault <key-vault-name> \
  --key-vault-certificate-name <cert-name>

Reference: - https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate

Step 4: Ensure Key Vault allows:

Trusted Microsoft services
No private endpoint restrictions during testing

Success.

Share via

RBAC KeyVault Certificate Reader granted to Web App but still has no access to KV SSL Certs

2 answers

Your answer