Failed to get app principal details - Certificate import from key vault

Question

Failed to get app principal details - Certificate import from key vault

Frank Hessen 1

Hi. I'm having issues importing a certificate from the key vault to an App Service. The App service is setup with system assigned identity and has get and list permissions on both secrets and certificates in the keyvault.

1 answer

Your answer

Answer 1

James Hamil 27,201 Microsoft Employee Moderator

Hi @Frank Hessen , this looks like a permissions issue. You may need more than just GET and LIST. Did you follow that link in the warning? I would look into Key Vault access policies to make sure you have the required permissions: https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

Please let me know if this works. If not I can assist you further.

Best,
James

Frank Hessen 1 Reputation point

2021-09-22T05:36:17.237+00:00

Hi James,

I tried giving the identity all possible permissions in the keyvault and it still fails.

I took a closer look at the link and found this:
*After completing all prerequisites, now we are ready to deploy the certificate into a Web App. Currently, Azure portal doesn’t support deploying external certificate from Key Vault, you need to call Web App ARM APIs directly using ArmClient, Resource Explorer, or Template Deployment Engine. *

I find this kind of wierd as the certificate is displayed in the list after I click "Import" but fails when I go further to import it.
Frank Hessen 1 Reputation point

2021-09-22T08:55:58.397+00:00

Hi James,

Finally solved this and it turns out the owner of the subscription could use the import right away without any issues. My role was only contributor.

I think you should look into this and atleast improve the error messages.

Share via

Failed to get app principal details - Certificate import from key vault

1 answer

Your answer