Application gateway listener error when trying to use key vault certificate using managed identity and RBAC

Martin Cangar 31 Reputation points

I'm trying to set up a listener in Application Gateway to use a certificate from Key Vault using a managed identity.
But every time when I choose the managed identity in the portal and then select the key vault from the dropdown menu I get this error:
"This key vault doesn't allow access to the managed identity"

Here is what I set up (all resources are in same resource group "my-rg"):

KeyVault: my-keyvault
Certificate: my-cert
Application gateway: my-appgw
Managed identity: appgw-to-keyvault-managed-identity

Permission model for the KeyVault is set to: "Azure role-based access control"

Once the above resources were created I assigned the managed identity to the application gateway (I did this using the CLI as I haven't found a way to do it in the portal):
az network application-gateway identity assign --gateway-name my-appgw --resource-group my-rg --identity appgw-to-keyvault-managed-identity

After that I configured the following role assignment for the managed identity "appgw-to-keyvault-managed-identity":

  • role "Key Vault Secrets User" for the key vault "my-keyvault"

After this setup I'm getting the above error when trying to choose the key vault in the application gateway listener setting.

I also tried the following:

  • adding "Key Vault Certificates Officer" role for the managed identity towards the key vault
  • adding "Contributor" role for the managed identity towards the whole resource group.

None of these helped.

I wasn't able to find any instructions which would describe how to set this up for the application gateway.

Can someone let me know if I'm missing something in my setup?

Martin Cangar


Accepted answer
  1. TTASE Crall 81 Reputation points

    I had the exact same problem.

    I found that I had to go to 'Access Policies' in Key Vault and change it from 'Azure role-based access control' to 'Vault access policy'. I then created a Vault Access Policy, selected my managed identity as the principal, and granted it the 'Get' and 'List' permissions for both Secrets and Certificates. This allowed me to select the certificate from Application Gateway's 'Add Listener' interface.

    1 person found this answer helpful.

2 additional answers

  1. Olivier BOËL 11 Reputation points

    Just had the same issue. But found a workaround via CLI (az network application-gateway ssl-cert update..., az network application-gateway http-listener update...).
    According to [1], the first few steps to reference the Key Vault must be completed via ARM template, Bicep, CLI, or PowerShell.
    This might explain why the portal says "This key vault doesn't allow access to the managed identity" when attempting to update a listener and select an RBAC-managed key vault.
    The message should be updated to something like "Access to this key vault is secured by RBAC; please use CLI" or something similar.

    2 people found this answer helpful.
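The CLI route Olivier describes, written out as an added example (not code from this thread, from Microsoft's docs, or from the original poster), using the resource names from the question; the listener name "https-listener" and the DRY_RUN wrapper are assumptions made for the example:

```shell
#!/bin/sh
# Added example, not code from the thread: the CLI-only path for an RBAC-mode
# Key Vault. Resource names are taken from the question; the listener name
# "https-listener" is assumed. DRY_RUN=1 (the default) only prints the az commands.
set -eu

RG="my-rg"; KV="my-keyvault"; CERT="my-cert"; APPGW="my-appgw"
MI="appgw-to-keyvault-managed-identity"; LISTENER="https-listener"
DRY_RUN="${DRY_RUN:-1}"

# Run an az command, or just print it in dry-run mode.
run() { if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi; }
# Capture an az query result; in dry-run mode return a labelled placeholder.
query() { if [ "$DRY_RUN" = "1" ]; then printf '<%s>\n' "$1"; else shift; "$@"; fi; }

# Strip the version from a certificate's secret identifier so the gateway
# follows rotation automatically instead of pinning one version.
versionless_secret_id() {
  printf '%s\n' "$1" | sed -E 's#^(https://[^/]+/secrets/[^/]+)/[0-9a-fA-F]+/?$#\1#'
}

# Attach the user-assigned identity and grant it only Key Vault Secrets User
# on the vault: enough to read the certificate's PFX, nothing more.
grant_and_attach() {
  run az network application-gateway identity assign -g "$RG" --gateway-name "$APPGW" --identity "$MI"
  MI_OID="$(query MI_PRINCIPAL_ID az identity show -g "$RG" -n "$MI" --query principalId -o tsv)"
  KV_ID="$(query KEY_VAULT_ID az keyvault show -g "$RG" -n "$KV" --query id -o tsv)"
  run az role assignment create --role "Key Vault Secrets User" --scope "$KV_ID" \
    --assignee-object-id "$MI_OID" --assignee-principal-type ServicePrincipal
}

# Register the vault reference as a gateway SSL certificate, then bind the listener to it.
configure_listener() {
  SID="$(query CERT_SECRET_ID az keyvault certificate show --vault-name "$KV" -n "$CERT" --query sid -o tsv)"
  SECRET_URL="$(versionless_secret_id "$SID")"
  run az network application-gateway ssl-cert create -g "$RG" --gateway-name "$APPGW" \
    -n "${CERT}-kv" --key-vault-secret-id "$SECRET_URL"
  run az network application-gateway http-listener update -g "$RG" --gateway-name "$APPGW" \
    -n "$LISTENER" --ssl-cert "${CERT}-kv"
}

grant_and_attach
configure_listener
```

Run with DRY_RUN=0 to execute against a real subscription; the identity keeps only Key Vault Secrets User, so the vault can stay in RBAC mode instead of being switched back to access policies.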

  2. Martin Cangar 31 Reputation points

    At the end this is how I solved it.

    Martin Cangar

    1 person found this answer helpful.