I have a Bicep template where I create an App Service, in which I need to link an SSL certificate that exists in Key Vault (both in the same resource group).
The Key Vault has Azure RBAC enabled.
I use the following Bicep template to link the SSL certificate from Key Vault to the App Service:
resource certEncryption 'Microsoft.Web/certificates@2018-02-01' = {
  name: '${resourcePrefix}-cert-encryption'
  location: location
  properties: {
    keyVaultId: resourceId('myResourceGroup', 'Microsoft.KeyVault/vaults', keyVaultName)
    keyVaultSecretName: '${resourcePrefix}-cert-encryption'
    serverFarmId: hostingPlan.id
    password: 'SecretPassword'
  }
  dependsOn: [
    webApi
  ]
}
But it fails with the following message:
The service does not have access to ‘/subscriptions/3449f-xxxx/resourcegroups/rgabptrialt/providers/microsoft.keyvault/vaults/my-test-vault’ Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.
This isn’t really telling a lot…
What permission do I need to grant exactly? And to what? And where and how do I even grant these permissions?
Do I have to create a Managed Identity and link that in my App Service? And what Permissions/Roles do I need exactly? Or do I need to do something else to make this work?
I couldn’t really find any good info on how to do this.
2 Answers
I think yes, first you need to give permission in Key Vault.
Ensure that the service principal has all the permissions. The only thing that worked for me though is adding the service principal 24681998-555f-4570-a559-2fced2d7e841 which shows up as Microsoft.Azure.WebSites. You can add this through the portal, by adding an access policy for Microsoft.Azure.WebSites or through arm with the GUID.
I added the following principal to the Key Vault access policies: Microsoft Azure App Service (object id: your object id). Permission to get secrets is enough.
By performing steps similar to those mentioned in the answer below:
How to access key vault from azure app service
Please let me know if you have any doubts or questions, or if you are facing any issues.
I’ve imported a self-signed certificate (.pfx) in keyvault -> secrets to authenticate. To resolve this, I tried in my environment by referring to a few steps from this article detailed by @Anuraj and modified them accordingly to achieve the expected results.

Step-1: Setting up a Key Vault access policy:
Open the key vault from the portal and go to Access Policies. Create an access policy for the SSL certificate by configuring a template as per your requirement. I’ve selected key, secret & certificate management to enable the permissions as shown. Search for the "Name/objectID/AppID" of the respective service principal, as the key vault has RBAC enabled.
Note: Register an app under AzureAD -> App registrations if needed.

Step-2: Under App Service -> Web Application -> Certificates, I’ve added the key vault certificate (the self-signed certificate (.pfx) in keyvault -> secrets). Bind the SSL certificate by adding TLS/SSL settings and importing the key vault certificate once it has been added to the key vault (.pfx).
Note: Make sure the certificate is in .pfx format to avoid any conflicts. Then I ran the below script and the deployment succeeded without any permission blockers.
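Putting the two answers together for an RBAC-enabled vault, here is an added Bicep example (not code from the question or either answer): it assigns the built-in Key Vault Secrets User role, the RBAC equivalent of the "get secrets" access-policy permission the first answer describes, to the App Service platform principal on the vault, and only then imports the certificate. The parameter names, the existing vault and plan references, and the requirement that you supply your tenant's object id for the "Microsoft Azure App Service" service principal are assumptions.

```bicep
// Added example, not part of the original question or answers.
param location string = resourceGroup().location
param resourcePrefix string
param keyVaultName string
// Assumption: object id of the 'Microsoft Azure App Service' service principal
// in YOUR tenant. It differs per tenant; look it up with
//   az ad sp list --display-name 'Microsoft Azure App Service' --query '[].id'
param appServicePrincipalObjectId string

// Existing resources in the same resource group (assumed names).
resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}

resource hostingPlan 'Microsoft.Web/serverfarms@2022-03-01' existing = {
  name: '${resourcePrefix}-plan'
}

// Built-in role 'Key Vault Secrets User': read secret contents only.
// The imported .pfx lives in the vault as a secret, so this is the least
// privilege the certificate importer needs (no list/set/delete).
var keyVaultSecretsUserRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6'
)

// Scope the assignment to the vault itself, not the resource group.
resource certReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, appServicePrincipalObjectId, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: appServicePrincipalObjectId
    principalType: 'ServicePrincipal'
  }
}

// Import the certificate from Key Vault. No 'password' property is needed
// when importing from a vault; the platform reads the secret directly.
resource certEncryption 'Microsoft.Web/certificates@2022-03-01' = {
  name: '${resourcePrefix}-cert-encryption'
  location: location
  properties: {
    keyVaultId: keyVault.id
    keyVaultSecretName: '${resourcePrefix}-cert-encryption'
    serverFarmId: hostingPlan.id
  }
  // The role assignment must exist before the import is attempted.
  dependsOn: [ certReader ]
}
```

If the vault still uses access policies instead of RBAC, replace the role assignment with a `Microsoft.KeyVault/vaults/accessPolicies` resource granting `secrets: [ 'get' ]` to the same object id.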