
I am trying to use RBAC to sync an SSL certificate from a key vault into a web app. I have given the web app the Key Vault Certificate User role but I am still getting this error:

Failed to import Key Vault Certificate for mbos.mercedes-benz due to error: The service does not have access to '/subscriptions/xxx/resourcegroups/xxx-rg/providers/microsoft.keyvault/vaults/xxx-kv' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

The same web app has no issues accessing secrets from the same key vault using the Key Vault Secrets User role.

asked Mar 14 at 10:52 by leonheess, edited Mar 14 at 15:29

1 Answer

Azure being Azure, for certificates specifically, you need to also give the `Key Vault Certificate User` role to the global App Service resource provider (same resource for everyone):

  1. Go to your key vault

  2. Open Access control (IAM)

  3. Click Add role assignment

  4. Find the role Key Vault Certificate User

  5. Select Assign access to User, group, or service principal

  6. Add member 551735cb-c10c-40a3-8266-5d4a93fd07ce or abfa0a7c-a6b6-4736-8310-5855508787cd

  7. Click Review + Assign

Or via Azure CLI:

az role assignment create \
  --role "Key Vault Certificate User" \
  --assignee "abfa0a7c-a6b6-4736-8310-5855508787cd" \
  --scope "/subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}"

Source: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Crbac%2Cazure-cli#authorize-app-service-to-read-from-the-vault
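The answer's procedure, scripted end to end, as an added example that is not part of the question or the answer above. It builds the same vault scope string the answer's CLI command uses, grants Key Vault Certificate User to both principals the answer names (the web app's system-assigned managed identity, looked up with `az webapp identity show`, and the App Service resource provider ID `abfa0a7c-a6b6-4736-8310-5855508787cd` quoted from the answer), and then lists the assignments so you can see that each grant actually landed at vault scope. It assumes an authenticated `az` CLI; every subscription, resource group, vault and app name is a placeholder you pass in, and `DRY_RUN=1` prints the `az` commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answer above.
# Grants "Key Vault Certificate User" on one vault to both identities the
# answer says need it (the web app's managed identity and the global App
# Service resource provider), then lists the assignments to confirm.
# Assumptions: an authenticated az CLI; all IDs and names passed in are
# placeholders; DRY_RUN=1 prints the az commands instead of running them.
set -eu

# Application ID of the App Service resource provider, as quoted in the answer.
APP_SERVICE_RP='abfa0a7c-a6b6-4736-8310-5855508787cd'
ROLE='Key Vault Certificate User'

# Resource ID of the vault, in the form az expects for --scope.
kv_scope() {  # kv_scope <subscription-id> <resource-group> <vault-name>
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' \
    "$1" "$2" "$3"
}

# Fail closed on anything that is not a GUID: --assignee also accepts UPNs,
# so a mistyped ID would be resolved against the directory rather than rejected.
is_guid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Run an az command, or just show it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

# Assign the role to one principal (object ID or application ID) at vault scope.
grant_cert_user() {  # grant_cert_user <vault-scope> <principal-id>
  is_guid "$2" || { printf 'refusing non-GUID assignee: %s\n' "$2" >&2; return 1; }
  run az role assignment create --role "$ROLE" --assignee "$2" --scope "$1"
}

# Count the assignments a principal holds for this role at vault scope.
# Anything other than 1 means the grant did not land where expected.
verify_cert_user() {  # verify_cert_user <vault-scope> <principal-id>
  run az role assignment list --scope "$1" --assignee "$2" --role "$ROLE" \
    --query 'length(@)' -o tsv
}

# main <subscription-id> <vault-rg> <vault-name> <webapp-rg> <webapp-name>
main() {
  scope="$(kv_scope "$1" "$2" "$3")"
  # Object ID of the web app's system-assigned managed identity.
  app_principal="$(az webapp identity show -g "$4" -n "$5" --query principalId -o tsv)"
  for principal in "$app_principal" "$APP_SERVICE_RP"; do
    grant_cert_user "$scope" "$principal"
    printf '%s assignment(s) for %s\n' "$(verify_cert_user "$scope" "$principal")" "$principal"
  done
}

# Only run main when invoked with arguments, so the functions can be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Run it as `./grant-kv-cert-user.sh <subscription-id> <vault-rg> <vault-name> <webapp-rg> <webapp-name>`; prefix with `DRY_RUN=1` to see the exact `az` commands first. The verify step is the part worth keeping around: if the vault and the web app sit in different resource groups, a grant made at the wrong scope produces the same "service does not have access" error as no grant at all, and `az role assignment list --scope ... --assignee ...` is the quickest way to tell the two apart.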

Tags: How can I access an Azure Key Vault certificate from a web app or an app service (Stack Overflow)