Hello @Mark Windle,
Based on your description, I understand that you are trying to add a private key certificate to your App Service by importing it from Azure Key Vault. However, while you can view the certificate, you encounter an error when clicking "Add," which states:
"The service does not have access to '/subscriptions/xxxxxxxxxxx/resourcegroups/keyvault/providers/microsoft.keyvault/vaults/rdcvaulttesting' Key Vault. Please make sure that you have granted the necessary permissions to the service to perform the request operation."
I faced the same issue while performing this action in my tenant.
After investigating, I found that the problem isn't with Azure Key Vault itself but with Azure App Services, which do not fully support RBAC. As per the documentation section "Authorize App Service to read from the vault":
By default, the App Service resource provider doesn't have access to your key vault. To use a key vault for a certificate deployment, you must authorize read access for the resource provider to the key vault. Currently, a Key Vault certificate supports only the Key Vault access policy, not RBAC model.
To resolve this issue, you need to assign the "Key Vault Certificate User" role to the Microsoft Azure App Service application (Object ID: 3f975d5d-2ff4-415d-9dc8-84cab13db1d5) in your Key Vault's IAM (Access Control) settings.
Authorize App Service to read from the vault
- Navigate to Azure Key Vault → Access Control (IAM).
- Click Add role assignment.
- Select the "Key Vault Certificate User" role and click Next.
- Under Select members, search for Microsoft Azure App Service by name or enter the Object ID: 3f975d5d-2ff4-415d-9dc8-84cab13db1d5.
- Click Review + Assign to complete the role assignment.
Once this is done, go back to App Service Certificates and try adding the private key certificate again. After following these steps, I was able to successfully import the certificate into my App Service from Key Vault.
I hope this information is helpful. Please feel free to reach out if you have any further questions. If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
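The same role assignment done from the Azure CLI, as an added example that is not part of the answer above. It assumes a logged-in `az` session with rights to assign roles on the vault, and uses the vault name (`rdcvaulttesting`) and resource group (`keyvault`) from the error message in the question. Because the object ID of a first-party service principal such as "Microsoft Azure App Service" differs from tenant to tenant, the script resolves it by display name instead of hardcoding the ID quoted in the answer; the `AZ` variable only exists so the functions can be exercised against a stub when no Azure session is available.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): grant the Microsoft Azure
# App Service service principal the "Key Vault Certificate User" RBAC role
# on one Key Vault, then verify the assignment landed.
# Assumes: `az login` done, and permission to create role assignments.
set -eu

AZ="${AZ:-az}"                       # set AZ to a stub command to run offline
ROLE="Key Vault Certificate User"
APP_SERVICE_SP_NAME="Microsoft Azure App Service"

# Resource ID of the vault; this is the scope the role is assigned at.
vault_scope() {                      # $1 = vault name, $2 = resource group
  "$AZ" keyvault show --name "$1" --resource-group "$2" --query id -o tsv
}

# Object ID of the App Service first-party principal in the current tenant.
# (`id` is the object ID in current Azure CLI output; old releases used `objectId`.)
app_service_object_id() {
  local oid
  oid=$("$AZ" ad sp list --display-name "$APP_SERVICE_SP_NAME" --query "[0].id" -o tsv)
  if [ -z "$oid" ]; then
    echo "service principal '$APP_SERVICE_SP_NAME' not found in this tenant" >&2
    return 1
  fi
  printf '%s\n' "$oid"
}

# Assign the role at vault scope; prints the object ID it was assigned to.
grant_cert_reader() {                # $1 = vault name, $2 = resource group
  local scope oid
  scope=$(vault_scope "$1" "$2")
  oid=$(app_service_object_id)
  "$AZ" role assignment create \
    --assignee-object-id "$oid" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE" \
    --scope "$scope" >/dev/null
  printf '%s\n' "$oid"
}

# Returns 0 only if the principal holds exactly this role at the vault scope.
has_cert_reader() {                  # $1 = vault, $2 = resource group, $3 = object ID
  local scope
  scope=$(vault_scope "$1" "$2")
  "$AZ" role assignment list --scope "$scope" --assignee "$3" \
    --query "[].roleDefinitionName" -o tsv | grep -x "$ROLE" >/dev/null
}

main() {                             # usage: ./grant.sh <vault> <resource-group>
  local oid
  oid=$(grant_cert_reader "$1" "$2")
  if has_cert_reader "$1" "$2" "$oid"; then
    echo "OK: '$ROLE' assigned to $oid on vault $1; retry the App Service import."
  else
    echo "role assignment not visible yet on vault $1 (RBAC propagation can lag)" >&2
    return 1
  fi
}

if [ "$#" -eq 2 ]; then
  main "$1" "$2"
fi
```

After it reports OK, repeat the "Add" step in the App Service certificate blade; if the same error persists for a minute or two, that is RBAC propagation delay rather than a missing assignment.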