Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,316 questions
In Azure, how to grant Application Gateway access to Certificates in Key Vault
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 92%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELR%3C/text%3E%3C/svg%3E)
Lee Reams
0
Reputation points
I have an application gateway AppGateway and a key vault KeyVault. My organization does not allow the use of a Vault Access Policy, I am required to use Role-based Access Control (RBAC).
I created a managed identity Gateway-KeyVault-identity. I assigned Gateway-KeyVault-identity as a managed identity on AppGateway, as confirmed by az network application-gateway show --name 'AppGateway' --resource-group 'AppGateway-RG' --query 'identity', and I added Gateway-KeyVault-identity to the Key Vault Certificates Officer and Key Vault Secrets User roles.
But the gateway still refuses to load certificates from the key vault. When I try to create a Listener, under Https Settings, I choose a Cert name, set Managed identity to Gateway-KeyVault-identity, and then select Key vault KeyVault. I get error message "This key vault doesn't allow access to the managed identity. If using role-based access control permission model instead of policy"
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 63%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBD%3C/text%3E%3C/svg%3E)
Bhasker Donthu 610 Reputation points Microsoft Vendor2024-11-13T16:14:57.0966667+00:00 Hello @Lee Reams,
Thank you for posting your query on Microsoft Q&A.
Looks like you've taken the correct steps to set up your Azure Application Gateway and Azure Key Vault with a user-assigned managed identity and RBAC, but you're still encountering issues when trying to load certificates from the Key Vault.
To provide the better solution for this issue, could you please double-check and confirm the following points:- To access Key Vault, you need to enable managed Identity on your Application Gateway. This means using assigned, as it does not support a system assigned one.
- Once created and assigned to the Application Gateway, you need to grant the identity rights on the Key Vault to read secrets (yes, secretes, not certificates). This permission can be set either with key vault access policies or Azure RBAC, depending on how you have Key Vault setup.
In your case, since you're using RBAC, assign the appropriate permissions through RBAC.
Sign in to comment
Sign in to answer