In Azure, how to grant Application Gateway access to Certificates in Key Vault

Lee Reams 0 Reputation points
2024-11-12T22:19:23.7966667+00:00

I have an application gateway AppGateway and a key vault KeyVault. My organization does not allow the use of a Vault Access Policy; I am required to use Role-based Access Control (RBAC).

I created a managed identity Gateway-KeyVault-identity. I assigned Gateway-KeyVault-identity as a managed identity on AppGateway, as confirmed by az network application-gateway show --name 'AppGateway' --resource-group 'AppGateway-RG' --query 'identity', and I added Gateway-KeyVault-identity to the Key Vault Certificates Officer and Key Vault Secrets User roles.

But the gateway still refuses to load certificates from the key vault. When I try to create a Listener, under Https Settings, I choose a Cert name, set Managed identity to Gateway-KeyVault-identity, and then select Key vault KeyVault. I get the error message "This key vault doesn't allow access to the managed identity. If using role-based access control permission model instead of policy"


1 answer

Bhasker Donthu 765 Reputation points Microsoft Vendor
2024-11-13T16:14:57.0966667+00:00

Hello @Lee Reams,

Thank you for posting your query on Microsoft Q&A.

It looks like you've taken the correct steps to set up your Azure Application Gateway and Azure Key Vault with a user-assigned managed identity and RBAC, but you're still encountering issues when trying to load certificates from the Key Vault. Typically, the mentioned error occurs when the Application Gateway's managed identity is not granted sufficient or correct permissions to access the Key Vault.

To provide a better solution for this issue, could you please double-check and confirm the following points:

1. To access Key Vault, you need to enable managed identity on your Application Gateway. This means using a user-assigned identity, as it does not support a system-assigned one.
2. Once created and assigned to the Application Gateway, you need to grant the identity rights on the Key Vault to read secrets (yes, secrets, not certificates). This permission can be set either with Key Vault access policies or Azure RBAC, depending on how you have Key Vault set up.

In your case, since you're using RBAC, assign the appropriate permissions through RBAC.
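As an added illustration (not code from either post), the following offline check captures the answer's point: Application Gateway fetches the certificate through the secrets endpoint, so "Key Vault Certificates Officer" alone is not enough, the role must be effective at the vault's scope, and role assignments only count when the vault's permission model is RBAC (`enableRbacAuthorization`). The role-assignment JSON and all resource IDs below are constructed placeholders, assumed to be in the shape returned by `az role assignment list --assignee <principalId> --all -o json`.

```python
import json

# Constructed identifiers (placeholders, not from the question's tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_ID = SUB + "/resourceGroups/AppGateway-RG/providers/Microsoft.KeyVault/vaults/KeyVault"
PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"  # principalId of Gateway-KeyVault-identity

# Built-in roles whose data-plane permissions include secrets/get.
# "Key Vault Certificates Officer" is deliberately absent: it does not grant secrets/get.
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer", "Key Vault Administrator"}

# Constructed sample output (assumed invocation: az role assignment list --assignee <id> --all).
# It mirrors a common mistake: Certificates Officer on the vault, Secrets User on the wrong scope.
SAMPLE_ASSIGNMENTS = json.loads(f"""[
  {{"principalId": "{PRINCIPAL_ID}", "roleDefinitionName": "Key Vault Certificates Officer",
    "scope": "{VAULT_ID}"}},
  {{"principalId": "{PRINCIPAL_ID}", "roleDefinitionName": "Key Vault Secrets User",
    "scope": "{SUB}/resourceGroups/Other-RG"}}
]""")


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """True when the assignment scope is the resource itself or an ancestor
    (resource group or subscription), since RBAC inherits downward.
    Management-group scopes are not modelled here (membership can't be checked offline)."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def diagnose(assignments, principal_id: str, vault_id: str, rbac_enabled: bool) -> list:
    """Return human-readable findings; an empty list means the gateway's identity
    can read certificates (as secrets) from the vault under the RBAC model."""
    findings = []
    if not rbac_enabled:  # value of `az keyvault show --query properties.enableRbacAuthorization`
        findings.append("vault uses the access-policy model (enableRbacAuthorization=false); "
                        "RBAC role assignments are ignored on the data plane")
    mine = [a for a in assignments if a.get("principalId", "").lower() == principal_id.lower()]
    if not mine:
        return findings + [f"no role assignments for principalId {principal_id} "
                           "(check the identity's principalId, not its clientId)"]
    effective = [a for a in mine if scope_covers(a.get("scope", ""), vault_id)]
    if not effective:
        return findings + ["roles are assigned, but none at the vault or an ancestor scope"]
    if not any(a.get("roleDefinitionName") in SECRET_READ_ROLES for a in effective):
        findings.append("no effective role grants secrets/get; Application Gateway reads the "
                        "certificate as a secret, so add 'Key Vault Secrets User' at vault scope")
    return findings
```

Running `diagnose(SAMPLE_ASSIGNMENTS, PRINCIPAL_ID, VAULT_ID, True)` on the constructed sample reports the missing Secrets User role at vault scope; adding that assignment makes the findings list empty.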

