In Azure, how to grant Application Gateway access to Certificates in Key Vault

Lee Reams 0 Reputation points
2024-11-12T22:19:23.7966667+00:00

I have an application gateway AppGateway and a key vault KeyVault. My organization does not allow the use of a Vault Access Policy; I am required to use Role-based Access Control (RBAC).

I created a managed identity Gateway-KeyVault-identity. I assigned Gateway-KeyVault-identity as a managed identity on AppGateway, as confirmed by az network application-gateway show --name 'AppGateway' --resource-group 'AppGateway-RG' --query 'identity', and I added Gateway-KeyVault-identity to the Key Vault Certificates Officer and Key Vault Secrets User roles.

But the gateway still refuses to load certificates from the key vault. When I try to create a Listener, under Https Settings, I choose a Cert name, set Managed identity to Gateway-KeyVault-identity, and then select Key vault KeyVault. I get the error message "This key vault doesn't allow access to the managed identity. If using role-based access control permission model instead of policy"
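The question describes the three pieces that have to line up for this to work: the vault must actually be on the RBAC permission model, the gateway's identity must be the principal that holds the role, and the role (Key Vault Secrets User is the one Application Gateway needs to read a certificate from an RBAC-enabled vault) must be assigned at the vault or at a scope above it. A quick way to confirm which of those is wrong is to save the output of `az keyvault show`, `az network application-gateway show --query identity` and `az role assignment list --all` to JSON files and check them together. The script below is an added example written for this answer, not code from the question or from Microsoft; the resource IDs, GUIDs and the KeyVault-RG resource group name are constructed placeholders, and the embedded sample reproduces one common cause of the error, where the identity's clientId was pasted as the principal instead of its principalId.

```python
import json
import sys

REQUIRED_ROLE = "Key Vault Secrets User"  # role Application Gateway needs on an RBAC vault

# Constructed sample data mirroring the shape of the CLI output; all IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_ID = SUB + "/resourceGroups/KeyVault-RG/providers/Microsoft.KeyVault/vaults/KeyVault"
IDENTITY_ID = (SUB + "/resourceGroups/AppGateway-RG/providers/Microsoft.ManagedIdentity"
               "/userAssignedIdentities/Gateway-KeyVault-identity")
PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"  # object id of the identity's service principal
CLIENT_ID = "22222222-2222-2222-2222-222222222222"     # application (client) id of the same identity

# `az keyvault show --name KeyVault -o json`, trimmed
SAMPLE_VAULT = {"id": VAULT_ID, "name": "KeyVault",
                "properties": {"enableRbacAuthorization": True}}

# `az network application-gateway show ... --query identity -o json`
SAMPLE_GATEWAY_IDENTITY = {
    "principalId": None, "tenantId": None, "type": "UserAssigned",
    "userAssignedIdentities": {IDENTITY_ID: {"clientId": CLIENT_ID, "principalId": PRINCIPAL_ID}},
}

# `az role assignment list --all -o json`, trimmed to the fields used here
SAMPLE_ASSIGNMENTS = [
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Key Vault Certificates Officer",
     "scope": VAULT_ID},
    # Wrong principal: the client id was used where the principal (object) id belongs.
    {"principalId": CLIENT_ID, "roleDefinitionName": REQUIRED_ROLE, "scope": VAULT_ID},
]


def scope_covers(scope: str, resource_id: str) -> bool:
    """True if an assignment at `scope` applies to `resource_id` (same resource or an ancestor)."""
    s = scope.rstrip("/").lower()
    r = resource_id.lower()
    return r == s or r.startswith(s + "/")


def gateway_principal_ids(identity: dict) -> set:
    """Collect the principalIds of every identity attached to the gateway (system or user assigned)."""
    ids = set()
    if identity.get("principalId"):
        ids.add(identity["principalId"].lower())
    for entry in (identity.get("userAssignedIdentities") or {}).values():
        if entry and entry.get("principalId"):
            ids.add(entry["principalId"].lower())
    return ids


def diagnose(vault: dict, identity: dict, assignments: list) -> list:
    """Return a list of findings; an empty list means the three pieces line up."""
    findings = []
    if not vault.get("properties", {}).get("enableRbacAuthorization"):
        findings.append("vault uses the access-policy permission model; RBAC role assignments are ignored")
    principals = gateway_principal_ids(identity)
    if not principals:
        findings.append("gateway has no managed identity with a principalId")
        return findings
    matching = [a for a in assignments
                if a.get("roleDefinitionName") == REQUIRED_ROLE
                and (a.get("principalId") or "").lower() in principals
                and scope_covers(a.get("scope", ""), vault["id"])]
    if not matching:
        msg = f"no '{REQUIRED_ROLE}' assignment for the gateway's principal covering {vault['id']}"
        others = [a for a in assignments if a.get("roleDefinitionName") == REQUIRED_ROLE]
        if others:
            msg += "; found the role assigned to " + ", ".join(
                f"principalId {a.get('principalId')} at {a.get('scope')}" for a in others)
        findings.append(msg)
    return findings


if __name__ == "__main__":
    # Usage: python3 check_kv_rbac.py vault.json identity.json assignments.json (or no args for the sample)
    if len(sys.argv) == 4:
        vault, identity, assignments = (json.load(open(p)) for p in sys.argv[1:4])
    else:
        vault, identity, assignments = SAMPLE_VAULT, SAMPLE_GATEWAY_IDENTITY, SAMPLE_ASSIGNMENTS
    for line in diagnose(vault, identity, assignments) or ["ok: identity, role and scope line up"]:
        print(line)
```

Two caveats when reading the result: the principalId that must appear in the role assignment is the one shown under userAssignedIdentities in the gateway's identity output, not the identity's clientId and not the user who created it; and a freshly created assignment can take a few minutes to propagate, so re-run the check before changing anything else.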
