In Azure, how to grant Application Gateway access to Certificates in Key Vault
I have an application gateway AppGateway and a key vault KeyVault. My organization does not allow the use of a Vault Access Policy; I am required to use Role-based Access Control (RBAC).

I created a managed identity Gateway-KeyVault-identity. I assigned Gateway-KeyVault-identity as a managed identity on AppGateway, as confirmed by az network application-gateway show --name 'AppGateway' --resource-group 'AppGateway-RG' --query 'identity', and I added Gateway-KeyVault-identity to the Key Vault Certificates Officer and Key Vault Secrets User roles.

But the gateway still refuses to load certificates from the key vault. When I try to create a Listener, under Https Settings, I choose a Cert name, set Managed identity to Gateway-KeyVault-identity, and then select Key vault KeyVault. I get the error message "This key vault doesn't allow access to the managed identity. If using role-based access control permission model instead of policy"
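An offline checker for the two RBAC preconditions the setup above depends on, as an added example that is not part of the asker's post: the vault must have the RBAC permission model enabled, and the identity's principalId (not its clientId) must hold Key Vault Secrets User at a scope that covers the vault, since Application Gateway reads certificates through the secrets endpoint. The JSON samples, subscription id, scopes and principal id are constructed stand-ins for what az keyvault show and az role assignment list would return.

```python
"""Check why an Application Gateway identity cannot read a Key Vault certificate
under the RBAC model. Runs offline over constructed samples of the JSON that
`az keyvault show` and `az role assignment list --all` return."""
import json

# App Gateway fetches certificates via the secrets endpoint, so this role must be
# effective on the vault; Key Vault Certificates Officer alone is not enough.
REQUIRED_ROLES = {"Key Vault Secrets User"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed
VAULT_SCOPE = SUB + "/resourceGroups/KeyVault-RG/providers/Microsoft.KeyVault/vaults/KeyVault"
IDENTITY_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"  # constructed principalId

# Constructed stand-in for: az keyvault show -n KeyVault --query properties
VAULT_JSON = json.dumps({"enableRbacAuthorization": True})
# Constructed stand-in for: az role assignment list --all --assignee <principalId>
# The Secrets User role here sits on a different resource group, so it does not cover the vault.
ASSIGNMENTS_JSON = json.dumps([
    {"principalId": IDENTITY_PRINCIPAL_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Certificates Officer", "scope": VAULT_SCOPE},
    {"principalId": IDENTITY_PRINCIPAL_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User", "scope": SUB + "/resourceGroups/Other-RG"},
])

def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """RBAC inherits downwards: a role at subscription or resource-group level also
    applies to the vault. Compare whole path segments, case-insensitively."""
    a = assigned_scope.lower().rstrip("/") + "/"
    t = target_scope.lower().rstrip("/") + "/"
    return t.startswith(a)

def effective_roles(assignments_json: str, principal_id: str, vault_scope: str) -> set:
    """Role names the principal holds at a scope that covers the vault."""
    return {ra["roleDefinitionName"] for ra in json.loads(assignments_json)
            if ra["principalId"].lower() == principal_id.lower()
            and scope_covers(ra["scope"], vault_scope)}

def diagnose(vault_json: str, assignments_json: str, principal_id: str, vault_scope: str) -> list:
    """Findings a practitioner would act on; an empty list means both preconditions hold."""
    findings = []
    if not json.loads(vault_json).get("enableRbacAuthorization"):
        findings.append("vault uses the access-policy model; role assignments are ignored")
    missing = REQUIRED_ROLES - effective_roles(assignments_json, principal_id, vault_scope)
    for role in sorted(missing):
        findings.append(f"identity lacks '{role}' at a scope covering the vault")
    return findings

if __name__ == "__main__":
    for finding in diagnose(VAULT_JSON, ASSIGNMENTS_JSON, IDENTITY_PRINCIPAL_ID, VAULT_SCOPE):
        print("FINDING:", finding)
```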