Allowing Azure CDN to access Azure KeyVault

Question

I'm trying to set up my Azure CDN endpoint to use HTTPS for the custom domain I already set up.

When I tried to point at the SSL cert in my Azure KeyVault, I got an error stating that I need to grant Azure CDN access to KeyVault. Any idea how I can do this -- hopefully through the Portal and NOT Powershell, though I have a feeling it'll end up requiring Powershell commands.

Basically, I'm trying to get my Azure CDN endpoint to use the SSL cert in my Azure KeyVault.

Anyway, I'd appreciate someone pointing to me an article or a set of instructions please. Thanks!

Answer 1

Instructions for enabling SSL with your own certificate stored in Azure KeyVault are described here:

https://docs.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate#ssl-certificates.

Answer 2

There's something broken with this lately.

Azure tells you to do the thing that doesn't work: New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8" -Role Contributor

If you're curious as to what it actually does, it just gives the hidden Microsoft.AzureFrontDoor-Cdn the role Contributor in your subscription's IAM. You can view it in the portal:

It seems that the "Contributor" role no longer contains the necessary permissions to read keyvaults - namely the Microsoft.KeyVault/vaults/secrets/readMetadata/action permission.

I've noticed that:

• this permission is given to the built in Key Vault Secrets User role
• all the roles that seem "superior" to the secrets user like Key Vault Administrator don't work, it HAS to be Key Vault Secrets User

So what fixed it for me is going into my keyvault and giving MYSELF (not azure cdn) the permission to read and list secrets. Seems that even as owner and god-emperor of your azure instance you can't access secrets by default ("AT" is me in the screenshot):