Deploy Web App certificate from Azure Keyvault and create SSL binding

I have been trying to figure out how to fix the below problem while deploying an Azure RM template.

New-AzureRmResourceGroupDeployment : 9:54:31 PM - Resource Microsoft.Web/certificates 'redacted' failed with message '{   "Code": "BadRequest",   "Message": "The service does not have access to '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have  granted necessary permissions to the service to perform the request operation.",   "Target": null,   "Details": [
    {
      "Message": "The service does not have access to  '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have  granted necessary permissions to the service to perform the request operation."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "ExtendedCode": "59716",
        "MessageTemplate": "The service does not have access to '{0}' Key Vault. Please make sure that you have granted necessary permissions to the service to perform  the request operation.",
        "Parameters": [          "/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted"
        ],
        "Code": "BadRequest",
        "Message": "The service does not have access to  '/subscriptions/redacted/resourcegroups/redacted/providers/microsoft.keyvault/vaults/redacted' Key Vault. Please make sure that you have  granted necessary permissions to the service to perform the request operation."
      }
    }   ],   "Innererror": null }' At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet New-AzureRmResourceGroupDeployment : 9:54:31 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet New-AzureRmResourceGroupDeployment : 9:54:31 PM - Template output evaluation skipped: at least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. At line:1 char:1
+ New-AzureRmResourceGroupDeployment -Name redacted -ResourceGroupName  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-AzureRmResourceGroupDeployment], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupDeploymentCmdlet

I have created a web app and want to bind an SSL certificate stored as a secret in Azure Keyvault. At first, I created a self-signed certificate and uploaded it to keyvault as a 'secret'. From Azure Active Directory, I created a web app and used the application ID to grant access to the key vault.

Following deployment template was used:

Azure RM template for deploying web app certificate from keyvault



Solution 1:[1]

It seems that the Resource Provider has no permission to access the Key Vault.

By default, the 'Microsoft.Azure.WebSites' Resource Provider (RP) doesn't have access to the Key Vault specified in the template, hence you need to authorize it by executing the following PowerShell commands before deploying the template.

The RP requires read access to KeyVault. 'abfa0a7c-a6b6-4736-8310-5855508787cd' is the RP service principal name and it remains the same for all Azure subscriptions.

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionId AZURE_SUBSCRIPTION_ID
Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

Here is a similar case.

Solution 2:[2]

I found that I was using the wrong application ID. The following step is the right one.

Run the following command and replace the application ID with the one from the output:

Get-AzureRmADServicePrincipal -SearchString "Microsoft.Azure.WebSites"

Most likely the application ID would still be the same.

Set-AzureRmKeyVaultAccessPolicy -VaultName KEY_VAULT_NAME -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd -PermissionsToSecrets get

I created an AppService and replaced abfa0a7c-a6b6-4736-8310-5855508787cd with application ID of my AppService which was wrong.

Solution 3:[3]

I was not able to add the policies through the Set-AzureRmKeyVaultAccessPolicy command due to an error in the console.

I was however able to resolve the issue through the Azure Web Interface by opening the KeyVault Access Control (IAM) and adding the Key Vault Reader and Key Vault Secrets User roles to Microsoft.Azure.Websites.

Solution 4:[4]

Not a direct answer, but it will surely help.

#Microsoft Azure App Service
#Name: Microsoft Azure WebSites
# Assumed to be set beforehand: $keyVaultScope (the Key Vault resource id), $subscriptionName,
# $webAppName, $resourceGroupName, $hostname, $keyVaultName, $certificateName
$AppServicePrincipalId = "abfa0a7c-a6b6-4736-8310-5855508787cd"
$KeyVaultSecretsUserRoleId = "4633458b-17de-408a-b874-0445c86b69e6"   # built-in "Key Vault Secrets User" role definition id
# -o tsv strips the JSON quotes that would otherwise end up inside the variable;
# newer Azure CLI versions expose this property as 'id' instead of 'objectId'
$AppServicePrincipalObjectId = az ad sp show --id $AppServicePrincipalId --query objectId -o tsv
# RBAC grant: read-only access to secrets, scoped to the vault (requires the vault to use the RBAC permission model)
az role assignment create --assignee-object-id $AppServicePrincipalObjectId --role $KeyVaultSecretsUserRoleId --scope $keyVaultScope --subscription $subscriptionName --assignee-principal-type "ServicePrincipal"

# Add the custom hostname, import the certificate from Key Vault, then bind it by thumbprint
az webapp config hostname add --webapp-name $webAppName --resource-group $resourceGroupName --hostname $hostname
$sslResult = (az webapp config ssl import --resource-group $resourceGroupName --name $webAppName --key-vault $keyVaultName --key-vault-certificate-name $certificateName | ConvertFrom-Json)
az webapp config ssl bind --certificate-thumbprint $sslResult.thumbprint --ssl-type SNI --name $webAppName --resource-group $resourceGroupName
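The following is an added example (not from any of the answers above) that ties Solutions 1, 2 and 4 together: it resolves the App Service RP by its well-known application ID rather than by display name, grants it only 'get' on secrets and only if that policy is missing, deploys the template, and then verifies the resulting SSL binding. The vault, resource group, web app and template path values are placeholders you must replace.

```powershell
# Added example, written with the AzureRm cmdlets the answers use. Placeholders below are assumptions.
$rpAppId           = 'abfa0a7c-a6b6-4736-8310-5855508787cd'   # App Service RP, same in every tenant
$vaultName         = 'KEY_VAULT_NAME'
$resourceGroupName = 'RESOURCE_GROUP_NAME'
$webAppName        = 'WEB_APP_NAME'
$templateFile      = '.\webapp-cert.json'                      # the ARM template from the question

# Resolve the RP's service principal object id by application id, not by display name alone:
# a custom app registration could carry the same display name (the mistake in Solution 2).
$rp = Get-AzureRmADServicePrincipal -SearchString 'Microsoft.Azure.WebSites' |
      Where-Object { $_.ApplicationId -eq $rpAppId }
if (-not $rp) { throw "App Service RP service principal $rpAppId not found in this tenant" }

# Least privilege: the certificate import only needs 'get' on secrets. Skip if already granted.
$vault    = Get-AzureRmKeyVault -VaultName $vaultName
$existing = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $rp.Id }
if ($existing -and ($existing.PermissionsToSecrets -contains 'get')) {
    Write-Host "RP already has 'get' on secrets in $vaultName; nothing to change"
} else {
    Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $rp.Id -PermissionsToSecrets get
}

# Deploy the template that creates Microsoft.Web/certificates and the SSL binding.
$deployment = New-AzureRmResourceGroupDeployment -ResourceGroupName $resourceGroupName `
                  -TemplateFile $templateFile -Mode Incremental
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state '$($deployment.ProvisioningState)'"
}

# Verify that a binding exists for the hostname and that it is SNI-based.
Get-AzureRmWebAppSSLBinding -ResourceGroupName $resourceGroupName -WebAppName $webAppName |
    Select-Object Name, SslState, Thumbprint
```

If the vault uses the RBAC permission model instead of access policies, the policy check above does not apply and the role assignment from Solution 4 is the equivalent step.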

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 doubledecker
Solution 3 apostolov
Solution 4 Tiju John