Azure-docs: Instructions are a bit ambiguous

Created on 16 Dec 2019 · 5 Comments · Source: MicrosoftDocs/azure-docs

I'm trying to follow the instructions on this page via the Portal but am not having much luck. On the "Add multi-site listener" blade I select the Key Vault but it shows a "The key vault must have GET permissions on the secret" error; I have created a policy to grant Get certificate permissions for the user-assigned Managed Identity. Am I doing something wrong? Does the App Gateway need a role assignment on the Key Vault as well?

Does the lack of explicit portal instructions mean that you can only (currently) do this using PowerShell (https://docs.microsoft.com/en-us/azure/application-gateway/configure-keyvault-ps)?



Pri2 application-gatewasvc assigned-to-author doc-enhancement triaged

All 5 comments

@philipstreet-hiscox Thanks for the feedback! I would use PowerShell, as we have clearly outlined instructions for configuring this via PowerShell.

To add instructions for the portal, I have assigned this issue to the content author to evaluate and update as appropriate.

@philipstreet-hiscox The user-assigned identity only requires get permissions on the secrets. No additional role assignments are required. In the PowerShell example you can see this line:
Set-AzKeyVaultAccessPolicy -VaultName $kv -PermissionsToSecrets get -ObjectId $identity.PrincipalId

It says in "2. Configure your key vault" that it's recommended to store certificates as Certificates in the KV, not as Secrets. And in so doing, it would be '-permissionstocertificates get' that is required.

Encountering this as well, seems a little misleading as I'm given a list of certificates, not secrets. Also, I have already granted GET permission to the user managed identity that is being used.

Something doesn't seem right here.
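
Added example (not part of the original thread or of the Microsoft docs): a PowerShell check of whether the user-assigned identity's access policy on the vault includes get on secrets, the permission the reply above says is required, with get on certificates shown alongside for comparison. The vault, resource group and identity names are placeholders; it assumes the vault uses access policies rather than Azure RBAC and that you are already signed in with the Az modules.

```powershell
# Added example: the three names below are placeholders, not values from the thread.
$vaultName    = '<key-vault-name>'
$identityRg   = '<identity-resource-group>'
$identityName = '<user-assigned-identity-name>'

$identity = Get-AzUserAssignedIdentity -ResourceGroupName $identityRg -Name $identityName
$vault    = Get-AzKeyVault -VaultName $vaultName

# Access policies are matched on the identity's object (principal) ID,
# the same value the thread's Set-AzKeyVaultAccessPolicy line passes as -ObjectId.
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $identity.PrincipalId }

function Test-HasGet([string[]]$Permissions) {
    # 'all' includes get; -contains compares case-insensitively.
    return ($Permissions -contains 'get') -or ($Permissions -contains 'all')
}

# Report both permission types, since the portal lists certificates
# while the error message refers to the secret.
[pscustomobject]@{
    Identity        = $identityName
    PolicyFound     = [bool]$policy
    SecretsGet      = Test-HasGet $policy.PermissionsToSecrets
    CertificatesGet = Test-HasGet $policy.PermissionsToCertificates
}

if (-not (Test-HasGet $policy.PermissionsToSecrets)) {
    # Same grant as the line quoted in the thread. Existing secret permissions
    # are merged in so the call does not narrow what the identity already has.
    $secrets = @($policy.PermissionsToSecrets) + 'get' |
        Where-Object { $_ } | Select-Object -Unique
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
        -ObjectId $identity.PrincipalId -PermissionsToSecrets $secrets
}
```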
