FEST

Reputation: 883

Azure - Add private certificate - error with Key vault key and permissions

Basically I'm trying to add a private certificate (.pfx file) to an Integration Account. I'm using the new portal.

What I've done/created:

Whenever I go to my Integration Account > Certificates > Add > choose [Certificate Type]="Private", the comboboxes Resource Group and Key Vault get filled automatically but the Key Name throws the following error:

Communication with key vault [MY_KEY_VAULT] failed. Please authorize logic apps to perform operations on key vault by granting access for the logic apps service principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba' for 'list', 'get', 'decrypt' and 'sign' operations.

The weird thing is that the ObjectID 7cd684f4-8a78-49b0-91ec-6a35d38739ba does not belong to my AD but to my company AD.

Upvotes: 1

Views: 3053

Answers (3)

oɔɯǝɹ

Reputation: 7625

The Guid given in the error message is a bit misleading. It refers to the Azure Logic Apps service account.

You can resolve the issue by giving the user 'Azure Logic Apps' the required permissions in the Key Vault.


Upvotes: 3

Padma Chilakapati

Reputation: 34

The error message you have copied clearly says that the authorization step is missing. You need to authorize Logic Apps to perform operations on the Key Vault by granting access to the Logic Apps service principal ('7cd684f4-8a78-49b0-91ec-6a35d38739ba').

Execute the Set access policy given above.

I have copied the error you have posted for reference.

"Communication with key vault [MY_KEY_VAULT] failed. Please authorize logic apps to perform operations on key vault by granting access for the logic apps service principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba' for 'list', 'get', 'decrypt' and 'sign' operations"

Upvotes: -1

Padma Chilakapati

Reputation: 34

You need to set an access policy.

When you create a private certificate, follow these steps:

  1. Upload the key to the key vault.

  2. Set an access policy for the Logic Apps service principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba'.

    Set access policy:

     # Application id of the Azure Logic Apps service principal, taken from the error message
     $servicePrincipal = '7cd684f4-8a78-49b0-91ec-6a35d38739ba'
     Set-AzureRmKeyVaultAccessPolicy -VaultName 'IntegrationAccountVault1' -ServicePrincipalName $servicePrincipal -PermissionsToKeys decrypt, sign, get, list

  3. In the integration account, use Add certificate and select Private certificate from the dropdown. Associate the key with the corresponding public certificate.

Upvotes: 2
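As an added example (not code from the question or any of the answers), the following script goes one step further than the one-liner above: it resolves the Logic Apps application id to the service principal object in your tenant, checks which of the four required key permissions are missing on the vault, and grants only those while preserving whatever the principal already had. It assumes the AzureRM modules are loaded, Login-AzureRmAccount has been run against the subscription that owns the vault, and the vault name is passed as a parameter.

```powershell
# Added example: verify and, if needed, grant the Logic Apps service
# principal the key permissions named in the error, without dropping
# permissions it already holds. Assumes AzureRM modules and an active login.
param(
    [Parameter(Mandatory)] [string] $VaultName,
    # Application id from the error message; the tenant-specific object id is resolved below.
    [string] $LogicAppsAppId = '7cd684f4-8a78-49b0-91ec-6a35d38739ba'
)

$required = @('list', 'get', 'decrypt', 'sign')

# The GUID in the error is an application id of a Microsoft-owned multi-tenant
# app, which is why it does not show up as an object in your own directory.
# Resolve it to the service principal object that exists in this tenant.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $LogicAppsAppId
if (-not $sp) { throw "Logic Apps service principal $LogicAppsAppId not found in this tenant" }

$vault   = Get-AzureRmKeyVault -VaultName $VaultName
$policy  = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
$current = @()
if ($policy) { $current = @($policy.PermissionsToKeys) }

# Comparison is case-insensitive, so 'Get' in the policy satisfies 'get'.
$missing = @($required | Where-Object { $current -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Output "Vault '$VaultName': Logic Apps already has $($required -join ', ') on keys"
    return
}
Write-Output "Vault '$VaultName': granting missing key permissions: $($missing -join ', ')"

# Set-AzureRmKeyVaultAccessPolicy replaces the principal's key permission list
# rather than merging into it, so pass existing + missing to avoid a silent downgrade.
$union = @($current + $missing)
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id -PermissionsToKeys $union

# Re-read the vault and confirm every required permission is now present.
$after = (Get-AzureRmKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id }
$still = @($required | Where-Object { $after.PermissionsToKeys -notcontains $_ })
if ($still.Count -gt 0) { throw "Permissions still missing after update: $($still -join ', ')" }
Write-Output "Verified key permissions for Logic Apps: $($after.PermissionsToKeys -join ', ')"
```

Because the grant is limited to the four key operations the error asks for (no secrets or certificate permissions, no key create/delete), the vault stays at the least privilege Logic Apps needs to sign and decrypt with the private certificate.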
