Identity

Reputation: 1673

Issue with KeyVault reference in ARM template

I am trying to create a master key vault, which will contain all certificates to authenticate as a certain user.

I have 2 service principals => One for my app, One for deployment. The idea is that the deploy service principal gets access to the Key Vault and adds the certificate located there to the Store of the web applications.

I have created the service principal and I have given it all permissions on the key vault. Also I have enabled "access secrets in ARM templates" for that key vault.

Using PowerShell I am able to log in as the deploying SP and retrieve the secret (certificate).

However this does not work when deploying the ARM template with a reference to the key vault. I got the following error:

New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{
  "Code": "BadRequest",
  "Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key 
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
  "Target": null,
  "Details": [
    {
      "Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key 
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
    },

My ARM template looks like this:

    {
        "type": "Microsoft.Web/certificates",
        "name": "test-certificate",
        "apiVersion": "2016-03-01",
        "location": "[resourceGroup().location]",
        "properties": {
            "keyVaultId": "[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
            "keyVaultSecretName": "kv-certificate-test",
            "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
        }
    },

Is this a bug? Because I am able to retrieve the certificate using the Deploy SP with:

 $key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"

This is my ARM template: (note, the Key vault lives in another resource group than the resources in the ARM template)

    {
        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
        "contentVersion": "1.0.0.0",
        "parameters": {},
        "variables": {},
        "resources": [
            {
                "type": "Microsoft.Web/certificates",
                "name": "test-certificate",
                "apiVersion": "2016-03-01",
                "location": "[resourceGroup().location]",
                "dependsOn": [
                    "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
                ],
                "properties": {
                    "keyVaultId": "/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
                    "keyVaultSecretName": "testcert",
                    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
                }
            },
            {
                "name": "wa-test1",
                "type": "Microsoft.Web/sites",
                "location": "[resourceGroup().location]",
                "apiVersion": "2016-08-01",
                "dependsOn": [
                    "[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
                ],
                "tags": {
                    "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
                    "displayName": "wa-test1"
                },
                "properties": {
                    "name": "wa-test1",
                    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
                }
            },
            {
                "name": "asp-test",
                "type": "Microsoft.Web/serverfarms",
                "location": "[resourceGroup().location]",
                "apiVersion": "2014-06-01",
                "dependsOn": [],
                "tags": {
                    "displayName": "appServicePlan"
                },
                "properties": {
                    "name": "asp-test",
                    "sku": "Free",
                    "workerSize": "Small",
                    "numberOfWorkers": 1
                }
            }
        ]
    }

Upvotes: 3

Views: 8503

Answers (3)

apostolov

Reputation: 1646

I was not able to add the policies through the Set-AzureRmKeyVaultAccessPolicy command due to an error in the console.

I was however able to resolve the issue through the Azure web interface by opening the Key Vault's Access Control (IAM) and adding the Key Vault Reader and Key Vault Secrets User roles to Microsoft.Azure.Websites.

I wrote the same answer here as well.

Upvotes: 0

Sunny Sharma

Reputation: 4934

I tried all the answers but they didn't work. Here's what worked for me:

setting the access permissions for the two service principals on the key vault.
Read more here:

https://devsdaily.com/key-vault-failed-to-sync-the-certificate-the-service-does-not-have-access-to-key-vault/

Upvotes: 0

4c74356b41

Reputation: 72151

I believe you are missing a permission for a Resource Provider to access Key Vault: the Web App uses its own Resource Provider to do that, so you need to grant that RP access to the key vault:

    Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
        -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd

Reference:

https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html

Upvotes: 7
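The accepted answer's one-liner is the fix; the script below, added here as an example and not taken from the question, the answers or the linked blog post, wraps it in a check-then-grant-then-verify loop so the same least-privilege policy (only `get` on secrets, no key or certificate permissions) is applied both to the App Service resource provider and to the deploying service principal, and nothing is deployed until both policies are confirmed present. It uses the same legacy AzureRM cmdlets as the thread (the Az module equivalents are the same names with `AzureRm` replaced by `Az`). The vault name and resource group come from the question; the deployment resource group `rg-web`, the template path `.\webapp.json` and the deploy SP's application id are placeholders I have assumed and must be replaced. The well-known application id `abfa0a7c-a6b6-4736-8310-5855508787cd` is the App Service RP's (Microsoft.Azure.WebSites) and is the same in every tenant, which is why it can be hard-coded.

```powershell
# Added example (not from the original post). Assumes the AzureRM module and an
# already logged-in session with rights to edit the vault's access policies and
# to read service principals in the directory.
$VaultName          = 'master-key-vault'
$VaultResourceGroup = 'rg-temp'                  # the vault's own resource group (from the question)
$DeployResourceGroup = 'rg-web'                  # where the template goes (assumed name)
$TemplateFile       = '.\webapp.json'            # the question's template saved to disk (assumed path)
$DeploySpAppId      = '00000000-0000-0000-0000-000000000000'  # placeholder: your deploy SP's application id

# Well-known application id of the App Service resource provider
# (Microsoft.Azure.WebSites). This is the principal that actually reads the
# PFX out of the vault when Microsoft.Web/certificates is created, so it is
# the one that was missing a policy.
$AppServiceRpAppId = 'abfa0a7c-a6b6-4736-8310-5855508787cd'

function Grant-SecretGet {
    param([Parameter(Mandatory)][string]$ServicePrincipalName)
    # Least privilege: "get" on secrets is all that is needed to read the PFX.
    # No list/set/delete, and nothing on keys or certificates.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
        -ResourceGroupName $VaultResourceGroup `
        -ServicePrincipalName $ServicePrincipalName `
        -PermissionsToSecrets get
}

function Test-SecretGet {
    param([Parameter(Mandatory)][string]$ServicePrincipalName)
    # Access policies are keyed by object id, so resolve the SP first.
    # -ServicePrincipalName accepts the application id as the SPN, which is the
    # same lookup Set-AzureRmKeyVaultAccessPolicy performs.
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ServicePrincipalName
    if (-not $sp) { return $false }
    $vault  = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $VaultResourceGroup
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    return [bool]($policy -and ($policy.PermissionsToSecrets -contains 'get'))
}

# The asker's Get-AzureKeyVaultSecret test passed because the deploy SP had a
# policy; the template failed because the App Service RP had none. Treat both
# principals the same way: grant only what is missing, then verify it stuck.
foreach ($spn in @($AppServiceRpAppId, $DeploySpAppId)) {
    if (-not (Test-SecretGet -ServicePrincipalName $spn)) {
        Grant-SecretGet -ServicePrincipalName $spn
    }
    if (-not (Test-SecretGet -ServicePrincipalName $spn)) {
        throw "Secret 'get' policy for $spn is not present on vault $VaultName"
    }
}

# Validate the template's structure before creating anything. Validation does
# not exercise the RP's vault access, so the policy check above still matters.
$validation = Test-AzureRmResourceGroupDeployment -ResourceGroupName $DeployResourceGroup `
    -TemplateFile $TemplateFile
if ($validation) {
    $validation | ForEach-Object { Write-Error $_.Message }
    throw 'Template validation failed'
}

New-AzureRmResourceGroupDeployment -ResourceGroupName $DeployResourceGroup `
    -TemplateFile $TemplateFile
```

Two caveats worth keeping in mind. The "access secrets in ARM templates" switch the asker enabled (the vault's `EnabledForTemplateDeployment` flag) only governs Key Vault references in template *parameters*; a `Microsoft.Web/certificates` resource is a different path, in which the App Service RP fetches the secret under its own identity, so that flag does not help here and the RP's own `get` policy is what the error message is asking for. And because that policy is granted to a Microsoft-owned principal, keep it to `get` on secrets alone and put the certificate in a vault that holds nothing the web platform has no business reading.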
