Reputation: 1310
We have 2 subscriptions
We are able to assign the web app access to Key Vault to get credentials, and it is working fine through Key Vault -> Access Policies -> Add New -> Select Principal.
With UAT subscription, WebApp is not listed when we want to select it to allow access to read credentials. I can see APIM is listed but not the webapp.
I checked the App Service plan and the other default configuration; everything looks the same.
Are there any more rules applied to the list?
Upvotes: 7
Views: 2759
Reputation: 1310
Identity status in Azure portal was in "Off" mode Webapp -> Settings -> Identity
I changed it to "On" and saved it.
Now I can see the web app inside the Select Principal option.
Upvotes: 20
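The same fix done from PowerShell, as an added example (not code from the question or the answer; the resource group, web app and vault names are placeholder assumptions): turn on the web app's system-assigned identity, then grant that principal a least-privilege access policy on the vault and verify the entry. The check after step 2 fails in exactly the state described in the question, where the identity is still "Off" and the app therefore never appears as a principal.

```powershell
# Added example, not from the question or answer. Names are placeholders.
$ResourceGroup = 'rg-uat'        # assumption: placeholder resource group
$WebAppName    = 'webapp-uat'    # assumption: placeholder web app name
$VaultName     = 'kv-uat'        # assumption: placeholder key vault name

# Work in the UAT subscription where the web app was missing from the list.
Select-AzSubscription -SubscriptionId 'YourSubscriptionID' | Out-Null

# Step 1: a web app is only offered under "Select principal" once it has an
# identity, so enable the system-assigned managed identity (idempotent).
Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName -AssignIdentity $true | Out-Null

# Step 2: read back the object (principal) ID of that identity.
$webApp      = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebAppName
$principalId = $webApp.Identity.PrincipalId
if (-not $principalId) {
    throw "Web app '$WebAppName' has no system-assigned identity; it will not be listed as a principal."
}

# Step 3: grant only what the app needs to read credentials (get/list on
# secrets) rather than the broad default set the portal offers.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId -PermissionsToSecrets get,list

# Step 4: verify the entry exists and carries only the intended permissions.
$entry = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
         Where-Object { $_.ObjectId -eq $principalId }
if (-not $entry) { throw "No access policy entry found for principal $principalId" }
"Principal $principalId -> secrets: $($entry.PermissionsToSecrets -join ',')"
```

Because the identity is system-assigned, deleting the web app also removes the principal, so the access policy entry stops granting anything once the app is gone; that is the reason to prefer it over a shared client secret stored in app settings.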
Reputation: 28204
Web app and Key vault should be in the same tenant when you enable the access policy of key vault for your web app. Taken from this doc.
When you create a new key vault in a subscription, it is automatically tied to the default Azure Active Directory tenant ID for that subscription. All access policy entries are also tied to this tenant ID. When you move your Azure subscription from tenant A to tenant B, your existing key vaults are inaccessible by the principals (users and applications) in tenant B. To fix this issue, you need to:
- Change the tenant ID associated with all existing key vaults in this subscription to tenant B.
- Remove all existing access policy entries.
- Add new access policy entries that are associated with tenant B.
For example, if you have key vault 'myvault' in a subscription that has been moved from tenant A to tenant B, here's how to change the tenant ID for this key vault and remove old access policies.
```powershell
Select-AzSubscription -SubscriptionId YourSubscriptionID
$vaultResourceId = (Get-AzKeyVault -VaultName myvault).ResourceId
$vault = Get-AzResource -ResourceId $vaultResourceId -ExpandProperties
$vault.Properties.TenantId = (Get-AzContext).Tenant.TenantId
$vault.Properties.AccessPolicies = @()
Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties
```
If you want to know about moving resources to a new resource group or subscription, read here.
Upvotes: 1
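A check to run before adding a new access policy entry, as an added example (not from the answer or the Microsoft doc it quotes; the vault name is a placeholder): compare the vault's tenant with the tenant you are signed in to, and list any access policy entries whose principal cannot be resolved in that tenant, which is the state the doc describes after a subscription move from tenant A to tenant B.

```powershell
# Added example, not from the answer or the linked doc. Vault name is a placeholder.
$VaultName = 'myvault'   # assumption: placeholder key vault name

$vault         = Get-AzKeyVault -VaultName $VaultName
$contextTenant = (Get-AzContext).Tenant.Id

# A vault only accepts principals from the tenant it is tied to; a mismatch
# here is why a web app from the current tenant never shows up as a principal.
if ([string]$vault.TenantId -ne $contextTenant) {
    Write-Warning ("Vault '$VaultName' is tied to tenant $($vault.TenantId) but you are signed in to " +
                   "$contextTenant; principals from this tenant are not accepted until the vault's TenantId is changed.")
}

# Each access policy entry references a principal by ObjectId. After a tenant
# move those IDs belong to the old tenant and resolve to nothing here, so the
# entries are dead weight and should be removed before new ones are added.
$stale = foreach ($entry in $vault.AccessPolicies) {
    $resolved = (Get-AzADServicePrincipal -ObjectId $entry.ObjectId -ErrorAction SilentlyContinue) -or
                (Get-AzADUser             -ObjectId $entry.ObjectId -ErrorAction SilentlyContinue) -or
                (Get-AzADGroup            -ObjectId $entry.ObjectId -ErrorAction SilentlyContinue)
    if (-not $resolved) { $entry }
}

if ($stale) {
    "Access policy entries with no matching principal in tenant ${contextTenant}:"
    $stale | Select-Object ObjectId, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates |
             Format-Table -AutoSize
} else {
    "All access policy entries resolve to principals in tenant $contextTenant."
}
```

Running this read-only audit first tells you whether the missing web app is an identity problem (fix in the web app's Identity blade) or a tenant problem (fix with the Set-AzResource sequence in the answer), and which old entries to remove so a moved vault does not keep granting rights to object IDs nobody in the new tenant controls.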