Azure Blueprint - Creating Web certificate from Key Vault secret gives access denied error

Question

We got this big azure blueprint template that creates a lot of artifacts for us. One of the artifacts is the Azure Key Vault. The Key Vault gets created and the needed secrets are in there.

One of the other artifacts he tries to create is an Microsoft.Web/certificates. We try to create that with the below json

 {
    "name": "create-certificate",
    "kind": "template",
    "properties": {
        "template": {
            "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
                "name": {
                    "type": "string"
                },
                "location": {
                    "type": "string"
                },
                "vaultName": {
                    "type": "string"
                },
                "serverFarmId": {
                    "type": "string"
                }
            },
            "resources": [
                {
                    "type": "Microsoft.Web/certificates",
                    "name": "[parameters('name')]",
                    "apiVersion": "2016-03-01",
                    "location": "[parameters('location')]",
                    "properties": {
                        "keyVaultId": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]",
                        "keyVaultSecretName": "Origin-Certificate",
                        "serverFarmId": "[parameters('serverFarmId')]"
                    }
                }
            ]
        },
        "resourceGroup": "TD-RG",
        "parameters": {
            "name": {
                "value": "[concat(parameters('environmentSuffix'), '-Orgin')]"
            },
            "location": {
                "value": "[parameters('location')]"
            },
            "vaultName": {
                "value":"[concat(parameters('environmentSuffix'), '-Vault')]"
            },
            "ServerFarmId": {
                "value": "[artifacts('create-service-plan').outputs.ServerFarmId]"
            }
        },
        "dependsOn": ["create-service-plan", "create-key-vault"]
    }   
}

So it nicely waits that we first create an service plan and the key vault and then tried to read the orgin certificate from the key vault secret. The error that we then get is:

The service does not have access to '{KEY VAULT PATH}' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

Searching the internet we found that we can give extra permissions to the key vault. With things like the following powershell command:

Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
   -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd

Source of this script: Issue with KeyVault reference in ARM template

But the problem with this is, that the permissions are overwritten by the artifact definition that creates the key vault and so it can not be set trough Power shell. But I cannot get this right in the blueprint. For other users i already set permissions when we create the key vault and that works. But adding this like below doesn't work.

{
   "objectId": "abfa0a7c-a6b6-4736-8310-5855508787cd",
   "tenantId": "[parameters('tenantId')]",
   "permissions": {
     "secrets": [
       "get"
     ]
   }
 }

So now it stay's a riddle how to create an key vault and use an secret in the next artifact.

Azure Blueprint - Creating Web certificate from Key Vault secret gives access denied error

Answers (1)

Related Questions