Reputation: 223
I have an SSL cert in my Azure key vault that I am trying to import to the correct App Service.
I am the owner of the Azure subscription and I have given the App Service GET and LIST permissions for certificates on the vault.
On my App Service I click TLS/SSL settings > Private Key Certificates (.pfx) > Import Key Vault Certificate.
This is the message I receive
Another owner on the subscription is able to complete this process successfully. So I am not sure why I am not able to when we both have owner roles on the subscription?
Is anyone able to offer any suggestions please?
Upvotes: 0
Views: 4930
Reputation: 11401
When you are trying the operation from the Azure Portal and you are an Owner of the Subscription, then Azure by default adds an access policy for the Azure App Service Resource Provider and you do not need to add any further access policies for the Web App.
Example:
I created a Web App with system managed identity and a Key vault with the below added Access Policies. I am an Owner of the Subscription and a User in the Azure Active Directory.
When I perform the import certificate operation in the TLS/SSL Settings, the access policy gets automatically updated with the Azure App Service Service Principal Credential.
In your case it's not able to find the details of the Resource Provider Service Principal. As a solution you can try adding Microsoft.Azure.CertificateRegistration (i.e. ObjectId: ed47c2a1-bd23-4341-b39c-f4fd69138dd3), Microsoft Azure App Service (Internal) (i.e. ObjectId: 505e3754-d8a9-4f8b-97b6-c3e48ac7a543) & Microsoft Azure App Service (i.e. ObjectId: f8daea97-62e7-4026-becf-13c2ea98e8b4) in the access policy for the key vault.
Note: If the issue is still not resolved, please reach out to Azure Support for better assistance.
Upvotes: 1
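To check which of the three principals named in the answer above are still missing from a vault's access policies, the following added example (not code from the original post or from Microsoft) audits the JSON returned by `az keyvault show`. The required permission set (`get` on secrets and certificates) and the sample vault JSON are assumptions constructed for illustration; the object IDs are copied from the answer, so pass your own tenant's values if they differ.

```python
import json

# Object IDs exactly as listed in the answer above; replace them if your tenant differs.
EXPECTED = {
    "ed47c2a1-bd23-4341-b39c-f4fd69138dd3": "Microsoft.Azure.CertificateRegistration",
    "505e3754-d8a9-4f8b-97b6-c3e48ac7a543": "Microsoft Azure App Service (Internal)",
    "f8daea97-62e7-4026-becf-13c2ea98e8b4": "Microsoft Azure App Service",
}
# Assumption (not stated on the page): "get" on secrets and certificates is enough.
REQUIRED = {"secrets": {"get"}, "certificates": {"get"}}


def audit_vault(vault_json, expected=EXPECTED, required=REQUIRED):
    """Return {principal name: [missing 'kind/permission', ...]} for gaps only."""
    props = json.loads(vault_json)["properties"]
    if props.get("enableRbacAuthorization"):
        # Access policies are ignored when the vault uses Azure RBAC.
        raise ValueError("vault uses RBAC authorization; access policies do not apply")
    granted = {}
    for policy in props.get("accessPolicies") or []:
        perms = policy.get("permissions") or {}
        entry = granted.setdefault(policy["objectId"].lower(), {})
        for kind, values in perms.items():
            entry.setdefault(kind, set()).update(v.lower() for v in values or [])
    gaps = {}
    for object_id, name in expected.items():
        have = granted.get(object_id.lower(), {})
        missing = sorted(
            f"{kind}/{perm}"
            for kind, needed in required.items()
            for perm in needed - have.get(kind, set())
        )
        if missing:
            gaps[name] = missing
    return gaps


# Constructed sample shaped like `az keyvault show --name <vault> -o json`.
SAMPLE = json.dumps({"properties": {"enableRbacAuthorization": False, "accessPolicies": [
    {"objectId": "f8daea97-62e7-4026-becf-13c2ea98e8b4",
     "permissions": {"secrets": ["Get"], "certificates": ["Get", "List"], "keys": None}},
    {"objectId": "505e3754-d8a9-4f8b-97b6-c3e48ac7a543",
     "permissions": {"certificates": ["get", "list"]}},
]}})

if __name__ == "__main__":
    for name, missing in audit_vault(SAMPLE).items():
        print(f"{name}: missing {', '.join(missing)}")
```

An empty result means every expected principal already holds the required permissions; a `ValueError` means the vault is in RBAC mode, where role assignments rather than access policies decide access.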