Azure API Managment User Assigned Identity Custom Domain KeyVault
I have the following issue:
Steps (Azure portal):
- Create Azure APIM (Devloper sku, internal vnet, no system assigned managed identity!)
- Create own Managed identity (user managed identity) - UAI
- Create KeyVault
- UAI: Create Role Assignment for UIA and KeyVault with Reader role and Scope KeyVault
- KeyVault: Create KeyVault Access Policy for UAI with "Get", "List" for Secrets and Certs
- APIM: Assign UAI to APIM instance (no SystemAssigned Identity!)
- KeyVault: Upload a cert to KeyVault for custom domain name
- APIM: Try to create custom domain name in APIM, select Cert from KeyVault and then click add
Issue: Portal asks me to grant Get/List to APIM instance. Why ? UAI should have that already! If I click yes on the dialog that asks if I want to grant that policy an error occurs.
SystemAssigned Identity works by the way.
Did I miss something here ?
Solution
UI does not support that at the moment, but it is possible through API, see "identityClientId" and "keyVaultId" here: https://learn.microsoft.com/en-us/rest/api/apimanagement/2021-01-01-preview/api-management-service/create-or-update#hostnameconfiguration
- YAML strings including special characters % and & were not printed correctly for Windows environment
- Terraform Error while trying to use Azure Key Vault Private Endpoint Resource
- How do I get a certificate (public and private key) into a windows container in AKS?
- Error while running Terraform Import Command to import Azure Key Vault
- Using azuresigntool in an Azure DevOps pipeline
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Can we get secret value using dbutil in databricks from across envrionment?
- Use of HttpClient with a DelegatingHandler in Azure Durable Orchestrations
- ClickOnce signing via Azure Key Vault
- How to load secrets.json for the Local environment instead of Development in ASP.NET Core?
- Azure key vault certificate throws bad parameter error
- How to add new secrets (from Azure Key Vault) to the variable group in Azure Devops
- Retrieve Secret from Azure Key Vault fails in .NET Aspire, but works with curl
- Creating RSA Public Key From String throws exception
- Azure functions - where to store configuration values
- Is it possible to create multiple Key Vaults in the same resource group?
- Uses SQL connection strings from Azure Keyvault in Azure functions
- Azurerm: KeyVault Nested Item should contain 2 or 3 segments, got 10
- Key Vault Secret issue - Firewall is turned on and your client IP address is not authorized to access this key vault
- Need guidance on how to create Access Policy for Key Vault in a different group from ARM Template deployment
- Terraform set data source of key vault based on variable
- Link private endpoint connection with Azure Keyvault using ARM template
- Create Azure Key Vault backed secret scope in Databricks with AAD Token
- Azure KeyVault Secret near expiry list to email as a notification
- Azure Key Vault Signature Format
- Access policies not available
- How to use an RSA key for Duende Identity Server v7
- Expanding variable group resource data: failed to get Azure key value.Failed to query service connection API
- KQL query to list the secrets and keys in keyvault that are expired or going to expire in 7 days
- Azure Managed HSM: Decrypt in C# using encryption result from Azure CLI