Azure API Managment User Assigned Identity Custom Domain KeyVault
I have the following issue:
Steps (Azure portal):
- Create Azure APIM (Devloper sku, internal vnet, no system assigned managed identity!)
- Create own Managed identity (user managed identity) - UAI
- Create KeyVault
- UAI: Create Role Assignment for UIA and KeyVault with Reader role and Scope KeyVault
- KeyVault: Create KeyVault Access Policy for UAI with "Get", "List" for Secrets and Certs
- APIM: Assign UAI to APIM instance (no SystemAssigned Identity!)
- KeyVault: Upload a cert to KeyVault for custom domain name
- APIM: Try to create custom domain name in APIM, select Cert from KeyVault and then click add
Issue: Portal asks me to grant Get/List to APIM instance. Why ? UAI should have that already! If I click yes on the dialog that asks if I want to grant that policy an error occurs.
SystemAssigned Identity works by the way.
Did I miss something here ?
2025 Update:
Since last time this functionality has been rolled out a while ago in Azure Portal, see for reference: https://learn.microsoft.com/en-us/azure/api-management/configure-custom-domain?tabs=key-vault#set-a-custom-domain-name---portal Setting up custom hostname with certificate coming from Key Vault is beneficial since Portal will take care of setting up necessary permissions (https://learn.microsoft.com/en-us/answers/questions/1536911/azure-key-vault-rbac-permissions-required-for-apim)
Previous answer:
UI does not support that at the moment, but it is possible through API, see "identityClientId" and "keyVaultId" here: https://learn.microsoft.com/en-us/rest/api/apimanagement/2021-01-01-preview/api-management-service/create-or-update#hostnameconfiguration
- Azure API Managment User Assigned Identity Custom Domain KeyVault
- az keyvault key create error when creating symmetric key
- Spring-Boot using key vault by manage-identity
- Is it possible to store the Microsoft RSA Root Certificate Authority 2017 certificate in Key Vault?
- KeyVault Template - Multiple AccesPolicies
- Azure Key Vault Not Accessible before Build() in .NET 6 Container App
- Private KeyVault secret reference from Function Apps in multiple VNets in the same resource group
- Service Connection permissions error when trying to access Azure Key vault secrets from within an Azure DevOps pipeline with the task AzureKeyVault@2
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- How can I Get Started Using Certificates to Authenticate my APIs Using Azure Key Vault?
- YAML strings including special characters % and & were not printed correctly for Windows environment
- referencing different subscription resource
- Is Key Vault the cause of 500 error App Service
- Terraform Error while trying to use Azure Key Vault Private Endpoint Resource
- How do I get a certificate (public and private key) into a windows container in AKS?
- Error while running Terraform Import Command to import Azure Key Vault
- Using azuresigntool in an Azure DevOps pipeline
- How to enable logging and speed up startup time for Azure App Configuration?
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Can we get secret value using dbutil in databricks from across envrionment?
- Use of HttpClient with a DelegatingHandler in Azure Durable Orchestrations
- ClickOnce signing via Azure Key Vault
- How to load secrets.json for the Local environment instead of Development in ASP.NET Core?
- Azure key vault certificate throws bad parameter error
- How to add new secrets (from Azure Key Vault) to the variable group in Azure Devops
- Retrieve Secret from Azure Key Vault fails in .NET Aspire, but works with curl
- Creating RSA Public Key From String throws exception
- Azure functions - where to store configuration values
- How the application hosted in the Azure Virtual Machine will fetch the keys and secrets from the Azure Key vault?
- Is it possible to create multiple Key Vaults in the same resource group?