I am trying to use RBAC to sync an SSL certificate from an key vault into a web app. I have given the web app the Key Vault Certificate User role but I am still getting this error:
Failed to import Key Vault Certificate for mbos.mercedes-benz.com due to error: The service does not have access to '/subscriptions/xxx/resourcegroups/xxx-rg/providers/microsoft.keyvault/vaults/xxx-kv' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.
The same web app has no issues accessing secrets from the same key vault using the Key Vault Secrets User role.
Azure being Azure, for certificates specifically, you need to also give the `Key Vault Certificate User` to the global App Service resource provider (same resource for everyone):
Go to you key vault
Open Access control (IAM)
Click Add role assignment
Find the role Key Vault Certificate User
Select Assign access to User, group, or service principal
Add member 551735cb-c10c-40a3-8266-5d4a93fd07ce or abfa0a7c-a6b6-4736-8310-5855508787cd
Click Review + Assign
Or via Azure CLI:
az role assignment create \
--role "Key Vault Certificate User" \
--assignee "abfa0a7c-a6b6-4736-8310-5855508787cd" \
--scope "/subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}"