Azure - Add private certificate - error with Key vault key and permissions

1
votes

Basically I'm trying to add a private certificate (.pfx file) to an Integration Account. I'm using the new portal.

What I've done/created:

  • Resource Group
  • Integration Account
  • Key Vault
  • Active Directory
  • Give permissions to my user to all keys and secrets using command Set-AzureRmKeyVaultAccessPolicy

Whenever I go to my Integration Account > Certificates > Add > choose [Certificate Type]="Private", the comboboxes Resource Group and Key Vault get filled automatically but the Key Name throws the following error:

Communication with key vault [MY_KEY_VAULT] failed. Please authorize logic apps to perform operations on key vault by granting access for the logic apps service principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba' for 'list', 'get', 'decrypt' and 'sign' operations.

Weird stuff is that the ObjectID 7cd684f4-8a78-49b0-91ec-6a35d38739ba does not belong to my AD but to my company AD.

3
azurecertificateazure-keyvault

3 Answers

2
votes

Need to set access policy

When you create private certificate, follow these steps:

  1. Upload key to key vault

  2. Set access policy, where logic apps service principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba'

    Set access policy:

     Set-AzureRmKeyVaultAccessPolicy -VaultName 'IntegrationAccountVault1' -ServicePrincipalName $servicePrincipal -PermissionsToKeys  decrypt, sign, get, list

  3. In integration account, use add certificate and select private certificate from dropdown. Associate key with the corresponding public certificate.

3
votes

The Guid given in the error message is a bit misleading. It refers to the Azure Logic Apps service account.

You can resolve the issue by giving the user 'Azure Logic Apps' the required permissions in the KeyVault

enter image description here

-1
votes

The error message you have copied clearly says that the authorization step is missing. Need to authorize the Logic Apps to perform operations on Key Vault by granting access to the Logic Apps service principal ('7cd684f4-8a78-49b0-91ec-6a35d38739ba').

Execute the Set access policy given above.

I have copied the error you have posted for reference.

"Communication with key vault [MY_KEY_VAULT] failed. Please authorize logic apps to perform operations on key vault by granting access for the logic apps service principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba' for 'list', 'get', 'decrypt' and 'sign' operations"