3
votes

I am trying to create a master key vault, which will contain all certificates to authenticate as a certain user.

I have 2 service principals: one for my app, one for deployment. The idea is that the deploy service principal gets access to the Key Vault and adds the certificate located there to the store of the web applications.

I have created the service principal and I have given it all permissions on the key vault. Also I have enabled access to secrets in ARM templates for that key vault.

Using PowerShell I am able to log in as the deploying SP and retrieve the secret (certificate).

However, this does not work when deploying the ARM template with a reference to the key vault. I get the following error:

New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{
  "Code": "BadRequest",
  "Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key 
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
  "Target": null,
  "Details": [
    {
      "Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key 
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
    },

My ARM template looks like this:

    {
        "type": "Microsoft.Web/certificates",
        "name": "test-certificate",
        "apiVersion": "2016-03-01",
        "location": "[resourceGroup().location]",
        "properties": {
            "keyVaultId": "[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
            "keyVaultSecretName": "kv-certificate-test",
            "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
        }
    },

Is this a bug? Because I am able to retrieve the certificate using the Deploy SP with:

    $key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"

This is my ARM template: (note, the Key vault lives in another resource group than the resources in the ARM template)

    {
        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
        "contentVersion": "1.0.0.0",
        "parameters": {},
        "variables": {},
        "resources": [
            {
                "type": "Microsoft.Web/certificates",
                "name": "test-certificate",
                "apiVersion": "2016-03-01",
                "location": "[resourceGroup().location]",
                "properties": {
                    "keyVaultId": "/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
                    "keyVaultSecretName": "testcert",
                    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
                }
            },
            {
                "name": "wa-test1",
                "type": "Microsoft.Web/sites",
                "location": "[resourceGroup().location]",
                "apiVersion": "2016-08-01",
                "dependsOn": [
                    "[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
                ],
                "tags": {
                    "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
                    "displayName": "wa-test1"
                },
                "properties": {
                    "name": "wa-test1",
                    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
                }
            },
            {
                "name": "asp-test",
                "type": "Microsoft.Web/serverfarms",
                "location": "[resourceGroup().location]",
                "apiVersion": "2014-06-01",
                "dependsOn": [],
                "tags": {
                    "displayName": "appServicePlan"
                },
                "properties": {
                    "name": "asp-test",
                    "sku": "Free",
                    "workerSize": "Small",
                    "numberOfWorkers": 1
                }
            }
        ]
    }
2
Can you share the template? You can remove the sensitive information. – 4c74356b41
I have edited my question :) – Identity
Ok, at first glance this looks fine, I'm not sure what might be wrong. Can you create another key vault and just use your subscription admin to deploy the template (and verify the admin has got all the rights to the key vault and the key vault allows template deployments)? – 4c74356b41
I have tried to create a new Key Vault via PowerShell, using my subscription admin user. Also I have added the certificate to the key vault via PowerShell. When I try to deploy the ARM template I still get the same error. However, when retrieving the secret with PowerShell, I get a result... – Identity

2 Answers

7
votes

I believe you are missing a permission for a Resource Provider to access Key Vault. The WebApp uses its own Resource Provider to do that, so you need to grant that RP access to the key vault:

    Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
        -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd

Reference:

https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html
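The point of the answer above is that the identity fetching the certificate at deployment time is not the deploying service principal but the App Service resource provider, so it needs its own (read-only) entry in the vault's access policy. The script below is an added example, not code from the question or either answer: it grants the RP the single permission it needs, makes sure the vault allows template deployments, and then reads the access policy back to verify both before you run the deployment again. It assumes you are already logged in with the AzureRM module (Login-AzureRmAccount) as someone allowed to change the vault's access policies; the vault and resource group names are placeholders taken from the question, and the application ID is the one quoted in the answer.

```powershell
# Added example (not from the question or answers): grant the App Service
# resource provider read access to the vault's secrets and verify it.
# Assumes an existing AzureRM session with rights to edit the vault's policies.
param(
    [string]$VaultName     = "master-key-vault",   # placeholder from the question
    [string]$ResourceGroup = "rg-temp"             # placeholder from the question
)

# Application ID of the Microsoft Azure App Service resource provider (from the
# answer above). This is the identity that reads the PFX during deployment.
$appServiceRpAppId = "abfa0a7c-a6b6-4736-8310-5855508787cd"

# Least privilege: the RP only needs to read the secret holding the certificate,
# so grant 'get' on secrets and nothing else.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -ServicePrincipalName $appServiceRpAppId -PermissionsToSecrets get

# Resource Manager must also be allowed to read the vault during template deployment.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroup `
    -EnabledForTemplateDeployment

# Verify: resolve the RP's object ID in this tenant and look for its policy entry.
$rp     = Get-AzureRmADServicePrincipal -ServicePrincipalName $appServiceRpAppId
$vault  = Get-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $rp.Id }

if ($null -eq $policy -or $policy.PermissionsToSecrets -notcontains "get") {
    throw "App Service RP ($appServiceRpAppId) has no 'get' permission on secrets in $VaultName"
}
if (-not $vault.EnabledForTemplateDeployment) {
    throw "$VaultName is not enabled for template deployment"
}

Write-Output "OK: App Service RP can read secrets from $VaultName; template deployment is enabled"
```

Run it once per vault before deploying; the deploying service principal's own permissions are unaffected, which is why the question's Get-AzureKeyVaultSecret test succeeded while the Microsoft.Web/certificates resource still failed.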

0
votes

I tried all the answers but they didn't work. Here's what worked for me:

Setting the access permissions for the two service principals on the key vault.


https://devsdaily.com/key-vault-failed-to-sync-the-certificate-the-service-does-not-have-access-to-key-vault/