I am receiving the following error while trying to execute a resource group deployment.
LinkedAuthorizationFailed
"The client '' with object id '' has permission to perform action 'Microsoft.Web/certificates/write' on scope /subscriptions/<subscriptionid1>/resourcegroups/<rgname1>/providers/Microsoft.Web/certificates/certificatename'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/<subscriptionid2>/resourceGroups/<rgname2>/providers/Microsoft.KeyVault/vaults/keyvault01'."
The ARM template is trying to fetch a certificate from a Keyvault which resides in a different subscription. The template is being deployed using a Service Principal, which has the reader permission on the KeyVault.
This works fine if I set the contributor role or a custom role with the "Microsoft.KeyVault/vaults/write" permission on the Keyvault for the service principal. I have ensured that Microsoft.Azure.WebSites has GET permission and "Enable Access to Azure Resource Manager for template deployment" is checked.
The ARM template is similar to what you can see here: https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-certificate-from-key-vault
Any ideas on why this fails with the 'reader' role? Granting write on the Keyvault sounds like assigning more privileges than required.
Microsoft.KeyVault/vaults/secrets/read permission to actually do this – 4c74356b41
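The error in the question reports two separate authorization checks: the action on the certificate resource (which passes) and an action on a linked scope in the other subscription (which fails). The following is an added example, not code from the question or from Azure, that parses a LinkedAuthorizationFailed message, expands the short linked action into the full RBAC action on the linked resource type, and evaluates a proposed role assignment with a simplified RBAC model (scope inheritance plus wildcard actions; NotActions, deny assignments and data actions are not modelled). It shows why the built-in Reader role (`*/read`) cannot satisfy the linked check while the custom `Microsoft.KeyVault/vaults/write` role from the question does, and that assigning that custom role at the single vault's scope rather than the subscription is enough. The ids in the constructed message are placeholders.

```python
import re
from fnmatch import fnmatchcase

# Constructed copy of the LinkedAuthorizationFailed message from the question; ids are placeholders.
ERROR_MESSAGE = (
    "The client '' with object id '' has permission to perform action "
    "'Microsoft.Web/certificates/write' on scope '/subscriptions/<subscriptionid1>/resourcegroups/"
    "<rgname1>/providers/Microsoft.Web/certificates/certificatename'; however, it does not have "
    "permission to perform action 'write' on the linked scope(s) '/subscriptions/<subscriptionid2>/"
    "resourceGroups/<rgname2>/providers/Microsoft.KeyVault/vaults/keyvault01'."
)

# Actions of the built-in Reader role, and of the custom role the question says works.
READER_ACTIONS = ["*/read"]
VAULT_WRITE_ACTIONS = ["Microsoft.KeyVault/vaults/write"]


def parse_linked_failure(msg):
    """Return (short action, [linked scopes]) from a LinkedAuthorizationFailed message."""
    m = re.search(r"perform action '([^']+)' on the linked scope\(s\) (.+?)\.$", msg)
    if not m:
        raise ValueError("not a LinkedAuthorizationFailed message")
    return m.group(1), re.findall(r"'([^']+)'", m.group(2))


def required_action(scope, short_action):
    """Expand the short action ('write') into the full RBAC action on the linked resource type.
    Simplification: handles top-level resources only (namespace/type directly under /providers/)."""
    namespace, rtype = scope.split("/providers/", 1)[1].split("/")[:2]
    return f"{namespace}/{rtype}/{short_action}"


def role_permits(role_actions, assignment_scope, action, resource_scope):
    """True if a role with `role_actions` assigned at `assignment_scope` grants `action` on
    `resource_scope`. Scopes inherit downward; actions are case-insensitive glob patterns.
    Simplification: NotActions, deny assignments and data actions are not modelled."""
    a, r = assignment_scope.rstrip("/").lower(), resource_scope.rstrip("/").lower()
    in_scope = r == a or r.startswith(a + "/")
    allowed = any(fnmatchcase(action.lower(), pattern.lower()) for pattern in role_actions)
    return in_scope and allowed


def diagnose(msg, role_actions, assignment_scope):
    """Map every linked scope in the error to whether the proposed assignment would satisfy it."""
    short_action, scopes = parse_linked_failure(msg)
    return {s: role_permits(role_actions, assignment_scope, required_action(s, short_action), s)
            for s in scopes}
```

Run `diagnose(ERROR_MESSAGE, VAULT_WRITE_ACTIONS, "<vault resource id>")` against your own error text to confirm the narrowest assignment scope that still covers every linked scope before granting anything broader.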