Deploy a Web App certificate from Key Vault secret and use it for creating SSL binding - LinkedAuthorizationFailed

0
votes

I'm trying to add a custom domain with an SSL-binding to a web app with an ARM-template. I can do it manually in the Azure Portal but I want it to work with an ARM-template.

The certificate is in a key vault which is not in the same resource group as the web app. I have no problem accessing ordinary secrets from the key vault in my release pipeline like databaseconnectionstrings. The problem is when I try to access certificates. I have GET permissions to the keyvault certificates.

I'm using this github template https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-certificate-from-key-vault

This is the error I get when I try to deploy the ARM-template with a release pipeline.

"error": {
  "code": "LinkedAuthorizationFailed",
  "message": "The client 'xxxx' with object id 'xxxx' has permission to perform action 'Microsoft.Web/certificates/write' on scope '***/providers/Microsoft.Web/certificates/xxxxx'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.KeyVault/vaults/xxxxx'."
}

2
azureazure-web-app-serviceazure-pipelinesazure-keyvaultarm-template

2 Answers

0
votes

You could try increasing the permissions the Azure DevOps service connection has on the key vault certificates under Access Policies, maybe start with all certificate permissions as a troubleshooting step to confirm it's permission related, then reduce as required, may just need Get and Create?

0
votes

I solved it by creating 4 resources in the ARM template. A certificate, an app service plan, a web app and a hostname binding. Just like this github azure-quickstart-template https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-custom-domain-and-ssl.

The key for me was modifying the certificate resource by adding a pxfBlob and removing the key vault properties, see the code below. The certificatePfx is a securestring which is set in the release pipeline from the keyVault. 

{
  "type": "Microsoft.Web/certificates",
  "name": "[parameters('certificateName')]",
  "apiVersion": "2016-03-01",
  "location": "[resourceGroup().location]",
  "properties": {
    "name": "[parameters('webAppName')]",
    "serverFarmId": "[concat(resourceId('Microsoft.Web/serverFarms', parameters('appServicePlanName')))]",
    "hostNames": [
      "parameters('hostname_wildcard')",
      "parameters('hostname_domain')"
    ],
    "pfxBlob": "[parameters('certificatePfx')]"
  },
  "dependsOn": [
    "[concat('Microsoft.Web/sites/',parameters('webAppName'))]"
  ]
},