Unable to Import Key Vault Certificate in Azure Government Cloud - azure

I am trying to import a certificate from a Key Vault to an App Service to configure SSL in the Azure Government Cloud. When I do this I get an error stating:
Failed to get App Service Service principal details.
I am getting a similar error when I try to do this through an ARM template, which is what caused me to try this manually. I have tried giving my App Service a managed identity and giving that identity access to the key vault. I have tried a technique that worked in the regular Azure Cloud of giving the "Microsoft Azure App Service" account permission to the key vault, but that doesn't seem to exist in the Government Cloud.
I would have expected this to simply work and allow me to configure my SSL correctly on the app service so I don't need to manage the certificates individually on every app service.

You have to enable the Identity of your App Service so that it can be assigned Azure permissions, then you have to go to the Key Vault and grant the permissions to the App Service.
https://learn.microsoft.com/en-us/azure/app-service/media/app-service-managed-service-identity/msi-blade-system.png
More information:
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity
https://learn.microsoft.com/es-es/azure/key-vault/tutorial-net-create-vault-azure-web-app
https://azure.microsoft.com/en-us/resources/samples/app-service-msi-keyvault-dotnet/

I eventually found the solution to the issue.
Following the directions found here:
https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-certificate-from-key-vault
I tried to authorize the 'Microsoft.Azure.WebSites' Resource Provider as described in the link, but that GUID doesn't exist in the Government Cloud.
This link however does give you the equivalent GUID for the Government Cloud:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/azure-government/documentation-government-services-webandmobile.md#app-services
After using the script from the first link with the GUID value from the second link I was able to get both deployments and manual SSL added.

Related

Azure: System assigned identity cannot be used

One of our app services has a system assigned identity:
We wanted to start using Azure keyvault and use this identity to give this app service access.
Unfortunately the identity cannot be found:
Has anybody had a similar problem before?
I tried to find the system assigned identity in other places like Azure Ad but it could not be found there either.
I tried using system assigned identities for other app services we have and it worked for those. So the problem is only present for that specific one.
I tried to reproduce the same in my environment and got the results successfully as below:
I created an Azure App Service and turned on System Managed Identity:
Copy the Object ID and you will find the application in Azure Enterprise Applications as below:
Now, I created an Azure Key Vault and created access policy:
Search with the ObjectID of the Application as below:
The access policy created successfully using Service Principal as below:

Unable to import key vault certificate to app service - Failed to get App Service Service principal details

I have an SSL cert in my Azure key vault that I am trying to import to the correct App Service.
I am the owner of the Azure subscription and I have given the App Service GET and LIST permissions for certificates on the vault.
On my App Service I click TLS/SSL settings > Private Key Certificates (.pfx) > Import Key Vault Certificate
This is the message I receive
Another owner on the subscription is able to complete this process successfully, so I am not sure why I am not able to when we both have owner roles on the subscription.
Is anyone able to offer any suggestions please?
When you are trying the operation from the Azure Portal and you are an Owner of the Subscription, then Azure by default adds an access policy for the Azure App Service Resource Provider and you do not need to add any further access policies for the Web App.
Example:
I created a Web App with system managed identity and a Key vault with the below added Access Policies. I am an Owner of the Subscription and a User in the Azure Active Directory.
When I perform the import certificate operation in the TLS/SSL Settings, the access policy gets automatically updated with the Azure App Service Service Principal credential.
In your case it's not able to find the details of the Resource Provider Service Principal. As a solution you can try adding Microsoft.Azure.CertificateRegistration (i.e. ObjectId: ed47c2a1-bd23-4341-b39c-f4fd69138dd3), Microsoft Azure App Service (Internal) (i.e. ObjectId: 505e3754-d8a9-4f8b-97b6-c3e48ac7a543) & Microsoft Azure App Service (i.e. ObjectId: f8daea97-62e7-4026-becf-13c2ea98e8b4) in the access policy for the key vault.
Note: If the issue is still not resolved, please reach out to Azure Support for better assistance.
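Both the Government-cloud answer above and this one come down to the same step: granting the App Service resource provider's service principal read access on the vault. The script below is an added example, not code from any of the posts or from the quickstart template, and it resolves the principal at run time rather than hardcoding an ID, because a service principal's Object ID is tenant-specific and its Application ID differs between the public and Government clouds. It assumes the Az PowerShell module, that the principal's display name is 'Microsoft Azure App Service' in both clouds, and a placeholder for the fallback Application ID, which you take from the Government documentation linked earlier.

```powershell
# Added example: grant the App Service resource provider 'get' on secrets and
# certificates in a Key Vault, resolving the principal for the signed-in cloud.
param(
    [Parameter(Mandatory)] [string] $VaultName,
    # Fallback Application ID if the display-name lookup finds nothing. Placeholder:
    # substitute the value for your cloud from the documentation linked above.
    [string] $AppServiceRpAppId = '<APP-SERVICE-RP-APPID-FOR-YOUR-CLOUD>',
    [string] $Environment = 'AzureUSGovernment'   # 'AzureCloud' for public Azure
)

# Sign in against the right cloud; Key Vault and AAD endpoints differ per cloud.
$ctx = Get-AzContext
if (-not $ctx -or $ctx.Environment.Name -ne $Environment) {
    Connect-AzAccount -Environment $Environment | Out-Null
}

# Assumption: the first-party principal carries this display name in both clouds.
$sp = Get-AzADServicePrincipal -DisplayName 'Microsoft Azure App Service' |
      Select-Object -First 1
if (-not $sp) {
    $sp = Get-AzADServicePrincipal -ApplicationId $AppServiceRpAppId
}
if (-not $sp) {
    throw "App Service resource provider principal not found in this tenant; check the Application ID for $Environment."
}
Write-Host "Using service principal '$($sp.DisplayName)' (ObjectId $($sp.Id))"

# Least privilege: the certificate import only needs 'get' on secrets and
# certificates; no list, set or delete rights are required.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id `
    -PermissionsToSecrets get -PermissionsToCertificates get

# Verify that the policy landed on the vault before trying the import again.
$policy = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
          Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) { throw "Access policy for ObjectId $($sp.Id) not found on $VaultName" }
"Secrets: $($policy.PermissionsToSecrets -join ',') | Certificates: $($policy.PermissionsToCertificates -join ',')"
```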

Allowing Azure CDN to access Azure KeyVault

I'm trying to set up my Azure CDN endpoint to use HTTPS for the custom domain I already set up.
When I tried to point at the SSL cert in my Azure KeyVault, I got an error stating that I need to grant Azure CDN access to KeyVault. Any idea how I can do this -- hopefully through the Portal and NOT Powershell, though I have a feeling it'll end up requiring Powershell commands.
Basically, I'm trying to get my Azure CDN endpoint to use the SSL cert in my Azure KeyVault.
Anyway, I'd appreciate someone pointing me to an article or a set of instructions please. Thanks!
Instructions for enabling SSL with your own certificate stored in Azure KeyVault are described here:
https://learn.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate#ssl-certificates.
There's something broken with this lately.
Azure tells you to do the thing that doesn't work:
New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8" -Role Contributor
If you're curious as to what it actually does, it just gives the hidden Microsoft.AzureFrontDoor-Cdn the role Contributor in your subscription's IAM. You can view it in the portal:
It seems that the "Contributor" role no longer contains the necessary permissions to read keyvaults - namely the Microsoft.KeyVault/vaults/secrets/readMetadata/action permission.
I've noticed that:
this permission is given to the built in Key Vault Secrets User role
all the roles that seem "superior" to the secrets user like Key Vault Administrator don't work, it HAS to be Key Vault Secrets User
So what fixed it for me is going into my keyvault and giving MYSELF (not azure cdn) the permission to read and list secrets. Seems that even as owner and god-emperor of your azure instance you can't access secrets by default ("AT" is me in the screenshot):
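As an added example, not part of the post above, the script below does the RBAC side of the same fix: it checks which built-in role actually carries the readMetadata data action named in the post, then assigns 'Key Vault Secrets User' to the Microsoft.AzureFrontDoor-Cdn principal at vault scope instead of Contributor at subscription scope. It assumes the Az PowerShell module and reuses the Application ID quoted in the post; role assignments only take effect on vaults that use the RBAC permission model, so the script warns when the vault still uses access policies.

```powershell
# Added example: least-privilege Key Vault access for the CDN/Front Door principal.
param(
    [Parameter(Mandatory)] [string] $VaultName,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    # Application ID of Microsoft.AzureFrontDoor-Cdn, as quoted in the post above.
    [string] $CdnAppId = '205478c0-bd83-4e1b-a9d6-db63a3e1e1c8'
)

$action = 'Microsoft.KeyVault/vaults/secrets/readMetadata/action'

# Contributor is a control-plane role with no Key Vault data actions, which is
# why a Contributor assignment cannot satisfy the CDN's certificate lookup.
$contributor = Get-AzRoleDefinition -Name 'Contributor'
$secretsUser = Get-AzRoleDefinition -Name 'Key Vault Secrets User'
"Contributor grants ${action}: $($contributor.DataActions -contains $action)"
"Key Vault Secrets User grants ${action}: $($secretsUser.DataActions -contains $action)"

# Resolve the CDN principal in this tenant; create it only if it is missing.
$sp = Get-AzADServicePrincipal -ApplicationId $CdnAppId
if (-not $sp) { $sp = New-AzADServicePrincipal -ApplicationId $CdnAppId }

$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
if (-not $vault.EnableRbacAuthorization) {
    Write-Warning "$VaultName uses the access-policy model; RBAC assignments are ignored there. Grant 'get' on secrets with Set-AzKeyVaultAccessPolicy -ObjectId $($sp.Id) instead."
}

# Scope the data-plane role to this vault only, and skip if already present.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId `
    -RoleDefinitionName 'Key Vault Secrets User'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Key Vault Secrets User' `
        -Scope $vault.ResourceId | Out-Null
}
"'Key Vault Secrets User' assigned to $($sp.DisplayName) at $($vault.ResourceId)"
```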

Cannot import app service certificate (ASC) to Azure web-app through Azure portal due to permissions issue

When I try to import my ASC certificate to a web app, I get the following error:
Failed to add App Service certificate to the app, Check error for more details. Error Details: The service does not have access to 'path to key vault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.
I've granted my account "owner" level admin of all my resources.
What should I do?
Key Vault uses service principals for authentication when an access policy is assigned; ensure that the application is registered in Azure in order to generate a valid Service Principal for access policies. Are you using any cmdlet for importing the certificate?
I just tried the import operation (same process) via the Portal, and it seems to work fine.
Take a look at the document - az keyvault certificate import (https://learn.microsoft.com/cli/azure/keyvault/certificate?view=azure-cli-latest#az-keyvault-certificate-import) - Authorization in Key Vault uses a combination of Role based access control (RBAC) and Azure Key Vault access policies.

Unable to upload SSL certificate to Azure with a Service Principal account

I've created an ARM template that uploads an SSL certificate to Azure. I can run the ARM template from my local machine and it succeeds without any errors.
I then log into VSTS to set up a release template to perform the same task. I select the same template and provide the same parameters, but when I deploy the release it errors with a 401. The only information I can get by looking into the logs is that the request is denied because authorization failed.
I updated the permissions for the Service Principal account that VSTS is using to match my own (Owner, Contributor) of the resource group I'm deploying to and I get the same error. I then, temporarily, updated its permissions to Owner, Contributor of the entire subscription, and it still failed.
I'm beginning to suspect that this is an issue with Service Principal accounts in general, but I can't find any documentation to confirm or refute this claim.