Azure key vault - WebApp is not visible in select principal - azure

We have 2 subscriptions:
Development
UAT
We are able to assign the web app access to the key vault to get credentials, and it is working fine through Key Vault -> Access Policies -> Add New -> Select Principal.
With the UAT subscription, the web app is not listed when we want to select it to allow access to read credentials.
I can see APIM is listed but not the web app.
I checked the app service plan and the other default configuration; all looks the same.
Are there any more rules applied to the list?

Identity status in the Azure portal was in "Off" mode:
Webapp -> Settings -> Identity
I changed it to "On" and saved it.
Now I can see the web app inside the Select principal option.

The web app and the key vault should be in the same tenant when you enable the access policy of the key vault for your web app. Taken from this doc:
When you create a new key vault in a subscription, it is automatically
tied to the default Azure Active Directory tenant ID for that
subscription. All access policy entries are also tied to this tenant
ID. When you move your Azure subscription from tenant A to tenant B,
your existing key vaults are inaccessible by the principals (users and
applications) in tenant B. To fix this issue, you need to:
Change the tenant ID associated with all existing key vaults in this subscription to tenant B.
Remove all existing access policy entries.
Add new access policy entries that are associated with tenant B.
For example, if you have key vault 'myvault' in a subscription that has been moved from tenant A to tenant B, here's how to change the tenant ID for this key vault and remove old access policies.
# Select the subscription that now lives in tenant B
Select-AzSubscription -SubscriptionId YourSubscriptionID
$vaultResourceId = (Get-AzKeyVault -VaultName myvault).ResourceId
$vault = Get-AzResource -ResourceId $vaultResourceId -ExpandProperties
# Re-point the vault at the current (tenant B) tenant ID
$vault.Properties.TenantId = (Get-AzContext).Tenant.TenantId
# Drop every tenant A access policy entry (empty array, not a comment)
$vault.Properties.AccessPolicies = @()
Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties
If you want to know about moving resources to a new resource group or subscription, read here.
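Added example, not code from either answer above: the two fixes they describe (turn the web app's identity on, and make sure identity and vault are in the same tenant) done with the Az PowerShell module, with the checks a practitioner would run before and after granting the policy. The vault, web app and resource group names are placeholders; the cmdlets are the standard Az.Websites and Az.KeyVault ones.

```powershell
# Added example, not from the original answers. Placeholder names throughout.
$rg      = "rg-uat-example"
$appName = "webapp-uat-example"
$vault   = "kv-uat-example"

# 1. Identity must be On. With it Off the web app has no service principal,
#    so there is nothing for "Select principal" to list.
$app = Get-AzWebApp -ResourceGroupName $rg -Name $appName
if (-not $app.Identity -or -not $app.Identity.PrincipalId) {
    Write-Host "Identity is Off; enabling the system-assigned identity"
    $app = Set-AzWebApp -ResourceGroupName $rg -Name $appName -AssignIdentity $true
}
$principalId = $app.Identity.PrincipalId

# 2. Access policy entries are bound to the vault's tenant, so the identity's
#    tenant must match it; otherwise the principal is invisible to the vault.
$kv = Get-AzKeyVault -VaultName $vault
if ($app.Identity.TenantId -ne $kv.TenantId) {
    throw "Web app identity is in tenant $($app.Identity.TenantId) but vault $vault is in $($kv.TenantId)"
}

# 3. Grant only what reading credentials needs: Get on secrets (no List, no Set).
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $principalId -PermissionsToSecrets Get

# 4. Read the policy back rather than trusting the cmdlet's silence.
$policy = (Get-AzKeyVault -VaultName $vault).AccessPolicies |
    Where-Object { $_.ObjectId -eq $principalId }
if (-not $policy) { throw "No access policy entry was created for $principalId" }
"Web app $appName ($principalId) now has: $($policy.PermissionsToSecrets -join ',') on secrets"
```

The tenant comparison in step 2 is the cheap test for the second answer's scenario: if it fails, the tenant re-pointing script above is what applies, not another round of clicking through Select principal.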

Related

How to use managed identity to access key vault on different subscription of same tenant?

I have my Azure VM scale set in subscription1 of tenantA and an assigned user managed identity which also belongs to subscription1 of tenantA.
Now I have a keyvault in subscription2 of tenantA (same tenant). The keyvault holds secrets which the apps on the Azure VM scale set in subscription1 need to access.
It is possible to add the managed identity of the Azure VM scale set in subscription1 to the access policy of the keyvault in subscription2 of the same tenant, as per the below answer.
Is it possible to add managed identity Azure VM scale set on subscription1 to the access policy of the keyvault on subscription2 of different directory/tenant?
Yes.
A Managed Identity creates a service principal in the Azure AD tenant of its subscription.
That service principal can be granted access to anything within that Azure AD tenant, including all subscriptions linked to it.
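Added example (not part of the answer above) for the same-tenant, cross-subscription case it describes: the user-assigned identity is an ARM resource in subscription1, the vault is in subscription2, so the script reads the identity in one subscription context and writes the policy in the other. Subscription IDs, resource names and the identity name are placeholders; it uses Az.ManagedServiceIdentity and Az.KeyVault.

```powershell
# Added example, not from the original answer. All IDs and names are placeholders.
$sub1 = "00000000-0000-0000-0000-000000000001"   # holds the VM scale set and its identity
$sub2 = "00000000-0000-0000-0000-000000000002"   # holds the key vault

# Read the identity where it lives. The ARM resource is in sub1, but the service
# principal it created belongs to the tenant, which is why sub2 can reference it.
Set-AzContext -Subscription $sub1 | Out-Null
$mi = Get-AzUserAssignedIdentity -ResourceGroupName "rg-vmss-example" -Name "mi-vmss-example"

# Switch to the vault's subscription. The tenant check is what separates this
# (supported) case from a vault in another directory: an access policy can only
# name principals of the vault's own tenant.
Set-AzContext -Subscription $sub2 | Out-Null
$kv = Get-AzKeyVault -VaultName "kv-shared-example"
if ($mi.TenantId -ne $kv.TenantId) {
    throw "Identity tenant $($mi.TenantId) differs from vault tenant $($kv.TenantId); an access policy cannot bridge tenants"
}

# Grant the minimum the scale set's apps need, then confirm the entry exists.
Set-AzKeyVaultAccessPolicy -VaultName $kv.VaultName -ObjectId $mi.PrincipalId -PermissionsToSecrets Get
$entry = (Get-AzKeyVault -VaultName $kv.VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $mi.PrincipalId }
if (-not $entry) { throw "Policy entry for $($mi.PrincipalId) not found on $($kv.VaultName)" }
"Granted $($entry.PermissionsToSecrets -join ',') on secrets in $($kv.VaultName) to $($mi.Name) (from subscription $sub1)"
```

Note that the policy is keyed on the identity's PrincipalId (the service principal's object id), not on the identity's ARM resource id; the latter only exists in subscription1.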

Azure Application Gateway, how to link to SSL Cert on a different Azure Subscription?

I have an Azure Application Gateway in subscription A and a wildcard ssl cert in a Keyvault in subscription B, both under the same tenant. Is it possible to link this certificate to this application gateway?
Continuing on from #andriy-bilous, creating a Managed Identity for an Azure Application Gateway so you can draw down certificates from your Azure Key Vault is pretty simple.
Create the Managed Identity:
Go to the Azure Portal.
Select the search bar at the top, then search for and select "Managed Identities".
Select Create.
Give your new managed identity the relevant Resource Group and Region, and a unique Name.
Now Review + create, then Create.
Assign the rights to the Managed Identity in your Key Vault:
Go to your Key Vault.
Under Settings, select Access policies.
Select + Add Access Policy.
Under the Secret permissions dropdown, select Get.
Next to Select principal, select None selected.
Search for the Managed Identity you just created, and Select.
Finally, click Add and you're done.
Head on over to your Application Gateway, and there will be a Managed Identity for the Key Vault; set up your HTTPS certificates.
Also, as you've already got a VNET set up, adding your Key Vault to the VNET via a Private Endpoint is a great idea.
Yes it is possible.
Application Gateway integration with Key Vault requires a three-step configuration process:
Create a user-assigned managed identity
Configure your key vault
Configure the application gateway
https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs#how-integration-works
We ran into the same issue. As of Nov 2021, based on the documentation, the Key Vault instance must be in the same subscription as Application Gateway.
Azure Application Gateway currently supports only Key Vault accounts in the same subscription as the Application Gateway resource. Choosing a key vault under a different subscription than your Application Gateway will result in a failure.
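The three steps listed in the answers above, as an added example in Az PowerShell (not code from any answer or from the Microsoft doc page): create a user-assigned identity, grant it Get on the vault's secrets, attach it to the gateway and reference the certificate by its versionless secret ID. Resource names are placeholders. It also checks the same-subscription constraint quoted in the last answer before touching the gateway.

```powershell
# Added example, not from the original answers. Names and IDs are placeholders.
$rg        = "rg-appgw-example"
$location  = "westeurope"
$vault     = "kv-certs-example"
$certName  = "wildcard-contoso-example"
$appgwName = "appgw-example"

# Step 1: user-assigned managed identity the gateway will use to read the vault.
$mi = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name "mi-appgw-example" -Location $location

# Step 2: key vault side. The gateway pulls the certificate (with private key) through
# the certificate's backing secret, so Get on secrets is all it needs; nothing on keys
# or certificates, and no List.
$kv = Get-AzKeyVault -VaultName $vault
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $mi.PrincipalId -PermissionsToSecrets Get

# Step 3: application gateway side.
$appgw = Get-AzApplicationGateway -ResourceGroupName $rg -Name $appgwName

# Constraint quoted in the last answer: vault and gateway must share a subscription.
# Resource IDs start /subscriptions/<id>/..., so element 2 of the split is the subscription.
$vaultSub = ($kv.ResourceId -split '/')[2]
$gwSub    = ($appgw.Id -split '/')[2]
if ($vaultSub -ne $gwSub) {
    throw "Vault is in subscription $vaultSub but the gateway is in $gwSub; the integration requires the same subscription"
}

# Reference the secret without its version so a renewed certificate is picked up
# instead of pinning the version that existed at configuration time.
$secret   = Get-AzKeyVaultSecret -VaultName $vault -Name $certName
$secretId = $secret.Id.Replace($secret.Version, "").TrimEnd('/')

Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId $mi.Id | Out-Null
Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name $certName -KeyVaultSecretId $secretId | Out-Null
Set-AzApplicationGateway -ApplicationGateway $appgw | Out-Null

"Gateway $appgwName now loads $certName from $secretId via identity $($mi.Name)"
```

The Set-AzApplicationGateway call at the end is what commits the identity and listener certificate; the two Add/Set cmdlets before it only modify the in-memory gateway object.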

Missing Microsoft.Azure.Websites service principal?

I’m trying to get a certificate for my App Service I’m deploying from Key Vault using this template (https://github.com/Azure/azure-quickstart-templates/tree/master/webapp-keyvault-ssl). Part of this requires creating a Key Vault access policy which grants the Microsoft.Azure.Websites service principal (ID abfa0a7c-a6b6-4736-8310-5855508787cd) get on the Secrets. This works in my subscription just fine, but wasn’t working in the customer’s subscription. We could run the Set-AzKeyVaultAccessPolicy command referencing the service principal’s ID, and it executed without error, but the access policy does not actually get created. When I did a get-azAdServicePrincipal -DisplayNameBeginsWith ‘Microsoft.Azure.Websites’ nothing is returned. Yet when I look in the audit log for the KeyVault I can see a user with ID abfa0a7c-a6b6-4736-8310-5855508787cd trying to log in, so somewhere this identity must exist(?)
Is there something I need to do to enable/create this default (Microsoft.Azure.Websites) service principal? I checked my MSDN account and see the same behavior, in that this principal is not present.
I can deploy this template in a subscription where the Microsoft.Azure.Websites principal exists, but when the principal does not exist, the template deployment will fail.
#Gets the service principal (missing in problem subscription)
get-azAdServicePrincipal -DisplayNameBeginsWith 'Microsoft.Azure.Websites'
#Sets the keyvault access policy for the built in service principal
set-azKeyVaultAccessPolicy -VaultName keyVaultName -ServicePrincipalName "abfa0a7c-a6b6-4736-8310-5855508787cd" -PermissionsToSecrets get
'abfa0a7c-a6b6-4736-8310-5855508787cd' is the Resource Provider service principal name and it remains the same for all Azure subscriptions. Its display name as a service principal is 'Microsoft Azure App Service', not 'Microsoft.Azure.Websites'.
Try with
Get-AzADServicePrincipal -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd
to see if it exists.
If it doesn't exist, check the resource provider of your subscription.
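Added example (not from the question or the answers) that runs the two checks suggested above before touching the vault, then verifies that the policy entry really exists afterwards, since the question notes that Set-AzKeyVaultAccessPolicy can return without error while creating nothing. The app ID is the one given on this page; the vault name is a placeholder; the lookup goes by application ID rather than display name because, as the last answer says, the display name is not 'Microsoft.Azure.Websites'.

```powershell
# Added example, not from the original posts. Vault name is a placeholder.
$vault       = "kv-webapp-example"
$appSvcAppId = "abfa0a7c-a6b6-4736-8310-5855508787cd"   # first-party App Service app id, from the page

# Check 1: does this tenant have a service principal for the first-party app?
# Searching by display name misses it ("Microsoft Azure App Service"), so use the app id.
$sp = Get-AzADServicePrincipal -ApplicationId $appSvcAppId
if (-not $sp) {
    # Check 2 (second answer): look at the Microsoft.Web resource provider state in this subscription.
    $rp    = Get-AzResourceProvider -ProviderNamespace Microsoft.Web
    $state = ($rp | Select-Object -First 1).RegistrationState
    throw "No service principal for $appSvcAppId in this tenant; Microsoft.Web registration state is '$state'. Register the provider (Register-AzResourceProvider -ProviderNamespace Microsoft.Web) and check again."
}

# Grant by the service principal's object id, which needs no name resolution on the
# vault side, and only Get on secrets: that is all the certificate import needs.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $sp.Id -PermissionsToSecrets Get

# Verify rather than trust the exit status; the question's symptom was a silent no-op.
$entry = (Get-AzKeyVault -VaultName $vault).AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $entry) { throw "Access policy for $($sp.Id) was not created on $vault" }
"$($sp.DisplayName) ($($sp.Id)) has $($entry.PermissionsToSecrets -join ',') on secrets in $vault"
```

If the first check throws, fix the tenant or provider side first; re-running the policy cmdlet against a principal the tenant cannot resolve is what produced the empty result the question describes.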

Azure Keyvault to access resources from different azure subscriptions

I am trying to use azure keyvault in my MVC application to get storage account keys. This MVC application is hosted in different azure subscriptions with storage accounts belonging to those subscriptions. Is it possible to have a one Azure Keyvault resource in any subscription and serve keys for storage accounts residing in different subscriptions?
Yes it is possible.
You will need to make identities for the apps using the Key Vault in the Azure AD tenant where the Key Vault's subscription is. And then assign permissions to access the vault to those service principals.
Then you can put the client id, client secret and tenant id to the apps that need to access the Key Vault. They should then be able to call it, since they have an identity that is allowed access. Key Vault uses an HTTP API so whether the apps and the vault are in the same subscription/data center/cloud provider is irrelevant.
Hi, you can use the below to do it via the Azure CLI:
az webapp config ssl import -n 'webappname' -g 'webappresourcegroup' --key-vault "/subscriptions/[provide subscriptionID]/resourceGroups/[Provide resource group Name]/providers/Microsoft.KeyVault/vaults/[Provide Vault Name]" --key-vault-certificate 'Provide certificate Name'

Using Azure KeyVault, cannot find object in Azure Active Directory tenant

Using Azure KeyVault I have set up a ResourceGroup, KeyVault and Key by following this guide:
https://azure.microsoft.com/en-gb/documentation/articles/key-vault-get-started/
I have set up the application client in Active Directory. However when I try to use:
Set-AzureKeyVaultAccessPolicy
I get the following error when granting permissions to the Service Principal account:
"Cannot find the Active Directory object 'clientId' in tenant 'tenantId'. Please make sure that the user of application service principal you are authorizing is registered in the current subscription's Azure Active directory."
The clientId is correct as this was copied from the application configuration page in the portal. The tenant Id is the tenant ID for the current subscription, but not for the active directory.
The problem seems to be that the tenant ID for the Active Directory is different from the tenant ID for the subscription I'm using. How do I change the tenant ID of my Active Directory in the Azure Portal to match the subscription tenant ID?
The tenant ID refers to the unique identifier of the Azure AD directory. Every Azure subscription is associated with a directory (or "tenant").
It sounds like you've created the application in a different directory from the directory that is associated with the Azure subscription in which you've created the Key Vault.
When registering the applications, when you go to the "Active Directory" section of the Azure Management portal, be sure to choose the same directory as the one to which your subscription (the subscription where you created the Azure Key Vault) is associated.
There are two things wrong with the documentation you can find on https://learn.microsoft.com/en-us/azure/key-vault/key-vault-get-started#a-idauthorizeaauthorize-the-application-to-use-the-key-or-secret
1) The -ServicePrincipalName parameter should NOT (as the example in the link suggests) be the Client Id (Guid), but the AD App's Identifier Uri (you can find that on the properties page of the AD App).
2) If you did not create your AD App using the portal, but created it from PowerShell Azure Resource Manager scripts, there is no Service Principal created for your AD App yet. You have to do this using the New-AzureRmADServicePrincipal cmdlet, before running Set-AzureRmKeyVaultAccessPolicy.
In total, you should then have:
# Register the application (identifier URI is what the policy will be keyed on)
$app = New-AzureRmADApplication -DisplayName "Test" -HomePage "http://myapp.contoso.com" -IdentifierUris "http://myapp.contoso.com" -Password "password"
# Create the service principal the registration does not create by itself
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
# Grant Get on secrets, referencing the identifier URI, not the client id
Set-AzureRmKeyVaultAccessPolicy -VaultName "vaultname" -ServicePrincipalName "http://myapp.contoso.com" -PermissionsToSecrets Get
You can also find the discussion regarding this on https://social.msdn.microsoft.com/Forums/azure/en-US/ae8d2782-ecf7-4d35-9859-d4455e65a668/setazurermkeyvaultaccesspolicy-cannot-find-the-active-directory-object-in-tenant-?forum=AzureKeyVault
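Added example (not from the answer above, nor from the Microsoft doc it corrects): the same three steps written for the current Az module (Az.Resources 5 or later, where New-AzADAppCredential returns the secret in SecretText), granting the policy by the service principal's object id so the identifier-URI versus client-ID question does not arise, and ending with a client-credential sign-in that proves the app can read one secret. It also serves the earlier question about apps in other subscriptions sharing one vault: the app identity is registered in the vault's tenant, and the tenant ID, client ID and secret are what those apps are handed. Vault, app and secret names are placeholders.

```powershell
# Added example, not from the original answer. Names are placeholders; assumes Az.Resources >= 5.
$vault      = "kv-shared-example"
$secretName = "storage-account-key-example"

# 1. Register the app in the directory that owns the vault. The tenant check is the
#    mismatch the question ran into (app registered in a different directory).
$kv  = Get-AzKeyVault -VaultName $vault
$ctx = Get-AzContext
if ($ctx.Tenant.Id -ne $kv.TenantId) {
    throw "Signed in to tenant $($ctx.Tenant.Id) but vault $vault belongs to $($kv.TenantId); register the app in the vault's tenant"
}
$app  = New-AzADApplication -DisplayName "mvc-app-example"
$cred = New-AzADAppCredential -ApplicationId $app.AppId   # SecretText is returned once; store it securely

# 2. A registration alone has no identity; the service principal is what a policy references.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# 3. Grant by object id, Get only: reading storage keys needs no List, Set or Delete.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $sp.Id -PermissionsToSecrets Get

# 4. Prove it from the app's side: sign in with client credentials and read one secret.
#    These three values (tenant id, client id, secret) are what each hosted app is configured with.
$secure = ConvertTo-SecureString $cred.SecretText -AsPlainText -Force
$pscred = New-Object System.Management.Automation.PSCredential($app.AppId, $secure)
Connect-AzAccount -ServicePrincipal -Credential $pscred -Tenant $kv.TenantId | Out-Null
$value = Get-AzKeyVaultSecret -VaultName $vault -Name $secretName -AsPlainText
if (-not $value) { throw "App $($app.AppId) could not read $secretName from $vault" }
"App $($app.DisplayName) read $secretName ($($value.Length) chars) via tenant $($kv.TenantId)"
```

Because the vault is reached over its HTTPS endpoint with a token from the vault's tenant, the subscription or region the calling app is hosted in plays no part in step 4; only the tenant of the identity does.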
