Problem setting up the right permissions for CDN to access your Key vault

  • Question

  • To use custom URLs with TLS for a CDN endpoint, the Azure portal says the following:

    You need to set up the right permissions for CDN to access your Key vault:
    1) Register Azure CDN as an app in your Azure Active Directory (AAD) via PowerShell using this command: New-AzureRmADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8".
    2) Grant Azure CDN service the permission to access the secrets in your Key vault. Go to “Access policies” from your Key vault to add a new policy, then grant “Microsoft.Azure.Cdn” service principal a “get-secret” permission.

    The problem is, this principal does not exist for my subscription. 

    Unable to find user with spn '205478c0-bd83-4e1b-a9d6-db63a3e1e1c8'
    Unable to get object id from principal name.

    Is there another principal that can be used, was this changed in the past?

    Adding the certificate now gives me the following:

    We don't have permission to access this secret. Go to "Access policies" in your Key Vault account to give Azure CDN permission to get secrets.

    Friday, December 20, 2019 4:12 PM
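The two portal steps quoted in the question, as an added PowerShell example that is not part of the original post or of any Microsoft documentation. It uses the AzureRM cmdlets the portal text refers to (the Az module has equivalents with the same parameters: New-AzADServicePrincipal, Set-AzKeyVaultAccessPolicy, Get-AzKeyVault). The application ID is the one quoted in the question; the vault name is an assumed placeholder. It checks whether the principal already exists before creating it, grants only the `get` secret permission the CDN needs, and then reads the vault's access policies back so you can confirm the entry was written as intended.

```powershell
# Added example (not from the original post): register the Azure CDN service
# principal and grant it least-privilege access to Key Vault secrets.
$cdnAppId  = "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"   # application ID from the portal instructions
$vaultName = "my-cdn-cert-vault"                      # assumption: replace with your vault name

# Step 1: create the service principal only if it is not already in this tenant.
# The "Unable to find user with spn ..." error in the question means this step
# has not been run yet in the tenant that owns the Key Vault.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $cdnAppId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-AzureRmADServicePrincipal -ApplicationId $cdnAppId
}
Write-Host "CDN service principal object id: $($sp.Id)"

# Step 2: grant only 'get' on secrets. CDN needs to read the certificate secret
# and nothing else, so do not add list/set/delete or any key/certificate rights.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName $cdnAppId `
    -PermissionsToSecrets get

# Verify: read the access policies back and show the CDN entry's permission set.
$vault = Get-AzureRmKeyVault -VaultName $vaultName
$vault.AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object DisplayName, ObjectId, PermissionsToSecrets
```

Run this while logged in (Connect-AzureRmAccount) to the tenant and subscription that hold the Key Vault; the principal is tenant-scoped, so creating it in a different tenant will not help. The final query should show exactly `get` under PermissionsToSecrets; anything broader is more than the CDN needs.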

All replies

  • Remember to create the service principal as you described in step 1. Those commands need to be run from Azure PowerShell. Once you have created the service principal, you will be able to add it via the portal.

    Once created, the principal should be under "Microsoft.Azure.CDN" or under ID "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8".

    Friday, December 20, 2019 9:50 PM