Failed to sync the certificate.: The service does not have access to '…vault' Key Vault

  • Question

  • We are unable to Sync an existing Key Vault to an App Service or Import App Service Certificate via App Service | TLS/SSL settings | Private Key Certificates (.pfx). Both operation attempts result in similar errors:

    Failed to [sync | add] the certificate.: The service does not have access to '…vault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

    We followed this article to create an identity for the app service and grant it the necessary privileges. That didn't work so we increased the permissions to all permissions and gave it an Owner role as an attempt to rule out permissions as a problem. Still didn't work. This is happening for two resources across two different subscriptions. What are we missing?

    Failure trying to import app service certificate:

    Failure trying to sync certificate with key vault:

    Friday, November 22, 2019 8:10 PM

Answers

  • For those that may come across this problem:

    1. You may try to add an Access Policy for "Microsoft Azure App Service" in your key vault. That didn't solve all the problems for us, so we ended up with:

    2. You may have to buy a new SSL certificate by creating a new App Service Certificate and Key Vault because the two may get out of sync during the renewal process. Microsoft acknowledged this is a problem and offered to pay for the new SSL certificate for us.

    3. For our non-production environment we're trying out the relatively new App Service Managed Certificate which only lasts 6 months but doesn't appear to have the complexity of 3 Azure resources that may get out of sync. We were unable to upload the PFX from one subscription to another which is a whole other set of bugs and problems.

    • Marked as answer by kratka Monday, December 16, 2019 5:18 AM
    Monday, December 16, 2019 5:18 AM

All replies

  • Hi, 

    When you import the certificate in App Service from KV, an access policy is created for an application called "Microsoft.Azure.Websites". 

    Syncing of the certificate actually takes place under this context and not the application's managed identity context. I received the same error when I removed this access policy.

    Check if you have the access policy defined in your KV as shown in the screenshot. 


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Monday, November 25, 2019 9:03 AM
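    The reply above says the sync runs under the "Microsoft.Azure.Websites" (Microsoft Azure App Service) service principal rather than the app's managed identity, which is why granting the managed identity Owner or every Key Vault permission, as the original poster did, does not help and only widens the blast radius of a compromised app. The script below is an added example, not code from this thread or from Microsoft: it reads the JSON that `az keyvault show -o json` returns (the `properties.accessPolicies` layout is assumed from the CLI's output), looks for a policy granted to the App Service principal, and reports both the permissions that are missing for a certificate import/sync (secrets `get` and certificates `get`, the least privilege Azure's import documentation asks for) and any excess permissions that should be trimmed. The application ID constant is the public-cloud App Service first-party app ID as published in Azure documentation; it is not on this page and differs in sovereign clouds, so confirm it before relying on it. The object ID of that principal is tenant-specific (look it up with `az ad sp show --id <app id>`); the vault samples and IDs in the block are constructed.

```python
import json

# Application (client) ID of the "Microsoft Azure App Service" first-party
# principal in the Azure public cloud, taken from Azure documentation, not from
# this thread. Sovereign clouds use different IDs; verify before use.
APP_SERVICE_APP_ID = "abfa0a7c-a6b6-4736-8310-5855508787cd"

# Least privilege App Service needs to import/sync a certificate from Key Vault:
# read the secret (the PFX bytes) and read the certificate object.
REQUIRED = {"secrets": {"get"}, "certificates": {"get"}}
CATEGORIES = ("keys", "secrets", "certificates", "storage")


def check_app_service_access(vault_json, app_service_object_ids):
    """Inspect `az keyvault show -o json` output (assumed layout:
    properties.accessPolicies[].objectId/applicationId/permissions.<category>).
    Returns whether the App Service principal has a policy, which required
    permissions are missing, and which granted permissions exceed the minimum."""
    vault = json.loads(vault_json)
    policies = vault.get("properties", {}).get("accessPolicies", [])
    wanted_oids = {oid.lower() for oid in app_service_object_ids}

    # Portal-created policies usually carry only objectId; match on either field.
    matches = [
        p for p in policies
        if (p.get("objectId") or "").lower() in wanted_oids
        or (p.get("applicationId") or "").lower() == APP_SERVICE_APP_ID
    ]
    if not matches:
        missing = sorted(f"{cat}/{perm}" for cat, perms in REQUIRED.items() for perm in perms)
        return {"has_policy": False, "missing": missing, "excess": []}

    granted = {cat: set() for cat in CATEGORIES}
    for p in matches:
        perms = p.get("permissions") or {}
        for cat in CATEGORIES:
            granted[cat] |= {x.lower() for x in (perms.get(cat) or [])}

    missing = sorted(
        f"{cat}/{perm}" for cat, perms in REQUIRED.items()
        for perm in perms if perm not in granted[cat]
    )
    excess = sorted(
        f"{cat}/{perm}" for cat, perms in granted.items()
        for perm in perms if perm not in REQUIRED.get(cat, set())
    )
    return {"has_policy": True, "missing": missing, "excess": excess}


def remediation_command(vault_name):
    """The Azure CLI call that grants exactly the two required permissions."""
    return (f"az keyvault set-policy --name {vault_name} --spn {APP_SERVICE_APP_ID} "
            "--secret-permissions get --certificate-permissions get")


# Constructed sample: tenant-specific object ID of the App Service principal.
APP_SERVICE_OID = "00000000-0000-0000-0000-0000000000aa"

# Constructed vault 1: only the user's policy exists (the original poster's situation).
VAULT_MISSING_POLICY = json.dumps({
    "name": "contoso-vault",
    "properties": {"accessPolicies": [
        {"objectId": "00000000-0000-0000-0000-0000000000ff", "applicationId": None,
         "permissions": {"secrets": ["get", "list", "set"], "certificates": ["get", "list"]}}
    ]}
})

# Constructed vault 2: the App Service principal has a policy, but far too broad.
VAULT_OVERBROAD = json.dumps({
    "name": "contoso-vault",
    "properties": {"accessPolicies": [
        {"objectId": APP_SERVICE_OID, "applicationId": None,
         "permissions": {"secrets": ["get", "list", "set", "delete", "purge"],
                         "certificates": ["get", "list", "import", "delete"],
                         "keys": ["get"]}}
    ]}
})

if __name__ == "__main__":
    for label, vault in (("missing", VAULT_MISSING_POLICY), ("overbroad", VAULT_OVERBROAD)):
        result = check_app_service_access(vault, {APP_SERVICE_OID})
        print(label, result)
        if not result["has_policy"] or result["missing"]:
            print("  fix:", remediation_command("contoso-vault"))
```

Run it against real output with `az keyvault show --name <vault> -o json > vault.json` and pass the file contents to `check_app_service_access`. An empty `missing` list with a non-empty `excess` list is the case to act on from a least-privilege standpoint: the sync will work, but the principal can also delete or purge secrets it never needs to touch.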
  • Thank you for the reply. None of our key vaults have this access policy. I attempted to create it but cannot specify Microsoft.Azure.Websites as a principal for an access policy. How can this value be set?

    Monday, November 25, 2019 2:39 PM
  • Hi, 

    We cannot create this policy manually. This policy was created automatically for me when I imported a certificate from the portal.

    I believe an access policy/permissions for the user who is initiating the import is also required. Can you try assigning owner permissions for the user who is initiating the import?

    For existing certificates, please initiate a new import.

    Note: Restarting the App service will sometimes flush the token cache and could resolve some issues with accessing KV.   


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Thursday, November 28, 2019 2:20 PM
  • Thank you for your thoughts. The user initiating the sync [and failing import as originally mentioned] is a subscription owner and therefore inherited key vault and app service owner. The app service is restarted often being part of a CI/CD pipeline, but I tried to restart it and the sync still failed. 
    Sunday, December 1, 2019 4:43 PM
  • Hi, 

    I understand. Can you send an email to azcommunity@microsoft.com with the details of your key vault and the app service along with your subscription ID?

    I will check the logs directly from the backend to see why the sync is failing.


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Monday, December 2, 2019 8:05 AM