
Scenario and desired result: I have an Azure gateway with a WAF associated and I'd like to include HTTPS calls. To do so, I've asked for a domain that has been registered and associated with an Azure App Service certificate (without an ARM template, but after the creation of the certificate, we went to certificate configuration and created a key vault). A public IP is associated with the gateway.


  • First problem: At first, when I was associating the certificate with a key vault, for security and auto-renewal, I encountered the error discussed in this link: keyVaultCsmId.

    • Workaround was to create the key vault with vault access policy, then I switched back to RBAC.
  • Second problem: As shown in the picture, I still can't associate the gateway with the specified key vault and I have 2 new problems:

  1. Certificate (last box of the picture): since the Azure App certificate has been configured, I'm not able to list the name of the certificate, so I don't know how to retrieve it and associate it with the Azure gateway.
  2. If I follow the link "configure key vault", I'm not sure that I'll be able to unlock the situation and finally configure the gateway, since I'm missing the required permission.

# Get the Application Gateway we want to modify
$appgw = Get-AzApplicationGateway -Name MyApplicationGateway -ResourceGroupName MyResourceGroup
# Specify the resource id to the user assigned managed identity - This can be found by going to the properties of the managed identity
Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/MyResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MyManagedIdentity"
# Get the secret ID from Key Vault
$secret = Get-AzKeyVaultSecret -VaultName "MyKeyVault" -Name "CertificateName"
$secretId = $secret.Id.Replace($secret.Version, "") # Remove the secret version so Application Gateway uses the latest version in future syncs
# Specify the secret ID from Key Vault 
Add-AzApplicationGatewaySslCertificate -KeyVaultSecretId $secretId -ApplicationGateway $appgw -Name $secret.Name
# Commit the changes to the Application Gateway
Set-AzApplicationGateway -ApplicationGateway $appgw

Questions:

  1. Is this the right way to associate the certificate with the domain to the gateway through the RBAC role?
  2. Which role should I ask for to complete the task?
  3. Will following the link suggested by Azure allow me to fix the problem? (Sometimes it happened that I was following the documentation and it didn't fix the problem.)
  4. How can I retrieve the certificate name if the key vault is stating:

The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective. You are unauthorized to view these contents.

  • Have you seen this blog: techcommunity.microsoft.com/blog/appsonazureblog/… An App Service Certificate is stored as a secret in Key Vault, so you need to export it and then reimport it as a certificate if you want to use it with App Gateway in this way. Additionally, App Service Certificate is quite expensive for what it is - have you considered using ACME and something like LetsEncrypt to generate a free SSL certificate? Commented Jul 25 at 15:24

1 Answer


There are a few things to make note of here. First off, your App Gateway needs to have a system or user assigned managed identity. Please verify that that's the case. You should be able to see the identity by running the following:

az network application-gateway identity show --gateway-name <AppGatewayName> -g <ResourceGroupName>

Then, in your key vault, verify that it uses RBAC and not Access Policies. The roles you'll need to assign the managed identity are:

  • Key Vault Secret User

  • Key Vault Certificate User
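A worked version of the procedure the answer describes, written in Az PowerShell to match the question's snippet. This is an added example, not the answerer's or Microsoft's code; the resource names are placeholders, and the role names used are the built-in Key Vault data-plane roles.

```powershell
# Added example (not the asker's or Microsoft's code). The four names below are
# placeholders; replace them with your own resources.
$rg        = "MyResourceGroup"
$gwName    = "MyApplicationGateway"
$vaultName = "MyKeyVault"
$identity  = "MyManagedIdentity"

# 1. The gateway must carry a managed identity; here a user-assigned one.
$uai   = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $identity
$appgw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
if (-not $appgw.Identity) {
    Set-AzApplicationGatewayIdentity -ApplicationGateway $appgw -UserAssignedIdentityId $uai.Id | Out-Null
}

# 2. Grant the identity's service principal the two data-plane roles, scoped to
#    the vault only (least privilege: no subscription- or resource-group-wide grant).
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
if (-not $vault.EnableRbacAuthorization) {
    throw "Vault $vaultName still uses access policies; enable RBAC permission model first."
}
foreach ($role in "Key Vault Secrets User", "Key Vault Certificate User") {
    $existing = Get-AzRoleAssignment -ObjectId $uai.PrincipalId -RoleDefinitionName $role -Scope $vault.ResourceId
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $uai.PrincipalId -RoleDefinitionName $role -Scope $vault.ResourceId | Out-Null
    }
}

# 3. An App Service Certificate lives in the vault as a PKCS#12 secret, so locate it
#    by content type instead of guessing the name. The account running this script
#    (not the gateway identity) needs list/read rights on the vault's secrets.
$certSecret = Get-AzKeyVaultSecret -VaultName $vaultName |
    Where-Object { $_.ContentType -eq "application/x-pkcs12" } |
    Select-Object -First 1
if (-not $certSecret) { throw "No PKCS#12 secret found in $vaultName." }

# 4. Reference the secret without a version so the gateway picks up renewals automatically.
$secretId = "$($vault.VaultUri.TrimEnd('/'))/secrets/$($certSecret.Name)"
Add-AzApplicationGatewaySslCertificate -ApplicationGateway $appgw -Name $certSecret.Name -KeyVaultSecretId $secretId | Out-Null
Set-AzApplicationGateway -ApplicationGateway $appgw | Out-Null
```

Step 3 is what answers the "certificate name" question: the RBAC error in the question means the account you run this with lacks a reader role on the vault, which is separate from the roles the gateway identity needs.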
