0

I have the following issue:

Steps (Azure portal):

  1. Create Azure APIM (Developer SKU, internal VNet, no system-assigned managed identity!)
  2. Create own Managed identity (user managed identity) - UAI
  3. Create KeyVault
  4. UAI: Create Role Assignment for UAI and KeyVault with Reader role and Scope KeyVault
  5. KeyVault: Create KeyVault Access Policy for UAI with "Get", "List" for Secrets and Certs
  6. APIM: Assign UAI to APIM instance (no SystemAssigned Identity!)
  7. KeyVault: Upload a cert to KeyVault for custom domain name
  8. APIM: Try to create custom domain name in APIM, select Cert from KeyVault and then click add

Issue: The portal asks me to grant Get/List to the APIM instance. Why? The UAI should have that already! If I click yes on the dialog that asks whether I want to grant that policy, an error occurs.


SystemAssigned Identity works by the way.

Did I miss something here?

djflocko
  • 49
  • 1
  • 5
  • So the same setup with a System Assigned Identity works? User-Assigned for APIM is still in preview, I believe; maybe that has something to do with it – Sam Mullinix Aug 18 '21 at 15:35

1 Answer

0

UI does not support that at the moment, but it is possible through API, see "identityClientId" and "keyVaultId" here: https://learn.microsoft.com/en-us/rest/api/apimanagement/2021-01-01-preview/api-management-service/create-or-update#hostnameconfiguration

Vitaliy Kurokhtin
  • 7,205
  • 1
  • 19
  • 18
  • @djflocko was this sufficient for you? I'm trying the same thing, but I also have firewall rules on my key vault. The combination of user-assigned managed identity and firewall doesn't work for me: user-assigned managed identity + firewall on key vault: FAIL; system-assigned managed identity + firewall on key vault: SUCCESS; user-assigned managed identity + no firewall on key vault: SUCCESS. See this GitHub issue: https://github.com/MicrosoftDocs/azure-docs/issues/86983 – t.amsing Jan 31 '22 at 10:15
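As an added example (not code from the question, the answer, or Microsoft), the following Python builds the create-or-update request body that the answer points to, with the `hostnameConfigurations` entry carrying both `keyVaultId` and `identityClientId`. The subscription id, resource group, identity resource id, client id, vault name and hostname are constructed placeholders. The helper refuses the exact situation described in the question: a service that has only a user-assigned identity, and a Key Vault binding that does not name that identity's client id, which is when APIM falls back to a system-assigned identity that does not exist.

```python
"""Build the API Management create-or-update body that binds a custom
hostname to a Key Vault certificate through a user-assigned identity.

Added example, not code from the question or answer above. All resource
ids, the hostname and the client id are constructed placeholders.
"""
import json

# Allowed values of hostnameConfiguration.type in the 2021-01-01-preview API.
HOSTNAME_TYPES = {"Proxy", "Portal", "Management", "Scm", "DeveloperPortal"}


def hostname_configuration(host_name, key_vault_secret_url, identity_client_id=None,
                           config_type="Proxy", default_ssl_binding=True):
    """Return one entry for properties.hostnameConfigurations."""
    if config_type not in HOSTNAME_TYPES:
        raise ValueError(f"unknown hostname configuration type: {config_type}")
    # keyVaultId is the secret URL of the certificate, i.e.
    # https://<vault>.vault.azure.net/secrets/<name>. Pinning a version in the
    # URL also works but disables automatic certificate rotation in APIM.
    if not key_vault_secret_url.startswith("https://") or "/secrets/" not in key_vault_secret_url:
        raise ValueError("keyVaultId must be a Key Vault secret URL")
    entry = {
        "type": config_type,
        "hostName": host_name,
        "keyVaultId": key_vault_secret_url,
        "defaultSslBinding": default_ssl_binding,
        "negotiateClientCertificate": False,
    }
    if identity_client_id:
        # Without identityClientId, APIM reads the secret with its
        # system-assigned identity instead of the user-assigned one.
        entry["identityClientId"] = identity_client_id
    return entry


def service_body(location, publisher_email, publisher_name, user_assigned_identity_id,
                 hostname_configurations):
    """Assemble the PUT body; refuse bindings that would use the wrong identity."""
    identity = {
        "type": "UserAssigned",
        "userAssignedIdentities": {user_assigned_identity_id: {}},
    }
    for cfg in hostname_configurations:
        if "keyVaultId" in cfg and "identityClientId" not in cfg:
            # The situation in the question: a user-assigned identity is attached,
            # but the binding does not name it, so APIM tries the absent
            # system-assigned identity and the portal asks to grant it access.
            raise ValueError(f"{cfg['hostName']}: keyVaultId set but no identityClientId; "
                             "service has no system-assigned identity")
    return {
        "location": location,
        "sku": {"name": "Developer", "capacity": 1},
        "identity": identity,
        "properties": {
            "publisherEmail": publisher_email,
            "publisherName": publisher_name,
            "hostnameConfigurations": hostname_configurations,
        },
    }


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own resource ids.
    uai_id = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-apim"
              "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-apim")
    cfg = hostname_configuration("api.example.com",
                                 "https://kv-apim.vault.azure.net/secrets/api-example-com",
                                 identity_client_id="11111111-1111-1111-1111-111111111111")
    body = service_body("westeurope", "admin@example.com", "Example", uai_id, [cfg])
    print(json.dumps(body, indent=2))
```

Write the printed JSON to a file and send it with the Azure CLI, e.g. `az rest --method put --url "https://management.azure.com/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ApiManagement/service/<name>?api-version=2021-01-01-preview" --body @body.json`. The identity named by `identityClientId` still needs Get permission on secrets in the vault (via the access policy from step 5 or an equivalent RBAC role), and, per the comment above, a vault firewall may additionally block the user-assigned path.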