
I have two certificates added under my Key Vault (it is using the Azure role-based access control permission model).

I need to import either of these certificates under Function App -> TLS/SSL settings -> Private Key Certificates. To achieve this, I enabled a managed identity on the Function App and gave all possible/expected access to my Function App.

But even after providing all the required permissions, it throws an error saying that the Azure Function App does not have access to import the certificate from the Key Vault:

Failed to import Key Vault Certificate: /subscriptions/xxxxxxx-xxxxxxx-xxxxxxx/resourceGroups/xxx-xxxxxx-xxxxxxx/providers/Microsoft.KeyVault/vaults/xxxxx-xxxxxxx-xxxxxxxx. Error: The service does not have access to '/subscriptions/xxxxxxxx-xxxxxxxxx-xxxxxxxxxxx/resourcegroups/xxxxx0xxxxxxxx-xxxxxxx/providers/microsoft.keyvault/vaults/xxxxx-xxxxxxx-xxxxxxxx' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

I have tried searching for similar issues and solutions on Stack Overflow and MSDN, but no luck. The Azure Function App and the Azure Key Vault are in the same subscription but in different resource groups.

Can anyone please give any solution or hint to fix this issue?

Yash Mochi
  • [Image](https://i.imgur.com/ZjskRWC.png) - In the Key Vault > Access policies, have you added the user who is accessing the Function App and Key Vault, and also access policy permissions for the managed identity of that Function App? – Pravallika KV Dec 20 '22 at 11:05
  • @PravallikaKothaveerannagari, I was using the Azure RBAC permission model, so access policies were not in the picture. Anyway, I got to know from MSDN that certificates are not supported with the RBAC permission model. So I moved to the access-policy permission model and solved my issue by providing Get, List access to Microsoft Azure App Service, Microsoft.Azure.CertificateRegistration and the user with which I am using the Azure portal. It fixed my issue. – Yash Mochi Dec 20 '22 at 12:49

1 Answer

Azure role-based access policies do not support Certificates as per MSDN.

So I had to move to the access-policy-based Key Vault permission model. By providing Get/List access to my user, Microsoft Azure App Service and Microsoft.Azure.CertificateRegistration, I resolved this issue.

Yash Mochi
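The steps in this answer, written out as an added Azure CLI script (this is not part of the original post or of any Microsoft tooling): it switches the vault to the access-policy permission model, grants Get/List certificate permissions to the portal user and to the two first-party service principals the answer names, imports the certificate into the Function App, and then prints the resulting policies so the grants can be checked. The vault, resource group, Function App, certificate and user names are placeholders. The two application IDs are the public-cloud values Microsoft documents for "Microsoft Azure App Service" and "Microsoft.Azure.CertificateRegistration"; they are assumptions here, differ in sovereign clouds, and should be confirmed with `az ad sp show --id <appId>` before use.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): grant a Key Vault's certificate
# Get/List permissions via access policies and import the certificate into a
# Function App. All names below are placeholders (assumptions).
set -eu

KV_NAME="${KV_NAME:-mykeyvault}"             # assumed Key Vault name
KV_RG="${KV_RG:-kv-rg}"                      # assumed Key Vault resource group
FUNC_NAME="${FUNC_NAME:-myfuncapp}"          # assumed Function App name
FUNC_RG="${FUNC_RG:-func-rg}"                # assumed Function App resource group
CERT_NAME="${CERT_NAME:-mycert}"             # assumed certificate name in the vault
PORTAL_USER="${PORTAL_USER:-me@contoso.com}" # assumed UPN of the portal user

# First-party application IDs for the public Azure cloud (assumed; verify with
# `az ad sp show --id <appId>`; sovereign clouds use different IDs).
APP_SERVICE_SP="abfa0a7c-a6b6-4736-8310-5855508787cd"        # Microsoft Azure App Service
CERT_REGISTRATION_SP="f3c21649-0979-4721-ac85-b0216b2cf413"  # Microsoft.Azure.CertificateRegistration

# DRY_RUN=1 prints each az command instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: move the vault from Azure RBAC to the access-policy permission model.
switch_to_access_policies() {
  run az keyvault update --name "$KV_NAME" --resource-group "$KV_RG" \
      --enable-rbac-authorization false
}

# Step 2: Get/List on certificates for the portal user and the two service principals.
grant_certificate_policies() {
  run az keyvault set-policy --name "$KV_NAME" --upn "$PORTAL_USER" \
      --certificate-permissions get list
  run az keyvault set-policy --name "$KV_NAME" --spn "$APP_SERVICE_SP" \
      --certificate-permissions get list
  run az keyvault set-policy --name "$KV_NAME" --spn "$CERT_REGISTRATION_SP" \
      --certificate-permissions get list
}

# Step 3: import the Key Vault certificate into the Function App's private key certificates.
import_certificate() {
  run az functionapp config ssl import --resource-group "$FUNC_RG" --name "$FUNC_NAME" \
      --key-vault "$KV_NAME" --key-vault-certificate-name "$CERT_NAME"
}

# Step 4: list object IDs and certificate permissions so the grants can be verified.
show_policies() {
  run az keyvault show --name "$KV_NAME" \
      --query "properties.accessPolicies[].{id:objectId,certs:permissions.certificates}" -o table
}

main() {
  switch_to_access_policies
  grant_certificate_policies
  import_certificate
  show_policies
}

# Run when invoked as a script with DRY_RUN=1 or with the Azure CLI on PATH;
# otherwise only define the functions (e.g. when sourced).
if [ "${DRY_RUN:-0}" = "1" ] || command -v az >/dev/null 2>&1; then main; fi
```

Run it first with `DRY_RUN=1 bash grant-cert-access.sh` to review the exact commands, then without `DRY_RUN` against a logged-in `az` session. The final `az keyvault show` output is the check to keep: each of the three object IDs should list `get` and `list` under certificates before you retry the import in the portal.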