I recently changed our Azure Key Vault to use role-based access control (RBAC), and now I'm having trouble importing certificates to our App Services. Following the official guide, I assigned the Azure App Service principal (ID: abfa0a7c-a6b6-4736-8310-5855508787cd) the Certificate User role a few days ago. However, I'm still encountering an error that states: 'The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.' I also attempted to assign the Key Vault Administrator role and managed identity roles for the specific app service, but none of these actions seem to resolve the issue. Does anyone have any advice on how to successfully import the certificate?
4 Answers
I'm importing through the portal. The steps are: Certificates > Bring Your Own Certificates > Add Certificate > Import from Key Vault.
When I ran into a similar issue while switching to RBAC, I found that the role assignment needs to be applied directly to the Key Vault and not inherited from a higher-level resource group. Check if the permissions are set directly on the Key Vault. Also, the App Service needs to access the certificate secret, so ensure the identity can read it. Lastly, confirm that your vault is entirely in RBAC mode without any legacy access policies still in place.
Make sure you actually have access to the Key Vault yourself. Even though you’re doing it through the portal, you still need at least the Certificate User role. Plus, your App Service might need either the Secret Reader or Keys Reader role, since the private key for the certificate is stored as a secret.
How exactly are you trying to import the certificates? Are you going through the Azure portal or are you using infrastructure as code (IaC)?
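
The checks suggested in the answers above (is the vault in RBAC mode, do legacy access policies remain, and at which scope is each identity's role assigned), as an added example that is not part of the original thread. The object IDs, resource names and records are constructed placeholders, shaped like the JSON from `az keyvault show` and `az role assignment list --all`.

```python
# Constructed sample data (not from the thread). In practice, load these with
# json.load() from saved `az keyvault show -o json` and
# `az role assignment list --all -o json` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
APP_SERVICE_SP = "11111111-1111-1111-1111-111111111111"  # placeholder object ID
PORTAL_USER = "22222222-2222-2222-2222-222222222222"     # placeholder object ID
VAULT = {"id": RG + "/providers/Microsoft.KeyVault/vaults/kv-demo",
         "properties": {"enableRbacAuthorization": True,
                        "accessPolicies": [{"objectId": "placeholder"}]}}
ASSIGNMENTS = [
    {"principalId": APP_SERVICE_SP, "scope": RG,
     "roleDefinitionName": "Key Vault Certificate User"},
    {"principalId": PORTAL_USER, "scope": VAULT["id"],
     "roleDefinitionName": "Key Vault Administrator"},
    {"principalId": PORTAL_USER, "scope": SUB + "/resourceGroups/rg-other",
     "roleDefinitionName": "Reader"},
]

def classify_scope(scope, vault_id):
    """Say where a role assignment sits relative to the vault resource ID."""
    s, v = scope.rstrip("/").lower(), vault_id.rstrip("/").lower()
    if s == v:
        return "vault"        # assigned directly on the vault
    if s.startswith(v + "/"):
        return "child"        # assigned on one certificate, secret or key
    if v.startswith(s + "/"):
        return "inherited"    # resource group, subscription or root scope
    return "unrelated"        # e.g. another vault whose name shares a prefix

def audit(vault, assignments, principal_id):
    """Summarise vault mode and one principal's roles, grouped by scope."""
    props = vault.get("properties", {})
    report = {"rbac_mode": bool(props.get("enableRbacAuthorization")),
              "legacy_policies": len(props.get("accessPolicies") or []),
              "vault": [], "child": [], "inherited": []}
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue
        where = classify_scope(a["scope"], vault["id"])
        if where != "unrelated":
            report[where].append(a["roleDefinitionName"])
    return report

if __name__ == "__main__":
    for label, pid in (("App Service principal", APP_SERVICE_SP),
                       ("portal user", PORTAL_USER)):
        print(label, audit(VAULT, ASSIGNMENTS, pid))
```

Run it once for the App Service principal and once for the account used in the portal, since the answers point at both identities.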
