[solved]Key vault permissions with System Identiti...
# help-with-other
m
What role does the App need when using RBAC roles (Azure AD)? Right now the app has:
- Key Vault Secrets User (this should be enough imo for the connection string...)
- Key Vault Certificate User
- Key Vault Reader

Not sure what I am missing 😦

Identity: System assigned managed identity
Status: AccessToKeyVaultDenied
Error details: Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault.
p
Hey Matt, I'm not sure if this is of any use at all, but I had to explicitly add 'Get' and 'List' for Secrets to allow me to read them. That said, this is to get Azure DevOps to read Key Vault into its App Settings, as opposed to the web app directly. Might need a similar approach. https://cdn.discordapp.com/attachments/1201575496006238340/1201821073088446504/image.png?ex=65cb3618&is=65b8c118&hm=da1125356ce068c7a90afe05f7506d02a5e17bc4a292716cd8d26649832a9409&
I set those under 'Access Policies'.
m
Cheers, mate. I am trying to use Access control (IAM) and, as usual with Azure, it works fine once you ask someone...
p
Amazing. Yeah, I'm just reading around Access Policy vs RBAC. Looks like I should revisit my setup to use that when I get time.
m
You can't use an RBAC Key Vault setup for Managed Certificates (SSL); this only supports the old permissions. The only role your app should require is Key Vault Secrets User.
Did you add both your Deployment Slot and your normal app?
m
I do need to check the slot actually, now you mention it.