azure-keyvaultazure-api-managementazure-managed-identityapimazure-custom-domain
Azure API Managment User Assigned Identity Custom Domain KeyVault
I have the following issue:
Steps (Azure portal):
- Create Azure APIM (Devloper sku, internal vnet, no system assigned managed identity!)
- Create own Managed identity (user managed identity) - UAI
- Create KeyVault
- UAI: Create Role Assignment for UIA and KeyVault with Reader role and Scope KeyVault
- KeyVault: Create KeyVault Access Policy for UAI with "Get", "List" for Secrets and Certs
- APIM: Assign UAI to APIM instance (no SystemAssigned Identity!)
- KeyVault: Upload a cert to KeyVault for custom domain name
- APIM: Try to create custom domain name in APIM, select Cert from KeyVault and then click add
Issue: Portal asks me to grant Get/List to APIM instance. Why ? UAI should have that already! If I click yes on the dialog that asks if I want to grant that policy an error occurs.
SystemAssigned Identity works by the way.
Did I miss something here ?
Solution
UI does not support that at the moment, but it is possible through API, see "identityClientId" and "keyVaultId" here: https://learn.microsoft.com/en-us/rest/api/apimanagement/2021-01-01-preview/api-management-service/create-or-update#hostnameconfiguration
- A keyvault created with access policy using BICEP creates compound identity
- Diagnostic setting not included in Azure Portal ARM template export
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Encryption with Azure Key Vault CryptographyClient - where is encrypt/decrypt happenning? my backend or Azure server side
- Grant Azure Devops ARM Service Connection access to Key Vault
- Adding ARM template for virualNetworkRules for key vault
- How to access Azure Key Vault secrets as *configuration values transparently* in a ASP.NET Core Web App which is deployed to Azure App Services?
- How can we get tenant id, client id and client secret for Azure Function App?
- How to activate Managed HSM and configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM using Terraform
- Mock EncryptAsync method and return EncryptResult from Azure.Security.KeyVault.Keys.Cryptography
- Is it possible to use an Azure KeyVault with RBAC on an Azure Pipeline Agent?
- AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
- VB.NET Error after calling Dim secret = Await client.GetSecretAsync
- How to Set Separate Database Connection Strings for Azure App Service Deployment Slots
- Create an API Connection to Azure KeyVault using Service Principal Authentication through ARM template
- Azure SQL database not available on first connection attempt
- Azure KeyVault: Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials
- Azure DevOps Pipeline Error: Password Not an Integer in snowsql Command
- Unable to Retrieve Multiple Secrets from Azure Key Vault in Azure DevOps Pipeline
- How can I retrieve the KeyVault URIs from Azure AppConfig in C# without retrieving the Secret Value?
- Azure KeyVault Certificate with non-exportable key can still export the key through KeyVault Secret
- How to use properly Azure app configuration with key vault reference in a function app?
- Unable to set access policy to key vault for an application in Azure CLI
- The cost of a deleted Azure Key Vault with Purge Protection enabled
- Azure Key Vault Certificates does not have the Private Key when retrieved via IKeyVaultClient.GetCertificateAsync
- Terraform - How to get App Service object id for azurerm key vault access policy?
- Cannot Access Azure Key Vault from Python script via 'os.environ["VAULT_URL]" - Key Error: "VAULT_URL"
- Find list of Vnets/Subnets that access a key vault in azure
- Getting error "AZUREKEYVAULT not found" while trying to sign the jar using jarsigner with Azure Key Vault Java 17/21