Insufficient Permissions for Import Certificate into Key Vault

Carolyn Schroeder 186

I am an external user for one of my client accounts. I have owner permissions. I am trying to import a certificate into a key vault. The key vault has the Vault Access Policy. As the owner, I have full access to this resource. However, when I try to import a certificate, I am getting an insufficient permission error. I have tried to add an Access Policy but can't find a principal to assign it to.

2 answers

Deepanshukatara-6769 7,045 Reputation points

2024-05-30T06:44:32.6+00:00
Hi Carolyn,

Verify Access Policies: Double-check the access policies configured on the Key Vault. As an owner, you should have full access, but you may need a explicit permission for importing

Add Explicit permission in Access Policy: If necessary, add an access policy explicitly granting permissions for importing certificates. To do this:

Go to the Azure portal and navigate to the Key Vault.

Select "Access policies" from the left menu.

Click on "Add Access Policy."

Choose the appropriate permissions (e.g., "Import" for certificates).

In the "Select principal" section, you may need to search for and select the application or your object ID

Click "Add" to save the access policy.

Please check below images for reference

Please check this doc for ref https://video2.skills-academy.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

kindly accept answer if it helps,

Thanks

Deepanshu
Please sign in to rate this answer.
Carolyn Schroeder 186 Reputation points

2024-05-30T06:52:09.6133333+00:00

I have gone through all of these steps but am unable to find a suitable principal. I have tried my name, email and web app name but none of these works.

Deepanshukatara-6769 7,045 Reputation points

2024-05-30T07:12:46.8333333+00:00

Ok so most likely don't have enough rights in Azure AD (EntraID). Even if you have rights to edit the Key Vault, it doesn't mean you have rights to list users for example. You may not be able to find a user in that view by typing their full username in the search field.

So to fix this you need at least directory reader role

The built-in Azure AD roles are reasonably broad by nature but probably the best fit would be the Directory Readers role, which is more restrictive than Global Readers.

Please check this https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#directory-reader...

Carolyn Schroeder 186 Reputation points

2024-05-30T07:37:10.8966667+00:00

I have tried to add a role but do not have sufficient permissions to add a group.

Deepanshukatara-6769 7,045 Reputation points

2024-05-30T09:38:50.13+00:00

Ok then please check with person who has privileged permissions like Global admin, he/she can help with required permission to add your object ID with directory read permissions.

Carolyn Schroeder 186 Reputation points

2024-05-30T11:06:03.5533333+00:00

There is only my client who has a Microsoft account for this subscription and myself who is a guest owner. Who has the privileged permissions?

Deepanshukatara-6769 7,045 Reputation points

2024-05-30T11:18:58.82+00:00

May be the client can answer better on this check with them once that who can help you with providing access at Azure AD level in client tenant
Sign in to comment
Carolyn Schroeder 186 Reputation points

2024-05-30T12:05:25.8166667+00:00

This is just too small a shop to use Azure Key Vault. I was able to add a custom domain and secure it by directly importing the app service certificate
Please sign in to rate this answer.
Deepanshukatara-6769 7,045 Reputation points

2024-05-30T12:22:11.3666667+00:00

So you mean you were able to add certificate in to KV and then use same certificate for SSL binding in Azure web apps.

Can you please confirm if our answer or comments was helpful to you in anyway so that we can mark it as answer which in turn can help wider community

Thanks

Deepanshu

Carolyn Schroeder 186 Reputation points

2024-05-30T12:28:23.9133333+00:00

No, I did not add the certificate to KV. I was able to secure the SSL binding by directly importing the certificate as described in https://video2.skills-academy.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex

Sadly your comments were not helpful. We are too small a shop. My client is not familiar enough with Azure to act as a Global Admin.

Deepanshukatara-6769 7,045 Reputation points

2024-05-30T12:58:06.56+00:00

Ok but since it is a not best practice to use directly we always recommend using through keyvault anyways no problem , I hope will take this scenario as exception since you mentioned it is vey small . lastly , thankyou for your comments , have a good day ahead , bye
Sign in to comment

Share via

Insufficient Permissions for Import Certificate into Key Vault

2 answers