Allowing Azure CDN to access Azure KeyVault
Question
I'm trying to set up my Azure CDN endpoint to use HTTPS for the custom domain I already set up.
When I tried to point at the SSL cert in my Azure KeyVault , I got an error stating that I need to grant Azure CDN access to KeyVault . Any idea how I can do this -- hopefully through the Portal and NOT Powershell, though I have a feeling it'll end up requiring Powershell commands.
Basically, I'm trying to get my Azure CDN endpoint to use the SSL cert in my Azure KeyVault .
Anyway, I'd appreciate someone pointing to me an article or a set of instructions please. Thanks!
2 answers
solution1
3 ACCPTED 2020-02-21 03:24:28
Instructions for enabling SSL with your own certificate stored in Azure KeyVault are described here:
solution2
1
There's something broken with this lately.
Azure tells you to do the thing that doesn't work: New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8" -Role Contributor
If you're curious as to what it actually does, it just gives the hidden Microsoft.AzureFrontDoor-Cdn the role Contributor in your subscription's IAM. You can view it in the portal:
It seems that the "Contributor" role no longer contains the necessary permissions to read keyvaults - namely the Microsoft.KeyVault/vaults/secrets/readMetadata/action permission.
I've noticed that:
- this permission is given to the built in
Key Vault Secrets Userrole - all the roles that seem "superior" to the secrets user like
Key Vault Administratordon't work, it HAS to beKey Vault Secrets User
So what fixed it for me is going into my keyvault and giving MYSELF (not azure cdn) the permission to read and list secrets. Seems that even as owner and god-emperor of your azure instance you can't access secrets by default ("AT" is me in the screenshot):
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.