Azure permission requirements
While there are multiple ways to configure and meet permissions requirements, to successfully provision certificates to Azure Key Vault and Web Application, Venafi recommends the following:
- Certificate key/pair must be present
- Application Registration must be created (which is the "user", also referred to as Application ID)
- Azure Key Vault and Azure Service Management API permissions must be granted to the Application Registration
- The Contributor Role must be granted to the Application Registration in the Service Plan resource
- The Contributor Role must be granted to the Application Registration in the Resource Group to which the Web Application belongs
- The Contributor Role and Key Vault Contributor Role must be granted to the Application Registration for the Key Vault
- The Application Registration and Microsoft Azure App Service must be added as principles to the Key, Secret and Certificate Management policy in the Access Policy of the Key Vault
TIP When integrating Azure with Trust Protection Platform, you might encounter the following error message:
Error: Failed to bind a key vault certificate to the web application. No default Subscription has been designated. Check your Azure account Subscriptions and select a default one.
This error is typically occurs when you use an Application ID / Principle that does not have the proper permissions set. Verify the permissions settings and try again.