Key Vault – Failed to sync the certificate.: The service does not have access to ‘*’ Key Vault

TL;DR: How to fix "Failed to sync the certificate.: The service does not have access to ‘*’ Key Vault"

Hello! You may want to read this post if you have come across one of the following errors related to Key Vault:

  • Failed to update all the resources with the latest certificate
  • Failed to sync the certificate.: The service does not have access to ‘*’ Key Vault
  • Resource Microsoft.Web/certificates “[XXX]” failed with message { “Code”: “BadRequest”, “Message”: “The service does not have access to ‘/subscriptions/[subscription]/resourcegroups/[resource-group-name]/providers/microsoft.keyvault/vaults/[vault-name]’ Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.
  • Failed to add App Service certificate to the app, Check error for more details. Error Details: The service does not have access to ‘XXX’ Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.

add/sync certificate error

Background:

I came across a similar challenge recently.

We have an App Service Certificate purchased from the Microsoft Azure Portal and stored in a Key Vault.

The same certificate was then imported and bound to many app services.

The App Service Certificate was configured to auto-renew, and it was expected to sync once it renewed, but surprisingly it just expired.

What Happened

When I investigated, I found that the App Service Certificate had been renewed some time before the expiry date, but it did not sync for some reason.

I, obviously, tried googling for solutions. A few of the links I explored:

I tried the suggestions but nothing worked for me. Then I decided to contact Microsoft Azure Support.

In the process, I found a potential solution. I appreciate that they have initial troubleshooting cards available on the support page.

Azure portal Trouble-Shooting page

Though I read it, it didn’t help. Then I realized that step #2 had some content in markdown:

I fixed the markdown to recover the intended message, and this is what it said:

The two service principals listed in the table below need to be granted the permissions shown.

These two service principals belong to first-party Azure resource providers (Microsoft Azure App Service and Microsoft.Azure.CertificateRegistration). Their application (client) IDs are the same in every Azure AD tenant, but the object IDs of the service principals are specific to your tenant, so look them up in your own tenant (for example by searching for the principal name in the Access Policy blade) rather than copying an object ID from another tenant.

How to fix the permissions on the key vault

  • Navigate to your key vault.
  • Click on “Access policies”. (If the vault uses the Azure RBAC permission model instead of vault access policies, this blade does not apply; assign the equivalent built-in Key Vault roles to the same two service principals instead.)
Navigate to Access policies
  • Click “Add Access Policy” if the two service principals below are not already added.
  • Assign the permissions for the two service principals as in the table below. Microsoft.Azure.CertificateRegistration needs write access because it stores the renewed certificate in the vault; Microsoft Azure App Service only reads it, so it gets Get only:

Service Principal                          | Secret Permissions       | Certificate Permissions
Microsoft Azure App Service                | Get                      | Get
Microsoft.Azure.CertificateRegistration    | Get, List, Set, Delete   | Get, List

access policies
  • Save the access policy changes.
  • Navigate to the App Service Certificate in question.
  • Click on “Rekey and Sync”.
rekey and sync
  • Click on “Sync”. Make sure your certificate is listed under “Linked Private Certificate”.
  • After the sync, the certificates bound to your app services should be updated to the renewed certificate.
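The same permission fix scripted with Azure PowerShell, as an added example (this is not code from the original post or from Microsoft). It resolves the tenant-specific object IDs of the two principals from their well-known application IDs, applies the access-policy permissions from the table, and reads the policies back to verify them; the final portal “Rekey and Sync” step is still done by hand. Assumptions: the Az.Accounts, Az.Resources and Az.KeyVault modules are installed, you have run Connect-AzAccount with rights to change the vault’s access policies, and the vault and resource group names are placeholders for your own.

```powershell
# Added example (not from the original post): grant the two first-party service
# principals the Key Vault access-policy permissions from the table above, then
# verify the result. $VaultName / $ResourceGroupName are placeholders (assumption).
param(
    [string]$VaultName         = 'my-cert-vault',      # placeholder
    [string]$ResourceGroupName = 'my-resource-group'   # placeholder
)

$ErrorActionPreference = 'Stop'

# Application (client) IDs of the two first-party principals. These are the same
# in every Azure AD tenant; the object IDs are not, so they are resolved below.
$Principals = @(
    @{ Name         = 'Microsoft Azure App Service'
       AppId        = 'abfa0a7c-a6b6-4736-8310-5855508787cd'
       Secrets      = @('Get')
       Certificates = @('Get') },
    @{ Name         = 'Microsoft.Azure.CertificateRegistration'
       AppId        = 'f3c21649-0979-4721-ac85-b0216b2cf413'
       Secrets      = @('Get', 'List', 'Set', 'Delete')
       Certificates = @('Get', 'List') }
)

$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
if ($vault.EnableRbacAuthorization) {
    # Access policies are ignored on RBAC-model vaults; roles must be assigned instead.
    throw "Vault '$VaultName' uses the Azure RBAC permission model. Assign the equivalent built-in Key Vault roles to these principals with New-AzRoleAssignment instead of access policies."
}

foreach ($p in $Principals) {
    # Resolve the tenant-specific object ID from the well-known application ID.
    $sp = Get-AzADServicePrincipal -ApplicationId $p.AppId
    if (-not $sp) {
        throw "Service principal for $($p.Name) ($($p.AppId)) was not found in this tenant."
    }

    # Note: this replaces the principal's existing secret/certificate permissions
    # on the vault with exactly the lists given (least privilege from the table).
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $ResourceGroupName `
        -ObjectId $sp.Id `
        -PermissionsToSecrets $p.Secrets `
        -PermissionsToCertificates $p.Certificates

    Write-Host "Granted $($p.Name) (object ID $($sp.Id)): secrets=$($p.Secrets -join ',') certificates=$($p.Certificates -join ',')"
}

# Verify: read the access policies back and confirm each principal has every
# permission from the table (permission names compare case-insensitively).
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
foreach ($p in $Principals) {
    $sp     = Get-AzADServicePrincipal -ApplicationId $p.AppId
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    $missing = @($p.Secrets      | Where-Object { $policy.PermissionsToSecrets      -notcontains $_ }) +
               @($p.Certificates | Where-Object { $policy.PermissionsToCertificates -notcontains $_ })
    if (-not $policy -or $missing.Count -gt 0) {
        throw "Access policy for $($p.Name) is incomplete (missing: $($missing -join ','))."
    }
}

Write-Host "Key Vault access policies are in place. Now open the App Service Certificate in the portal and click 'Rekey and Sync' > 'Sync'."
```

Run it as a script with your own vault and resource group names. The verification loop is there on purpose: a sync failure after this change almost always means the policy landed on the wrong object ID (a principal from another tenant) or the vault is on the RBAC model, and reading the policies back catches both before you go hunting in the portal.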

Summary

To fix App Service Certificate sync issues, fix the permissions on the Key Vault for the two resource provider service principals and then sync the certificate once. Refer to the table above for the service principals and the exact secret and certificate permissions each one needs.

Thanks for reading this article on DevsDaily.com. 🙂
