I am trying to create a master key vault, which will contain all certificates to authenticate as a certain user.

I have 2 service principals => One for my app, One for deployment. The idea is that the deploy service principal gets access to the Key Vault and adds the certificate located there to the Store of the web applications.

I have created the service principal and I have given him all permissions on the key vault. Also I have enabled access secrets in ARM templates for that key vault.

Using powershell I am able to login as the Deploying SP and retrieving the secret (certificate).

However this does not work when deploying the ARM template with a reference to the key vault. I got the following error:

New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{ "Code": "BadRequest", "Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.", "Target": null, "Details": [ { "Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation." },

My ARM template looks like this:

    {
     "type":"Microsoft.Web/certificates",
     "name":"test-certificate",
     "apiVersion":"2016-03-01",
     "location":"[resourceGroup().location]",
     "properties":{
        "keyVaultId":"[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
        "keyVaultSecretName":"kv-certificate-test",
        "serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
     }
  },

Is this a bug? Because I am able to retrieve the certificate using the Deploy SP with:

 $key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"

This is my ARM template: (note, the Key vault lives in another resource group than the resources in the ARM template)

{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
    {
     "type":"Microsoft.Web/certificates",
     "name":"test-certificate",
     "apiVersion":"2016-03-01",
     "location":"[resourceGroup().location]",
     "properties":{
        "keyVaultId":"/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
        "keyVaultSecretName":"testcert",
        "serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
     }
  },
    {
        "name": "wa-test1",
        "type": "Microsoft.Web/sites",
        "location": "[resourceGroup().location]",
        "apiVersion": "2016-08-01",
        "dependsOn": [
            "[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
        ],
        "tags": {
            "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
            "displayName": "wa-test1"
        },
        "properties": {
            "name": "wa-test1",
            "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
        }
    },
    {
        "name": "asp-test",
        "type": "Microsoft.Web/serverfarms",
        "location": "[resourceGroup().location]",
        "apiVersion": "2014-06-01",
        "dependsOn": [],
        "tags": {
            "displayName": "appServicePlan"
        },
        "properties": {
            "name": "asp-test",
            "sku": "Free",
            "workerSize": "Small",
            "numberOfWorkers": 1
        }
    }
],
"outputs": {}
}