Key Vault resource RBAC permissions and app service imported certs?

[shanrath]

Discussed in #465

^{Originally posted by Jehoel April 4, 2022}

When using keyvault-acmebot (instead of appservice-acmebot) with Azure App Services, I see that I need to go (App Service) > TLS/SSL Settings > Private Key Certificates > Import Key Vault certificate.
The drop-down list shows the thumbprint of the certificate, suggesting that this import procedure will need to be repeated every time the certificate's thumbprint changes (i.e. every time the certificate is renewed).
...or is it re-imported automagically?

To riff off of the above question:

According to the documentation for importing the Key Vault certificates for app service bindings here , the app service resource provider well known service principal abfa0a7c-a6b6-4736-8310-5855508787cd should be authorized on the Key Vault. (with read secrets and read certs).
Adding that SP to the resource with rbac does not appear to work.
The documentation also mentions

Currently, Key Vault Certificate only supports Key Vault access policy but not RBAC model.

This lack of support between app service and Key Vault rbac permissions also appears to be mentioned in the documentation on configuring Key Vault rbac permissions

The deployed template for this repo provisions the Key Vault seems to use the RBAC model by default, which doesn't seem to allow the certificate binding import and sync for app service.

Will the rest of the setup still work if the vault is switched to access policy type and a Managed Identity for the functions is enabled + authorized?
Or would you suggest a different workaround to keep using the rbac Key Vault permissions?

[shibayan]

Questions about App Service and Key Vault should be directed to Azure support. I can only answer questions about Acmebot.

[shanrath]

Will the rest of the setup still work if the vault is switched to access policy type and a Managed Identity for the functions is enabled + authorized?
Or would you suggest a different workaround to keep using the rbac Key Vault permissions?

I eventually used policy based authorization on Key Vault, and listed the managed identity of the deployed azure function in it with certificate permissions similar to the KV certificate officer role
( see this migration guide , but in reverse ).

It looks similar to the setup that was previously used in the ARM template before the RBAC model was enabled.

The App service well known SP guid can then be added to the key vault policy with 'secret' and 'certificate' get permission to automatically update app service TLS bindings from Key Vault.