Application Gateway “Key Vault Doesn’t Allow Access to the Managed Identity” Error Despite Proper RBAC Role Assignments

Question

Application Gateway “Key Vault Doesn’t Allow Access to the Managed Identity” Error Despite Proper RBAC Role Assignments

Gavin 20

I’m using a Standard_v2 Application Gateway to serve HTTPS for a web app deployed on an Azure VM. I’ve attached a user-assigned managed identity to the Application Gateway using the Identity blade in the portal. My Key Vault is configured in Azure RBAC mode (not the legacy access policies). I’ve assigned the following roles to the gateway’s managed identity at the Key Vault resource scope:

Key Vault Administrator (which includes both certificate and secret read permissions)

Key Vault Certificates Officer

Key Vault Secrets Officer

There are no deny assignments or resource locks, and I’ve waited several hours for all role assignments to propagate. Despite all of this, when I try to configure an HTTPS listener on the Application Gateway to “choose a certificate from Key Vault,” I receive the error:

“This key vault doesn’t allow access to the managed identity.”

What additional configuration or troubleshooting steps could resolve this issue?

I’ve verified that both the Key Vault and Application Gateway are in the same subscription and tenant.

The managed identity shown in the Application Gateway matches the one receiving the RBAC assignments in Key Vault.

Activity logs in Key Vault show no further authorization failures.

Has anyone encountered this persistent error under similar conditions? Any insights or recommendations would be greatly appreciated.I’m using a Standard_v2 Application Gateway to serve HTTPS for a web app deployed on an Azure VM. I’ve attached a user-assigned managed identity to the Application Gateway using the Identity blade in the portal. My Key Vault is configured in Azure RBAC mode (not the legacy access policies). I’ve assigned the following roles to the gateway’s managed identity at the Key Vault resource scope:

Key Vault Administrator (which includes both certificate and secret read permissions)

Key Vault Certificates Officer

Key Vault Secrets Officer

There are no deny assignments or resource locks, and I’ve waited several hours for all role assignments to propagate. Despite all of this, when I try to configure an HTTPS listener on the Application Gateway to “choose a certificate from Key Vault,” I receive the error:

“This key vault doesn’t allow access to the managed identity.”

What additional configuration or troubleshooting steps could resolve this issue?

I’ve verified that both the Key Vault and Application Gateway are in the same subscription and tenant.

The managed identity shown in the Application Gateway matches the one receiving the RBAC assignments in Key Vault.

Activity logs in Key Vault show no further authorization failures.

Has anyone encountered this persistent error under similar conditions? Any insights or recommendations would be greatly appreciated.

UJTyagi-MSFT 930 Reputation points Microsoft Employee

2025-04-11T04:30:25.55+00:00
Hi @Gavin

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

From your description it seems your configuration seems to be correct. However, it seems the application gateway secret request call is not getting accepted on the key vault.

It could be that application gateway is not making a call using the managed identity itself

or there could be Network based restrictions.

Can you kindly confirm the diagnostic settings configuration under the key vault and confirm if you have any log analytics workspace configured to collect the Key vault logs.

If there is log analytics workspace configured, then kindly go to log section and run below queries for last 24 hours to see if application gateway managed identity logs are getting registered.

AzureDiagnostics | where ResourceProvider == "MICROSOFT.KEYVAULT" AZKVAuditLogs | where HttpStatusCode >= 300 and not(OperationName == "Authentication" and HttpStatusCode == 401)

If you see any logs there for application gateway managed identity or ip address.

If there are no logs it could be a Network level issue, in that case Kindly check the networking configuration on key vault and see if it is Allow public access from all networks

if you are choosing second option, see if the application gateway public Ip is allowed or application gateway subnet is added if you are using service endpoint.

If you are using Private end point connections, ensure that the application gateway virtual network is associated with private end point and correct DNS configuration is in place

Kindly refer the below links for more details :

https://learn.microsoft.com/en-us/azure/key-vault/general/how-to-azure-key-vault-network-security?tabs=azure-portal

https://learn.microsoft.com/en-us/azure/key-vault/general/network-security?source=recommendations

Kindly write back if you have any further queries.

Regards

Ujjawal Tyagi
Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-04-11T18:50:38.0233333+00:00

Hello Gavin
Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Accepted answer

0 additional answers

Your answer

Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-04-11T18:50:38.0233333+00:00

Hello Gavin
Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 1

Praveen Bandaru 2,665 Microsoft External Staff

Hello Gavin

I understand that you are trying to add the certificate in the application gateway from the key vault, but it is failing.

If you want to add a certificate from the key vault, you can use the "vault access policy".

Select the managed identity as the principal and grant it the 'Get' and 'List' permissions for both Secrets and Certificates.

Check the below screen shot for more understanding:

User's image

We tested it in our environment, and it is working for us. If you still encounter the issue after testing this step, please try to share a screenshot of the error.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Praveen Bandaru 2,665 Reputation points Microsoft External Staff

2025-04-11T20:00:23.8166667+00:00

Hello Gavin

I have converted my comment into an answer. Please review and accept the answer.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Share via

Application Gateway “Key Vault Doesn’t Allow Access to the Managed Identity” Error Despite Proper RBAC Role Assignments

0 additional answers

Your answer