New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Application Gateway: Integration with Key Vault does not work #33157
Comments
@DanijelMalik , Thanks for your feedback. We are looking into this query and will update you as soon as possible. |
@DanijelMalik , Could please provide us with the powershell output for this error. Which look similar to this, |
@DanijelMalik , Just checking whether you got some time to view the previous response. |
@DanijelMalik, Since we have not heard back from you we will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly reopen the issue and continue the discussion. |
Same issue here. |
For me this was resolved by enabling soft deletion on the key vault. There is an existing issue about this requirement not being documented: #34382 |
Hi, I'm experiencing the same issue. What seems to be the problem is that although the keyvault allows access from the appGw subnet (via the Firewalls and virtual networks settings blade in the keyvault configuration); and the appGw subnet is being input to New-AzApplicationGateway via the -GatewayIpConfigurations argument the appGw do not seem to be able to access the keyvault (the identity has access rights in the keyvault access policies as well). When I allow access to the keyvault from "all networks" it seems to work fine. Perhaps in the appGw creation process the keyvault is being accessed before the appGw is configured with the subnet and the keyvault then sees this access from somewhere else than the subnet? I'm running the powershell script locally but my IP has access to the key vault as well so that should not be the problem. |
I see the same issue |
I have the same issue. I'm using Azure CLI 2.0.76. My application gateway and key vault are in different resource groups in the same subscription. The key vault has soft delete enabled, can be accesses from all networks and has an access policy for the application gateway's assigned user assigned identity with the get secrets permission.
results in (abbreviated)
|
If I edit the application gateway HTTP listener in Azure Portal and try to get the SSL certificate from the key vault there, I get this error:
|
This worked for me too. Only change I made from failure to success was to allow all networks |
@wolfganggallo I'm getting this exact same error. My azure portal seems to be stuck in an error state now as well and does not let me make any changes. Did you manage to fix this? |
Att: @SubhashVasarapu-MSFT -- please reopen. I"m getting the same issue: "The 'UserAssignedIdentities' property keys should only be empty json objects, null or the resource exisiting property", and my -- keyvault in a different resource group and vnet. I think in my case the vnets are not peered, so there is no route between the APIM instance and the keyvault at runtime, but the Azure Portal UI will still list the keyvault as available to use, and allow it to be linked to the listener. I am going to create a temporary vnet peering to see if it resolves the issue so that I may remove the listener. My Appgw is currently broken as a result: UPDATE Yes, that's the problem. The Azure Portal will show you key vaults that are not actually available at runtime, and saving the listener's settings will break your Appgw. The quick fix is to go to the keyvault and temporarily open it to "all networks / internet" then re-save your listener. What you do then is up to you - copy the cert to a local keyvault, or add a vnet peering, or add the missing subnet. Ultimately the portal should validate the network accessibility between appgw and the kyvault. Bug. 2nd UPDATE Just to be clear: This completely BREAKS the Portal UI. AppGw CANNOT be fixed over the portal. Subsequent saves fail. |
I just hit this error as well in Portal UI. Soft delete is enabled. Allowing all networks work-around worked. Please reopen, being able to use the whitelist is good security. |
@SubhashVasarapu-MSFT Please reopen. We are coping with a similar same issue. Portal UI is completely broken. Every operations fails with the following message: |
@PgInsight @oising Did you only need to set the "Allow All Networks" to get the AppGw working again? We have a problem with the same symptoms, but we have the KeyVault in the same subnet, possibly a different root cause. I cannot do anything using UI, PowerShell, CLI or Resource Explorer. |
Setting all networks Allow on the KeyVault and we also needed to set the Soft Delete flag on the Key Vault using PowerShell cmd.
|
I had the same issue. However I was able to solve issue by removing the Key Vault certificate using PowerShell and not resource explorer using explorer showed the below error:
|
@SubhashVasarapu-MSFT This needs to be reopened. The App Gateway should never end up in a disabled/broken state like this -- I've hit the same issue again. How can this be escalated? This is not a documentation issue. This is a product quality issue. To summarize: When configuring a listener to use an SSL certificate in a remote keyvault, the portal UI will let you configure the listener with a keyvault that is unavailable at runtime to the appgw due to network restrictions (not open to internet, selected subnets only). After you do this, the App Gateway portal interface is BROKEN for all listeners. |
I will be taking this forward to the respective team. |
@dfendit @Patrik-Berglund can you two provide some details on your setups/goal and the steps you take to hit the problem? |
@mscatyao The note makes it seem like you could do the following:
In other words: https://docs.microsoft.com/en-us/azure/application-gateway/media/key-vault-certs/key-vault-firewall.png I can just check d) and not bother with adding the application gateway via b) and c). However, according to my tests and Microsoft support, this is not correct:
So there seems to be some improvement over the old status quo where we had to allow all networks, but the note https://user-images.githubusercontent.com/14315890/112624676-3abc7080-8e2e-11eb-8645-342bd48b8408.png is at best misleading, if not wrong. Furthermore, when trying to deploy an Application Gateway without networking access to the KeyVault, it ends up in a failed state with a generic error message that something went wrong. This could also be improved. |
I've been struggling with this issue for two days straight. The one difference I've found (not I have not seen mentioned here) is that when I use Here is a snippet from my app gateway ARM code.
I'm assigning a managed identity (already set up/provisioned) to the app gateway. The managed identity has Get and List permissions for the key vault. I'm then using the However, when I try to provision the app gateway in a different resource group than the key vault, it fails with this error message:
The Key Vault's Networking is set to "All Network's", it has soft delete enabled, and the Days to retain deleted vaults is set to 90. the App Gateway and Key Vault are in the same region (Central US). I am running the deployment as a user who has the "Owner" role, so I should have the appropriate permissions to deploy anything across the entire subscription. I've tried following the rather convoluted new guidance on how this should be done here and it does not work. More specifically, this section Where it claims: "The values of appGatewaySSLCertificateData and appGatewaySSLCertificatePassword are looked up from the key vault as described in the section Reference secrets with dynamic ID." I tried to call out to the key vault using template parameters:
And change my sslCertficates array in my ARM code with this code:
And it did not work. |
"when trying to deploy an Application Gateway without networking access to the KeyVault" @Martin-Idel-SI, what does this mean specifically? Do you mean key vault Networking is set to "Private endpoint and selected networks" instead of "All Networks" and the vnet/subnet that the app gateway lives in is not whitelisted for the key valut? |
@mgmccarthy If the app-gateway subnet is whitelisted - everything is working as expected on my end. |
what kind of access does app-gateway have to private endpoint for keyvault in your last line? I have also been testing it today and it simply does not work without adding the virtual network/subnet where application gateway lives in. |
@Martin-Idel-SI and @nikidandwani, turns out the root cause of my issue was the person who was responsible for creating and then uploading the certificate to key vault was doing it in PEM format, instead of PFX format. Apparently, app gateway's don't support PEM formatted certs, but key vault can have either one uploaded to it. After those certs were changed to PFX format and uploaded to key vault, everything worked as expected. Just to clarify what that means, this code in app gateway ARM:
Where kevVaultSecretId is this URL (I put it together as a variable at the top of the app gateway arm template):
works perfectly. Note, even though I'm pointing to "secrets" in the url path, it is picking up the certificates under the Certificates blade in key vault. |
It appears, anecdotally, that the transient error which renders an Application Gateway using Key Vault (both in a private network) inaccessible has been addressed? Does anyone know if Microsoft actively fixed this, or is it simply a case that the people on this thread do not tear-down & stand-up their environments often enough to have been affected by it? |
For me, it works like this:
Note that the private link consists of multiple parts:
Setup is done via terraform. |
Hey here! We have some other issues when we try to attach a self-signed certificate (PEM, X509) stored in KeyVault to Application Gateway in Listener.
Error: "statusMessage": "{\"status\":\"Failed\",\"error\":{\"code\":\"ResourceOperationFailure\",\"message\":\"The resource operation completed with terminal provisioning state 'Failed'.\",\"details\":[{\"code\":\"ApplicationGatewayKeyVaultSecretException\",\"message\":\"Problem occured while accessing and validating KeyVault Secrets associated with Application Gateway '/subscriptions/XYZ/resourceGroups/xyz-resource-group/providers/Microsoft.Network/applicationGateways/xyz-gateway-001'. See details below:\",\"details\":[{\"code\":\"ApplicationGatewaySslCertificateInvalidData\",\"message\":\"Data or Password for certificate /subscriptions/XYZ/resourceGroups/xyz-resource-group/providers/Microsoft.Network/applicationGateways/xyz-gateway-001/sslCertificates/xyz-listener-httpsvaultCert is invalid.\"}]}]}}", |
This is getting to be ridiculous. How am I meant to reconcile the above information with an email we just received (yes, our keyvault is configured to allow trusted services): |
Here is our setup: Certificate generated and signed in Azure Key Vault by an external CA, public access enabled on Keyvault (no network restrictions). EDIT Certificat was generated in PEM format. When trying to link keyvault with App Gateway, I have the same error as OP. To fix my issue: Application Gateway is too dumb to accept a non-password protected certificate (there is no password on a certificate created in Azure Keyvault, duh!), so we have to set a password to be able to use the certificate created in the Keyvault. I hope this will get fixed by Microsoft, what a lost of time to find this out... EDIT We tried a certificate generated with Azure Keyvault in PKCS12 format (first try was with a PEM generated certificate), it did work without having to export/add password/import. WOW |
Our team has bee banging heads against the wall for almost two days with this issue on V2_WAF. Doesn't help that deleting and provisioning an appgw takes 15 minutes each and the error messages usually just say "Failed" or "InternalServerError" without any more explanation. We finally solved it by allowing the Virtual Network for the AppGW in the KeyVault Networking Firewall. Some other conclusion: Our keyvault has a shorter retention policy from the 90 day, so that workaround used further up in this thread is likely no longer needed. |
This doc says that service endpoint is must: |
Thank you all for the feedback and sharing the details of the issue that you encountered. Based on your comments, we have updated the documentation to clarify the below points.
Apologies for the inconvenience. |
@SubhashVasarapu-MSFT can you close the issue? |
Is this functional in Azure Gov Virginia? Even with the Trusted Services setting, we're still having to temporarily open up the firewall on the key-vault in order for this to work. |
we are still seeing inconsistencies with leveraging the KV for Certs and the App GW. Especially when certs are not from the same KV or even manually uploaded into the AppGW. |
I also have this issue - with allow all networks, trusted services, soft delete enabled 90 days etc Most of my time of having the appgw deployed in code was troubleshooting and finding workarounds |
Am experiencing the same issue, i will try to read all the comments here and see if something will help. On a side note am using Terraform to deploy application gateway v2, key vault, keyvault ceriticate, keyvault secret and managed identity that is used to access keyvault. |
Yeah, we had "network all" and the correct permissions to certificates and secrets. However, I had initially uploaded a PEM with the key, cert and CA intermediates in it. Doing the same but with a PFX and AppGW worked fine without any other changes. My suggestion is the "pop-up" in the AppGW for adding from a keyvault gets a nice big "this only works with imported PFX files" message. |
Hello Team, Trying to consolidate down this thread, as it's a bit lengthy. We've updated the Key Vault documentation quite a bit to reflect network permissions and key vault permissions, so I hope those changes address the items covered in this thread. To clarify a few statements made on this thread:
If the documentation and items outlined in this thread do not work, please open a support case so we can determine root cause. This will allow us to ensure we get you up and running as well as enable us to document additional gotchas for configuring this setup. Thank you! #please-close |
Here's my setup
Deploying AppGW via ARM Template, deployment hangs and errors out after 30 minutes. If I enabled Service Endpoints and add the AppGW's subnet to the KeyVault Firewall, it works! Based on the documentation the AppGW should be able to talk to the KeyVault over its Private Endpoint, but that is not what I'm seeing in action. |
@nnellanspdl, it sounds like traffic is still trying to egress via public IP. I would verify DNS configuration is correct, with the Azure DNS zone associated to the VNET that contains Application Gateway. If you still see the issue, please open a support case so we can further investigate. Thanks! |
I had the same problem and now it's resolved. |
I ran into this issue, and found something else that'd be useful to be added to the documentation I had everything correct, except that the user account I was logged in with, didn't have the 'Get' Secret permission in the Key vault Access policies 😮💨 So it's not only the managed identity that requires the 'Get' permision, but also the user account that you are using ... |
Can anyone post a concrete example for Terraform or ARM as we are also struggling with Private Endpoint + RBAC. |
Just following up for posterity - we encountered this issue in GCC High today, and the fix was this solution. We had to forcibly remove the failed SSL cert via CLI, then remove the AGW permissions on the keyvault. Re-add permissions, then readd the cert. After getting the AGW out of the failed state, it worked as expected. |
According to this article we should be able to integrate Application Gateway with Key Vault but it doesn't seem to work as advertised. Any attempt to add Key Vault certificate leads to AppGW ending in a Failed state with the following message:
Long running operation failed with status 'Failed'. Additional Info:'Problem occured while accessing and validating KeyVault Secrets associated with Application Gateway
Managed Identity has access to Key Vault - I verified this from an Azure VM.
Any ideas what is causing this issue?
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The text was updated successfully, but these errors were encountered: