I'm trying to configure a custom domain with Azure Front Door Premium because it is the only one that allows me to have a custom domain.
The main issue is the certificate. I have my own SSL certificate. Azure Front Door Premium only allows selecting an SSL certificate from an Azure Key Vault. So, I created one and added the certificate. Fine. When I try to add the new domain with this screen
I can select a Secret from the list. To add a certificate, I now have to add a secret in Azure Front Door from Azure Key Vault. So, I open the Secret, select the certificate and click Add.
Unfortunately, I get an error
Failed to create the secret 'azuksch-CelloSSL-latest'. Error: We don't have permission to access this secret. Go to "Access policies" in your Key Vault account to give Microsoft.AzureFrontDoor-Cdn permission to get secrets.
So, I run
az ad sp create --id ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037
but I have the same issue when I try to add the secret in Azure Front Door. I googled a bit and I found that I have to run another command for Azure Front Door Premium
az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
and selected all the options for all three dropdown lists. Now, I have a lot of Access policies
Result: I always get the same error
Failed to create the secret 'azuksch-CelloSSL-latest'. Error: We don't have permission to access this secret. Go to "Access policies" in your Key Vault account to give Microsoft.AzureFrontDoor-Cdn permission to get secrets.
Can I fix it?
CodePudding user response:
The service principal that you initially created using id ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037 is for Azure Front Door, not for Azure Front Door Premium.
So, it won’t give permissions for Microsoft.AzureFrontDoor-Cdn. The documentation that you are following is also related to Azure Front Door not Azure Front Door Premium.
As mentioned in this Microsoft Doc:
Registering the service principal for Azure Front Door can only be done once per tenant.
So, even if you created the service principal again using this id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8, it won’t work, as far as I understand. Try deleting the first service principal that you created using id ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037.
Also, please check below note from Microsoft Doc:
Azure Front Door Standard/Premium (Preview) is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
As it is still in preview, some features won’t work. So, for the workaround you can make use of Azure Front Door. To know how to add custom domain with Azure Front Door, go through this reference if it is helpful.
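As an added example, not code from the question, the answer or Microsoft's documentation: the Azure CLI steps behind the answer's advice, written so that the Key Vault grant is least-privilege rather than "all the options for all three dropdown lists". It assumes the Front Door Standard/Premium application ID quoted in the answer, a placeholder vault name (VAULT_NAME), and a vault that uses the access-policy permission model (the one the error message points at). DRY_RUN=1, the default, prints each az command instead of executing it, so the script runs offline and can be reviewed before anything in the tenant is changed.

```shell
#!/bin/sh
# Added example (not from the question, the answer or Microsoft): register the
# Azure Front Door service principal and grant it read-only access to a Key
# Vault so the certificate secret can be selected in Front Door.
# Assumptions: FRONTDOOR_APP_ID is the Standard/Premium app ID quoted in the
# answer; VAULT_NAME is a placeholder for your own vault; the vault uses the
# access-policy permission model. DRY_RUN=1 (default) prints the commands.

FRONTDOOR_APP_ID="205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
VAULT_NAME="${VAULT_NAME:-my-keyvault-placeholder}"   # placeholder vault name
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Register the Front Door service principal in the tenant. 'az ad sp create'
# errors if the principal already exists, so look it up with 'az ad sp show'
# first (the lookup is skipped in dry-run mode, where nothing is queried).
ensure_service_principal() {
  if [ "$DRY_RUN" = "1" ] || ! az ad sp show --id "$FRONTDOOR_APP_ID" >/dev/null 2>&1; then
    run az ad sp create --id "$FRONTDOOR_APP_ID"
  fi
}

# Grant only what Front Door needs to read the uploaded certificate: get and
# list on secrets and certificates. Ticking every box in the portal also
# hands the principal set/delete/purge rights it never uses; keeping the
# policy to read operations limits the impact if that identity is misused.
# --spn resolves the service principal from its application ID.
grant_readonly_access() {
  run az keyvault set-policy --name "$VAULT_NAME" --spn "$FRONTDOOR_APP_ID" \
    --secret-permissions get list \
    --certificate-permissions get list
}

# Show the resulting access policies so the grant can be verified and audited.
show_policies() {
  run az keyvault show --name "$VAULT_NAME" --query "properties.accessPolicies"
}

ensure_service_principal
grant_readonly_access
show_policies
```

Run it once with DRY_RUN=1 to read the generated commands, then with DRY_RUN=0 in a shell already logged in with `az login`. If the vault is configured for Azure RBAC instead of access policies, `az keyvault set-policy` is not the right tool; the equivalent is a role assignment of the built-in "Key Vault Secrets User" role to the same application ID, scoped to the vault.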