Common key vault errors in Application Gateway – Azure Application Gateway

This article explains the Key Vault error codes you might encounter when using Application Gateway, what causes each of them, and the steps to resolve such misconfigurations.

Use a secret identifier that doesn’t specify a version. This way, Azure Application Gateway automatically rotates the certificate if a newer version is available in Azure Key Vault. An example of a secret URI without a version is: https://myvault.vault.azure.net/secrets/mysecret/.

List of error codes and their details

The following sections cover various errors you might encounter. You can find the details in Azure Advisor, and use this troubleshooting article to fix the problems. For more information, see Create Azure Advisor alerts on new recommendations by using the Azure portal.

Azure Application Gateway generates logs for key vault diagnostics every four hours. If the diagnostic continues to show the error after you have fixed the configuration, you might have to wait for the logs to be refreshed.

Error code: UserAssignedIdentityDoesNotHaveGetPermissionOnKeyVault

Description: The associated user-assigned managed identity doesn’t have the “Get” permission.

Resolution: Configure the access policy of Key Vault to grant the user-assigned managed identity this permission on secrets.

  1. Go to the linked key vault in the Azure portal.
  2. Open the Access policies pane.
  3. For Permission model, select Vault access policy.
  4. Under Secret Management Operations, select the Get permission.
  5. Select Save.

 Screenshot that shows how to resolve the Get permission error.

For more information, see Assign a Key Vault access policy by using the Azure portal.

Error code: SecretDisabled

Description: The associated certificate has been disabled in Key Vault.

Resolution: Re-enable the certificate version that is currently in use for Application Gateway.

  1. Go to the linked key vault in the Azure portal.
  2. Open the Certificates pane.
  3. Select the required certificate name, and then select the disabled version.
  4. On the management page, use the toggle to enable that certificate version.

Screenshot that shows how to re-enable a secret.

Error code: SecretDeletedFromKeyVault

Description: The associated certificate has been deleted from Key Vault.

Resolution: To recover a deleted certificate:

  1. Go to the linked key vault in the Azure portal.
  2. Open the Certificates pane.
  3. Use the Managed deleted certificates tab to recover a deleted certificate.

On the other hand, if the certificate object has been permanently deleted, you need to create a new certificate and update Application Gateway with the new certificate details. When you configure this through the Azure CLI or Azure PowerShell, use a secret identifier URI without a version. This allows the gateway instances to retrieve a renewed version of the certificate, if one exists.

Screenshot that shows how to recover a deleted certificate in Key Vault.

Error code: UserAssignedManagedIdentityNotFound

Description: The associated user-assigned managed identity has been deleted.

Resolution: To use the identity again:

  1. Re-create a managed identity with the same name that was used previously, and under the same resource group. Resource activity logs contain more details.
  2. After you create the identity, go to Application Gateway – Access Control (IAM). Assign the identity the Reader role, at a minimum.
  3. Finally, go to the desired Key Vault resource, and set its access policies to grant Get secret permissions for this new managed identity.

For more information, see How integration works.
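As an added example that is not part of the original article, the following Azure CLI script carries out the SecretDeletedFromKeyVault and UserAssignedManagedIdentityNotFound resolutions above without the portal: it re-creates the identity, grants it Reader on the gateway and Get on the vault's secrets, and re-links the gateway's certificate using a versionless secret identifier. It assumes an authenticated `az` session and a vault using the vault access policy permission model; the resource names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Azure docs page): repair the Key Vault link of an
# Application Gateway with the Azure CLI. Assumes an authenticated `az` session;
# every resource name below is a constructed placeholder.
set -eu
RG="rg-appgw-demo"           # placeholder resource group
APPGW="appgw-demo"           # placeholder Application Gateway name
VAULT="myvault"              # vault name from the article's example URI
IDENTITY="id-appgw-demo"     # placeholder user-assigned managed identity name
CERT_NAME="mysecret"         # secret name from the article's example URI

# Normalize a Key Vault secret identifier to its versionless form so the gateway
# picks up rotated versions (the article's tip); status 1 if it is not a /secrets/ URI.
versionless_secret_id() {
  id=${1%/}                                        # drop a trailing slash, if any
  case "$id" in
    https://*/secrets/*/*) printf '%s/\n' "${id%/*}" ;;   # strip the version segment
    https://*/secrets/*)   printf '%s/\n' "$id" ;;
    *) echo "not a Key Vault secret identifier: $1" >&2; return 1 ;;
  esac
}

# UserAssignedManagedIdentityNotFound: re-create the identity under the same name,
# give it Reader on the gateway and Get on the vault's secrets (access-policy model).
relink_identity() {
  principal_id=$(az identity create --name "$IDENTITY" --resource-group "$RG" \
                   --query principalId --output tsv)
  appgw_id=$(az network application-gateway show --name "$APPGW" --resource-group "$RG" \
               --query id --output tsv)
  az role assignment create --assignee-object-id "$principal_id" \
     --assignee-principal-type ServicePrincipal --role Reader --scope "$appgw_id" >/dev/null
  az keyvault set-policy --name "$VAULT" --object-id "$principal_id" \
     --secret-permissions get >/dev/null
}

# SecretDeletedFromKeyVault: after creating a replacement certificate, point the
# gateway's SSL certificate at the versionless identifier, not a pinned version.
update_gateway_cert() {
  secret_id=$(az keyvault secret show --vault-name "$VAULT" --name "$CERT_NAME" \
                --query id --output tsv)
  az network application-gateway ssl-cert update --gateway-name "$APPGW" \
     --resource-group "$RG" --name "$CERT_NAME" \
     --key-vault-secret-id "$(versionless_secret_id "$secret_id")" >/dev/null
}

# Only touch Azure when explicitly asked; running without --apply just defines helpers.
if [ "${1:-}" = "--apply" ]; then
  relink_identity
  update_gateway_cert
fi
```

Run it with `--apply` once the placeholders are replaced; the key vault diagnostics may take up to four hours to reflect the repaired configuration, as noted above.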

Error code: KeyVaultHasRestrictedAccess

Description: There’s a restricted network setting for Key Vault.

Resolution: You encounter this error when you enable the Key Vault firewall for restricted access. You can still configure Application Gateway with a network-restricted Key Vault by following these steps:

  1. In Key Vault, open the Networking pane.
  2. Select the Firewalls and virtual networks tab, and select Private endpoint and selected networks.
  3. Then, under Virtual Networks, add your Application Gateway’s virtual network and subnet. During the process, also configure the ‘Microsoft.KeyVault’ service endpoint by selecting its checkbox.
  4. Finally, select Yes to allow Trusted Services to bypass Key Vault’s firewall.

Screenshot that shows how to work around the restricted network error.

Error code: KeyVaultSoftDeleted

Description: The associated key vault is in soft-delete state.

Resolution: In the Azure portal, search for key vault. Under Services, select Key vaults.

Screenshot that shows how to search for the Key Vault service.

Select Managed deleted vaults. From here, you can find the deleted Key Vault resource and recover it.

Screenshot that shows how to recover a deleted key vault.

Error code: CustomerKeyVaultSubscriptionDisabled

Description: The subscription for Key Vault is disabled.

Resolution: Your Azure subscription can get disabled for various reasons. For the steps to resolve this, see Reactivating a disabled Azure subscription.

Next steps

These troubleshooting articles might be helpful as you continue to use Application Gateway:
