Describe the bug
We are looking to configure Azure Application Gateway Standard V2 to access TLS certificates stored in Azure Key Vault using a managed identity and RBAC roles (Key Vault Certificate User and Key Vault Secrets User). Despite assigning the correct roles and ensuring the setup is in the same region, the Application Gateway fails to access the Key Vault. The error message indicates that the Key Vault does not allow access to the managed identity, even though all configurations appear correct.
This behavior contradicts Azure’s recommended security model, which encourages using RBAC over access policies.
To Reproduce
Steps to reproduce the behavior:
- Deploy Azure Application Gateway Standard V2 with a managed identity.
- Assign RBAC roles (Key Vault Certificate User and Key Vault Secrets User) to the managed identity at the Key Vault scope and configure firewall rules as given in this documentation (https://learn.microsoft.com/en-us/azure/application-gateway/key-vault-certs).
- Attempt to configure an HTTPS listener with a certificate stored in Key Vault.
- Observe failure to access the certificate with error: “Key Vault doesn’t allow access to the managed identity.”

Azure support ticket associated with this issue: 2508050010000304
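The steps above touch three settings that each independently produce the "Key Vault doesn't allow access to the managed identity" outcome: the vault's permission model, the role actually held by the gateway's identity, and the vault firewall. The following checker is an added example, not code from this issue, from Azure, or from Microsoft tooling. It evaluates those three settings over the JSON shapes returned by `az keyvault show` (`properties.enableRbacAuthorization`, `properties.networkAcls`) and `az role assignment list --scope <vault-id> --include-inherited` (`principalId`, `roleDefinitionName`); the vault records, role assignments and principal id below are constructed, and the function name `check_keyvault_access` is an assumption of this example.

```python
# Added example: checklist for an Application Gateway v2 managed identity that must
# read a certificate from Key Vault. Not from the issue or from Azure tooling; the
# input dicts mirror `az keyvault show` / `az role assignment list` output and the
# sample records are constructed.

# Roles whose data actions include reading secrets. Application Gateway fetches the
# certificate with its private key through the secrets endpoint, so
# "Key Vault Certificate User" on its own does not grant what the gateway needs.
SECRET_READ_ROLES = {
    "Key Vault Secrets User",
    "Key Vault Secrets Officer",
    "Key Vault Administrator",
}


def check_keyvault_access(vault, assignments, principal_id):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    props = vault.get("properties", {})

    # 1. Permission model: RBAC role assignments only take effect when the vault
    #    itself is switched to the RBAC authorization model.
    if not props.get("enableRbacAuthorization", False):
        findings.append(
            "vault uses the access-policy permission model; RBAC role assignments "
            "on it are ignored"
        )

    # 2. Role: the gateway identity needs a role that grants secrets/get.
    roles = {
        a.get("roleDefinitionName")
        for a in assignments
        if a.get("principalId") == principal_id
    }
    if not roles & SECRET_READ_ROLES:
        held = ", ".join(sorted(r for r in roles if r)) or "none"
        findings.append(
            "identity holds no secrets-reading role (holds: %s); "
            "assign Key Vault Secrets User" % held
        )

    # 3. Firewall: with a default-deny firewall, Application Gateway reaches the
    #    vault as a trusted Azure service, so the bypass must be AzureServices.
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction", "Allow") == "Deny" and acls.get("bypass") != "AzureServices":
        findings.append(
            "vault firewall denies by default and does not bypass trusted Azure services"
        )

    return findings


# Constructed sample data (not real identifiers).
APPGW_PRINCIPAL = "00000000-0000-0000-0000-00000000abcd"

# Weak setup: access-policy model, certificate role only, firewall without bypass.
MISCONFIGURED_VAULT = {
    "name": "kv-example",
    "properties": {
        "enableRbacAuthorization": False,
        "networkAcls": {"defaultAction": "Deny", "bypass": "None"},
    },
}
MISCONFIGURED_ASSIGNMENTS = [
    {"principalId": APPGW_PRINCIPAL, "roleDefinitionName": "Key Vault Certificate User"},
]

# Corrected setup: RBAC model, Secrets User added, trusted-services bypass enabled.
CORRECTED_VAULT = {
    "name": "kv-example",
    "properties": {
        "enableRbacAuthorization": True,
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
    },
}
CORRECTED_ASSIGNMENTS = [
    {"principalId": APPGW_PRINCIPAL, "roleDefinitionName": "Key Vault Certificate User"},
    {"principalId": APPGW_PRINCIPAL, "roleDefinitionName": "Key Vault Secrets User"},
]

if __name__ == "__main__":
    for label, vault, assignments in (
        ("misconfigured", MISCONFIGURED_VAULT, MISCONFIGURED_ASSIGNMENTS),
        ("corrected", CORRECTED_VAULT, CORRECTED_ASSIGNMENTS),
    ):
        result = check_keyvault_access(vault, assignments, APPGW_PRINCIPAL)
        print(label + ":", result or ["no findings"])
```

Run it against real output by loading the two `az` JSON documents and passing the gateway identity's `principalId` (from `az network application-gateway identity show`, or the user-assigned identity's `principalId`). A role assignment on a different principal id, for example the identity's `clientId` pasted by mistake, shows up as the "no secrets-reading role" finding.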