| title | titleSuffix | description | services | documentationcenter | author | manager | editor | ms.service | ms.workload | ms.tgt_pltfrm | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Cannot add custom domain by using Key Vault certificate |
Azure API Management |
Learn how to troubleshoot the issue in which you can't add a custom domain in Azure API Management by using a key vault certificate. |
api-management |
genlin |
dcscontentpm |
api-management |
mobile |
na |
article |
07/19/2019 |
tehnoonr |
This article describes the "Failed to update API Management service hostnames" error that you may experience when you add a custom domain for the Azure API Management service. This article provides troubleshooting steps to help you resolve the issue.
When you try to add a custom domain for your API Management service by using a certificate from Azure Key Vault, you receive the following error message:
- Failed to update API Management service hostnames. Request to resource 'https://vaultname.vault.azure.net/secrets/secretname/?api-version=7.0' failed with StatusCode: Forbidden for RequestId: . Exception message: Operation returned an invalid status code 'Forbidden'.
The API Management service does not have permission to access the key vault that you're trying to use for the custom domain.
To resolve this issue, follow these steps:
- Go to the Azure portal, select your API Management instance, and then select Managed identities. Make sure that the Register with Azure Active Directory option is set to Yes.
- In the Azure portal, open the Key vaults service, and select the key vault that you're trying to use for the custom domain.
- Select Access policies, and check whether there is a service principal that matches the name of the API Management service instance. If there is, select the service principal, and make sure that it has the Get permission listed under Secret permissions.
- If the API Management service is not in the list, select Add access policy, and then create the following access policy:
- Configure from Template: None
- Select principal: Search the name of the API Management service, and then select it from the list
- Key permissions: None
- Secret permissions: Get
- Certificate permissions: None
- Select OK to create the access policy.
- Select Save to save the changes.
Check whether the issue is resolved. To do this, try to create the custom domain in the API Management service by using the Key Vault certificate.
Learn more about API Management service:
- Check out more videos about API Management.
-
For other ways to secure your back-end service, see Mutual Certificate authentication.