How to convert existing API Management named values from Secret type to Key Vault reference

Shamod Wijerathne 20 Reputation points
2024-12-18T18:41:41.4533333+00:00

I have received Azure Advisor recommendations regarding API Management security enhancement, specifically stating that 'API Management secret named values should be stored in Azure Key Vault.' In our organization, we have multiple API Management instances where several named values are currently set to type 'Secret'. Instead of creating new named values, I would like to know if it's possible to modify the existing ones by changing their type from 'Secret' to 'Key Vault' directly through the Azure portal. Would this approach effectively address the Azure Advisor recommendation? Has anyone successfully implemented this specific scenario?

Tags: Azure Key Vault, Azure API Management, Azure Policy

Accepted answer
Shikha Ghildiyal 1,170 Reputation points Microsoft Employee
2024-12-20T05:48:24.3933333+00:00

Hi @Shamod Wijerathne,

Thanks for reaching out to Microsoft Q&A.

Yes, it's possible to modify the values. Please follow the steps below:

Caution: When using a key vault secret in API Management, be careful not to delete the secret, key vault, or managed identity used to access the key vault.

1. In the Azure portal, navigate to your API Management instance.
2. Under APIs, select Named values > +Add.
3. Enter a Name identifier, and enter a Display name used to reference the property in policies.
4. In Value type, select Key vault.
5. Enter the identifier of a key vault secret (without version), or choose Select to select a secret from a key vault.
   Important: If you enter a key vault secret identifier yourself, ensure that it doesn't have version information. Otherwise, the secret won't rotate automatically in API Management after an update in the key vault.
6. In Client identity, select a system-assigned or an existing user-assigned managed identity. Learn how to add or modify managed identities in your API Management service.
   Note: The identity needs permissions to get and list secrets from the key vault. If you haven't already configured access to the key vault, API Management prompts you so it can automatically configure the identity with the necessary permissions.
7. Add one or more optional tags to help organize your named values, then Save.
8. Select Create.

Reference Document - https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-properties?tabs=azure-portal

Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
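The accepted answer describes the portal flow. For organisations with several API Management instances, the same change is usually scripted against the ARM resource for the existing named value, and the one thing that is easy to get wrong is step 5: a secret identifier that still carries its version pins API Management to that version and silently breaks automatic rotation. The following is an added example, not code from the Q&A post or from Microsoft. It assumes the ARM shape of Microsoft.ApiManagement/service/namedValues (properties.keyVault.secretIdentifier, properties.keyVault.identityClientId, properties.secret) and uses placeholder subscription, resource-group, vault and identity values; it normalises the identifier to its versionless form, builds the PUT body that switches an existing Secret-type named value to a Key Vault reference, and assembles the az rest command without running it.

```python
"""Switch an existing API Management named value from type Secret to a Key Vault
reference (added example; resource names and IDs below are placeholders)."""
import json
import re
from typing import List, Optional
from urllib.parse import urlparse

# Key Vault secret identifier: https://<vault-host>/secrets/<name>[/<32-hex version>]
_SECRET_PATH = re.compile(r"^/secrets/([A-Za-z0-9-]{1,127})(?:/([0-9a-f]{32}))?/?$")


def versionless_secret_identifier(identifier: str) -> str:
    """Return the secret identifier with any version suffix stripped.

    API Management only picks up a rotated secret automatically when the
    reference has no version, so a versioned URI is normalised rather than
    used as-is. Anything that is not an https Key Vault *secret* URI (for
    example a key or certificate URI) raises ValueError.
    """
    parsed = urlparse(identifier)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"not an https Key Vault URI: {identifier!r}")
    match = _SECRET_PATH.match(parsed.path)
    if not match:
        raise ValueError(f"not a Key Vault secret identifier: {identifier!r}")
    return f"https://{parsed.netloc}/secrets/{match.group(1)}"


def key_vault_named_value_body(display_name: str, secret_identifier: str,
                               identity_client_id: Optional[str] = None,
                               tags: Optional[List[str]] = None) -> dict:
    """Build the PUT body that turns a named value into a Key Vault reference.

    identity_client_id=None selects the instance's system-assigned identity
    (the key is omitted); pass the client ID of a user-assigned identity
    otherwise. The identity must be able to get and list secrets in the vault.
    """
    key_vault = {"secretIdentifier": versionless_secret_identifier(secret_identifier)}
    if identity_client_id is not None:
        key_vault["identityClientId"] = identity_client_id
    return {
        "properties": {
            "displayName": display_name,
            "secret": True,  # value stays hidden in the portal and in ARM reads
            "keyVault": key_vault,
            "tags": tags or [],
        }
    }


def az_rest_put_command(subscription_id: str, resource_group: str, service_name: str,
                        named_value_id: str, body: dict,
                        api_version: str = "2022-08-01") -> List[str]:
    """Assemble (but do not run) the az rest call that updates the named value in place.

    Re-using the existing named_value_id is what keeps policies that reference
    the display name working, so no new named value has to be created.
    """
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/resourceGroups/{resource_group}/providers/Microsoft.ApiManagement"
           f"/service/{service_name}/namedValues/{named_value_id}"
           f"?api-version={api_version}")
    return ["az", "rest", "--method", "put", "--url", url, "--body", json.dumps(body)]


if __name__ == "__main__":
    # Constructed sample: a versioned identifier as copied from the Key Vault blade.
    versioned = ("https://kv-example.vault.azure.net/secrets/backend-api-key/"
                 "0123456789abcdef0123456789abcdef")
    body = key_vault_named_value_body("backend-api-key", versioned, tags=["migrated"])
    cmd = az_rest_put_command("00000000-0000-0000-0000-000000000000", "rg-apim",
                              "apim-example", "backend-api-key", body)
    print(" ".join(cmd))
```

Run the printed command (or call the same URL from a pipeline) once per named value; after the PUT, the named value shows type Key vault in the portal and Advisor no longer flags it as a plain secret.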

