APIM connection to KV via Managed Identity fails

Marcelo Silva 30 Reputation points Microsoft Employee
2023-02-11T14:37:02.0733333+00:00

I'm following the setup described here: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-properties?WT.mc_id=Portal-fx&tabs=azure-cli

I set up APIM with a system managed identity, then go to KV, grant Key Vault Secrets User to the APIM identity, but when I try to set a named value to a secret in KV, I get this error:

"Failed to create named value: One or more fields contain incorrect values:
System-Assigned Managed Identity is required to access keyvault secret, which is not enabled. For more information please see aka.ms/apimmsi."

However, it does not make any sense.

Any help appreciated.


Accepted answer
  1. Marilee Turscak-MSFT 36,866 Reputation points Microsoft Employee
    2023-02-15T00:13:25.2233333+00:00

    Hi Marcelo Silva,

    The error typically means that the System Assigned Managed Identity is not enabled to access the Key Vault secret. I've also seen some temporary issues that have caused this error to get thrown, so please try these steps:

    1.) Please confirm that you have enabled the System Assigned Managed Identity.

    2.) If it is already enabled, please disable and enable the managed identity from the portal to confirm it works. If you set the Status to "Off" and hit "Save", and then set it to "On" again and hit "Save" again, you may see the error disappear.

    The error can sometimes be misleading, though, and I have also seen some cases where this happens when there is a firewall blocking the access, or if the named value exceeds the 4096 limit.
    If the steps I suggested don't work, feel free to reach out to me on Teams if you would like to troubleshoot further.

    If the information helped you, please Accept the answer. This will help us and improve searchability in the community for others who are researching similar issues.

    1 person found this answer helpful.
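
The causes named in the answer above can be checked from the resource JSON before retrying the named value. The following is an added example, not part of the original thread or of Microsoft's tooling: it assumes you have saved the output of `az apim show` and `az keyvault show` as JSON, uses constructed sample documents, treats the 4096 limit as a character count, and also checks that the vault uses the Azure RBAC permission model, since a role such as Key Vault Secrets User has no effect on a vault that uses access policies.

```python
import json

NAMED_VALUE_LIMIT = 4096  # limit quoted in the answer; assumed to count characters

def triage(apim, vault, secret_value=None):
    """Check resource JSON against the causes named in the answer; return findings."""
    findings = []
    # APIM identity.type: "None", "SystemAssigned", "UserAssigned",
    # or "SystemAssigned, UserAssigned"; the whole identity block may be null.
    id_type = (apim.get("identity") or {}).get("type") or "None"
    if "systemassigned" not in {k.strip().lower() for k in id_type.split(",")}:
        findings.append(f"identity: system-assigned identity not enabled (type={id_type})")
    props = vault.get("properties") or {}
    # A role such as Key Vault Secrets User only applies when the vault uses
    # the Azure RBAC permission model rather than access policies.
    if not props.get("enableRbacAuthorization"):
        findings.append("rbac: vault uses access policies, role assignment not honoured")
    # A default action of Deny means the vault firewall restricts callers.
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction") == "Deny":
        findings.append(f"firewall: vault default action is Deny (bypass={acls.get('bypass')})")
    if secret_value is not None and len(secret_value) > NAMED_VALUE_LIMIT:
        findings.append(f"size: value length {len(secret_value)} exceeds {NAMED_VALUE_LIMIT}")
    return findings

# Constructed sample documents in the shape of `az apim show` / `az keyvault show`.
SAMPLE_APIM = json.loads('{"name": "apim-example", "identity": null}')
SAMPLE_VAULT = json.loads("""{"name": "kv-example", "properties": {
  "enableRbacAuthorization": true,
  "networkAcls": {"defaultAction": "Deny", "bypass": "None"}}}""")

if __name__ == "__main__":
    for finding in triage(SAMPLE_APIM, SAMPLE_VAULT, "x" * 5000):
        print(finding)
```

An empty list means none of these causes is visible in the JSON, which leaves the disable and re-enable step from the answer as the next thing to try.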
