Managed Identity: Reading Key Vault secrets from Azure API Management without passwords
There is a growing need in Azure implementations to read Key Vault secrets from Azure API Management (APIM). This can be accomplished in a few ways. Earlier implementations often introduced a Function App whose only job was to read the secrets from Key Vault and hand them to APIM, which adds another component to secure and operate.
There are now two handy ways to read Key Vault secrets from APIM without storing any credentials:
- Use a named value that is backed by a Key Vault secret, fetched with APIM's system-assigned identity
- Use APIM policies (send-request) to read the Key Vault secret at request time using the system-assigned identity
For either approach, APIM's system-assigned managed identity must first be enabled and then granted access to the Key Vault. Grant only what is needed: reading secrets requires no key or certificate permissions.
If the Key Vault uses the access-policy permission model, create an access policy for APIM's system-assigned identity with the Get permission on secrets (List is also needed if you want APIM to show the secrets when picking one for a named value).
If the Key Vault uses the RBAC permission model, assign the built-in Key Vault Secrets User role to APIM's system-assigned identity, scoped to the vault (or, for tighter scope, to the individual secret). Note that the Key Vault Reader role only grants access to metadata and is not sufficient to read secret values.
At the time of writing these features did not appear to support user-assigned identities; only the system-assigned identity could be used.
Named value
Named values are a handy way to parameterize the policies used by your APIs. If the value is sensitive, a named value can be declared as a secret so that it is masked in the portal and in exports. To go one step further, the value need not be stored in APIM at all: a named value can be configured to read its value from a Key Vault secret using APIM's system-assigned identity.
Once it is configured, APIM fetches the secret from Key Vault and makes it available to the policies. If the named value shows an error (for example because the identity lacks access), fix the access and use the fetch-secret action on the named value so that it is read again.
A named value is referenced inside policies with the syntax: {{namedValue}}
Use Policies
A named value is bound to one specific secret. If the requirement is to decide at request time which secret to use (for example depending on the caller or on a parameter), named values are not suitable, and the secret has to be retrieved from Key Vault dynamically inside the policy.
The send-request policy can be used to call the Key Vault REST API, with the authentication-managed-identity policy supplying a token for the system-assigned identity. Note that this means every request that runs this policy calls Key Vault, so keep Key Vault's request limits in mind.
<!-- Assumes a variable "secretName" has been set earlier in the inbound section,
     e.g. with set-variable, and that <kvName> is replaced with your Key Vault name -->
<send-request mode="new" response-variable-name="sampleSecretResponse" timeout="20" ignore-error="false">
    <set-url>@("https://<kvName>.vault.azure.net/secrets/" + context.Variables["secretName"] + "?api-version=7.0")</set-url>
    <set-method>GET</set-method>
    <!-- Token for APIM's system-assigned identity, audience is the Key Vault service -->
    <authentication-managed-identity resource="https://vault.azure.net" />
</send-request>
The response is then read, and the secret value is extracted from the JSON body into a variable that can be used in the rest of the policy. Be aware that ignore-error="false" only raises an error when the request itself fails (for example a timeout); a 401, 403 or 404 from Key Vault still comes back as a normal response, so check the status code before parsing the body, otherwise the SelectToken call below returns null and the policy continues with an empty secret.
<set-variable name="secretValue" value="@{
    // Key Vault returns the secret as JSON; the secret itself is in the "value" property
    JObject secret = ((IResponse)context.Variables["sampleSecretResponse"]).Body.As<JObject>();
    return (string)secret.SelectToken("value");
}" />
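The following is a complete inbound policy that puts the pieces above together; it is an added example and not code from the original post. It assumes a plain (non-secret) named value kvName holding the Key Vault name, a caller-supplied X-Secret-Name header that selects the secret, and a backend that expects the secret in an X-Backend-Api-Key header (all of these names are assumptions for the example). Because the managed identity can read every secret it has been granted, the policy restricts the caller to an allowlist of secret names and checks Key Vault's status code before using the response, so a failure never leaks Key Vault's error body or forwards an empty key to the backend.

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example. Assumed names: named value {{kvName}}, header X-Secret-Name,
             backend header X-Backend-Api-Key. Requires the APIM system-assigned identity
             to have Get permission on secrets (or the Key Vault Secrets User role). -->
        <set-variable name="secretName" value="@(context.Request.Headers.GetValueOrDefault("X-Secret-Name", ""))" />
        <choose>
            <!-- Allowlist: the identity may be able to read more secrets than the caller should reach -->
            <when condition="@(!new [] { "backend-api-key", "backend-client-secret" }.Contains((string)context.Variables["secretName"]))">
                <return-response>
                    <set-status code="400" reason="Bad Request" />
                    <set-body>Unknown secret name</set-body>
                </return-response>
            </when>
        </choose>
        <!-- Call the Key Vault REST API with a token for the system-assigned identity.
             The named value is substituted into the URL before the expression is evaluated. -->
        <send-request mode="new" response-variable-name="secretResponse" timeout="20" ignore-error="false">
            <set-url>@("https://{{kvName}}.vault.azure.net/secrets/" + context.Variables["secretName"] + "?api-version=7.0")</set-url>
            <set-method>GET</set-method>
            <authentication-managed-identity resource="https://vault.azure.net" />
        </send-request>
        <choose>
            <!-- 401/403/404 from Key Vault are returned as responses, not errors: check before parsing -->
            <when condition="@(((IResponse)context.Variables["secretResponse"]).StatusCode != 200)">
                <return-response>
                    <set-status code="502" reason="Bad Gateway" />
                    <set-body>Unable to retrieve backend credential</set-body>
                </return-response>
            </when>
        </choose>
        <set-variable name="secretValue" value="@{
            JObject secret = ((IResponse)context.Variables["secretResponse"]).Body.As<JObject>();
            return (string)secret.SelectToken("value");
        }" />
        <!-- The secret is only ever sent to the backend; the caller never sees it -->
        <set-header name="X-Backend-Api-Key" exists-action="override">
            <value>@((string)context.Variables["secretValue"])</value>
        </set-header>
        <!-- Do not pass the selector header on to the backend -->
        <set-header name="X-Secret-Name" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

If the API receives significant traffic, consider storing the fetched value with cache-store-value (and reading it back with cache-lookup-value) for a short duration so that Key Vault is not called on every request and its throttling limits are not hit; keep the duration short so that rotated secrets are picked up quickly.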
Conclusion:
Using either of the methods above, Key Vault secrets can be read directly from API Management without an intermediate backend such as a Function App. Thanks to the managed identity, no credentials need to be created, stored or rotated in APIM: access is controlled entirely by the permissions granted to the identity in Key Vault.