Recycle APIM Subscription Keys
One task you may need to perform in API Management is recycling the keys for a user's subscription to a product.
I would like to recycle the key and then update a Key Vault secret with the key value so it can be accessed when required.
Below is the PowerShell call to the function I created to do this. I supply the product ID, the user ID and the name of the Key Vault secret.
RefreshAPIMSubscriptionKeys -productId "My-APIM-Product" -userId "My-APIM-User" -secretName "My-KeyVault-Secret"
The full script to do this is below.
#Add APIM Subscription Keys to Key Vault
#Description:
#Currently the Terraform provider for APIM subscription does not give you access to the primary key of the subscription. Instead
#we will use PowerShell to load the keys from APIM into Key Vault using the function below.
#Note this will recycle the keys we use internally and which are expected to be looked up at runtime
Import-Module Az.ApiManagement
Import-Module Az.KeyVault
#System.Web provides Membership.GeneratePassword; it is only available on .NET Framework (Windows PowerShell)
Add-Type -AssemblyName System.Web
#Set these to your own resource names (placeholder values)
$myResourceGroupName = 'My Resource Group'
$myApimServiceName = 'My APIM'
$myKeyVaultName = 'My Key Vault'
function RefreshAPIMSubscriptionKeys([string] $productId, [string] $userId, [string] $secretName)
{
    $apimContext = New-AzApiManagementContext -ResourceGroupName $myResourceGroupName -ServiceName $myApimServiceName -ErrorAction Stop
    $subscription = Get-AzApiManagementSubscription -Context $apimContext -ProductId $productId -UserId $userId -ErrorAction Stop
    $subscriptionId = $subscription.SubscriptionId
    #Print identifying fields only; the full object can include the key values
    Write-Host ($subscription | Select-Object SubscriptionId, Name, State | Format-List | Out-String)
    Write-Host "Subscription Id: " $subscription.SubscriptionId
    Write-Host "Subscription Name: " $subscription.Name
    #If troubleshooting uncomment the below lines to see key values
    #Write-Host "Existing Primary Key: " $subscription.PrimaryKey
    #Write-Host "Existing Secondary Key: " $subscription.SecondaryKey
    #Generate new Password
    $newPrimaryKey = [System.Web.Security.Membership]::GeneratePassword(32,12)
    $newSecondaryKey = [System.Web.Security.Membership]::GeneratePassword(32,12)
    #If troubleshooting uncomment the below lines to see key values
    #Write-Host 'New Primary Key: ' $newPrimaryKey
    #Write-Host 'New Secondary Key: ' $newSecondaryKey
    #Update APIM to change Subscription Keys; stop here on failure so Key Vault is not updated with a key APIM never accepted
    Set-AzApiManagementSubscription -Context $apimContext -SubscriptionId $subscriptionId -PrimaryKey $newPrimaryKey -SecondaryKey $newSecondaryKey -ErrorAction Stop
    Write-Host 'Subscription: ' $subscription.SubscriptionId ' has been updated'
    #Update Key Vault to add primary key to KV
    #Use the newly generated key; $subscription was read before the update and still holds the old value
    $secureStringKey = ConvertTo-SecureString -String $newPrimaryKey -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $myKeyVaultName -Name $secretName -SecretValue $secureStringKey -ErrorAction Stop
    Write-Host 'Key Vault:' $myKeyVaultName 'has had secret' $secretName 'updated'
}
RefreshAPIMSubscriptionKeys -productId "My-APIM-Product" -userId "My-APIM-User" -secretName "My-KeyVault-Secret"
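A check to run after the rotation, as an added example that is not part of the original article: it confirms that the Key Vault secret holds a key APIM currently accepts for the subscription, without printing any key value. The function name Test-ApimKeyInKeyVault is hypothetical, and the code assumes Az module versions that provide Get-AzApiManagementSubscriptionKey and Get-AzKeyVaultSecret -AsPlainText.

```powershell
# Added example (not from the original article). Test-ApimKeyInKeyVault is a hypothetical name.
# Assumes Az.ApiManagement provides Get-AzApiManagementSubscriptionKey and
# that Get-AzKeyVaultSecret in Az.KeyVault supports -AsPlainText.
Import-Module Az.ApiManagement
Import-Module Az.KeyVault

function Test-ApimKeyInKeyVault {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $ProductId,
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [string] $SecretName
    )

    $ctx = New-AzApiManagementContext -ResourceGroupName $ResourceGroupName -ServiceName $ServiceName -ErrorAction Stop

    # Same lookup the rotation script uses; refuse to guess if it is ambiguous
    $subs = @(Get-AzApiManagementSubscription -Context $ctx -ProductId $ProductId -UserId $UserId -ErrorAction Stop)
    if ($subs.Count -ne 1) {
        throw "Expected exactly one subscription for product '$ProductId' and user '$UserId', found $($subs.Count)"
    }
    $subscriptionId = $subs[0].SubscriptionId

    # Keys APIM accepts right now, read fresh from the service
    $live = Get-AzApiManagementSubscriptionKey -Context $ctx -SubscriptionId $subscriptionId -ErrorAction Stop

    # Value that consumers will read at runtime
    $stored = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText -ErrorAction Stop
    if ([string]::IsNullOrEmpty($stored)) {
        throw "Secret '$SecretName' was not found in vault '$VaultName' or is empty"
    }

    # Case-sensitive comparison; only the outcome is returned, never a key value
    $matched = 'None'
    if ($stored -ceq $live.PrimaryKey) { $matched = 'Primary' }
    elseif ($stored -ceq $live.SecondaryKey) { $matched = 'Secondary' }

    [pscustomobject]@{
        SubscriptionId = $subscriptionId
        SecretName     = $SecretName
        MatchesKey     = $matched
        InSync         = ($matched -eq 'Primary')   # the article stores the primary key
    }
}

$check = Test-ApimKeyInKeyVault -ResourceGroupName 'My Resource Group' -ServiceName 'My APIM' -VaultName 'My Key Vault' `
    -ProductId 'My-APIM-Product' -UserId 'My-APIM-User' -SecretName 'My-KeyVault-Secret'
if (-not $check.InSync) { throw "Key Vault secret does not hold the current primary key (matches: $($check.MatchesKey))" }
```

A result of 'None' means consumers reading the secret will be rejected by APIM, which is what happens when a key read before the update is written to Key Vault.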