Recycle APIM Subscription Keys
One of the tasks you might want to do with API Management is to recycle a key. This would be for a user's subscription to a product.
I would like to recycle the key and then update a Key Vault secret with the key value so it can be accessed when required.
Below is the PowerShell call to the function I created to do this. You can see I am supplying the product id, user id and the name of the Key Vault secret.
RefreshAPIMSubscriptionKeys -productId "My-APIM-Product" -userId "My-APIM-User" -secretName "My-KeyVault-Secret"
The full script to do this is below.
#Add APIM Subscription Keys to Key Vault
#Description:
#Currently the terraform provider for APIM subscription does not give you access to the primary key of the subscription. Instead
#we will use powershell to load the keys from APIM into Key Vault using the function below.
#Note this will recycle the keys we use internally and which are expected to be looked up at runtime
Import-Module Az.ApiManagement
Import-Module Az.KeyVault
#System.Web is not loaded by default and GeneratePassword needs it (Windows PowerShell / .NET Framework only)
Add-Type -AssemblyName System.Web

#Resource names (set these for your environment)
$myResourceGroupName = 'My Resource Group'
$myApimServiceName = 'My APIM'
$myKeyVaultName = 'My Key Vault'

function RefreshAPIMSubscriptionKeys([string] $productId, [string] $userId, [string] $secretName)
{
    $apimContext = New-AzApiManagementContext -ResourceGroupName $myResourceGroupName -ServiceName $myApimServiceName -ErrorAction Stop
    $subscription = Get-AzApiManagementSubscription -Context $apimContext -ProductId $productId -UserId $userId -ErrorAction Stop
    $subscriptionId = $subscription.SubscriptionId

    #Show the subscription details without writing the key values to the log
    Write-Host ($subscription | Select-Object -Property * -ExcludeProperty PrimaryKey, SecondaryKey | Format-List | Out-String)
    Write-Host "Subscription Id: " $subscription.SubscriptionId
    Write-Host "Subscription Name: " $subscription.Name
    #If troubleshooting uncomment the below lines to see key values
    #Write-Host "Existing Primary Key: " $subscription.PrimaryKey
    #Write-Host "Existing Secondary Key: " $subscription.SecondaryKey

    #Generate new Password
    $newPrimaryKey = [System.Web.Security.Membership]::GeneratePassword(32,12)
    $newSecondaryKey = [System.Web.Security.Membership]::GeneratePassword(32,12)
    #If troubleshooting uncomment the below lines to see key values
    #Write-Host 'New Primary Key: ' $newPrimaryKey
    #Write-Host 'New Secondary Key: ' $newSecondaryKey

    #Update APIM to change Subscription Keys (stop on failure so Key Vault is not updated with a key APIM never accepted)
    Set-AzApiManagementSubscription -Context $apimContext -SubscriptionId $subscriptionId -PrimaryKey $newPrimaryKey -SecondaryKey $newSecondaryKey -ErrorAction Stop
    Write-Host 'Subscription: ' $subscription.SubscriptionId ' has been updated'

    #Update Key Vault to add primary key to KV
    #$subscription was read before the update, so store the new key value rather than $subscription.PrimaryKey
    $secureStringKey = ConvertTo-SecureString -String $newPrimaryKey -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $myKeyVaultName -Name $secretName -SecretValue $secureStringKey -ErrorAction Stop
    Write-Host 'Key Vault:' $myKeyVaultName 'has had secret' $secretName 'updated'
}

RefreshAPIMSubscriptionKeys -productId "My-APIM-Product" -userId "My-APIM-User" -secretName "My-KeyVault-Secret"
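
A post-rotation check, added here as an example and not part of the original script: it reads the keys back from APIM and reports whether the Key Vault secret matches the primary key, the secondary key, or neither, without printing any key value. The function names New-RandomKey and Get-VaultKeyStatus are hypothetical; the example assumes an Az.ApiManagement version that provides Get-AzApiManagementSubscriptionKey and an Az.KeyVault version whose Get-AzKeyVaultSecret supports -AsPlainText.

```powershell
# Added example (not the article's code). Resource names reuse the article's placeholders.
Import-Module Az.ApiManagement
Import-Module Az.KeyVault

# Hypothetical helper: a key from the OS CSPRNG, rendered as hex.
# Unlike System.Web.Security.Membership it also works on PowerShell 7 (.NET Core).
function New-RandomKey([int] $byteCount = 32)
{
    $bytes = New-Object byte[] $byteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

# Hypothetical helper: returns 'Primary', 'Secondary' or 'None' depending on which
# APIM subscription key the Key Vault secret currently holds.
function Get-VaultKeyStatus($apimContext, [string] $subscriptionId, [string] $vaultName, [string] $secretName)
{
    $apimKeys = Get-AzApiManagementSubscriptionKey -Context $apimContext -SubscriptionId $subscriptionId -ErrorAction Stop
    $vaultValue = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText -ErrorAction Stop

    # A missing or empty secret can never be in sync
    if ([string]::IsNullOrEmpty($vaultValue)) { return 'None' }

    # -ceq is the case-sensitive comparison; the key values are never written out
    if ($vaultValue -ceq $apimKeys.PrimaryKey)   { return 'Primary' }
    if ($vaultValue -ceq $apimKeys.SecondaryKey) { return 'Secondary' }
    return 'None'
}

# Run after the rotation has completed
$ctx = New-AzApiManagementContext -ResourceGroupName 'My Resource Group' -ServiceName 'My APIM' -ErrorAction Stop
$sub = Get-AzApiManagementSubscription -Context $ctx -ProductId 'My-APIM-Product' -UserId 'My-APIM-User' -ErrorAction Stop

$status = Get-VaultKeyStatus -apimContext $ctx -subscriptionId $sub.SubscriptionId `
    -vaultName 'My Key Vault' -secretName 'My-KeyVault-Secret'

if ($status -ne 'Primary')
{
    # 'Secondary' still authenticates; 'None' means callers reading the secret will be rejected
    throw "Key Vault secret does not hold the current primary key (status: $status)"
}
Write-Host 'Key Vault secret matches the APIM primary key'
```

New-RandomKey can replace the two GeneratePassword calls when the script has to run outside Windows PowerShell.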