Refresh APIM Subscription Keys and Update them in Key Vault
  • 15 Jan 2020

I have a scenario whereby a Logic App consumes an API from Azure APIM. When I make a change to the API, or periodically, I want to be able to cycle the APIM subscription keys and have the Logic App pick up the new key with as little hassle as possible.

To achieve this, my Logic App will get the key from a secret in Key Vault and then use it when calling the API. To change the subscription key in APIM and then update Key Vault I can use some PowerShell. The following Az commands help me:

  • Get-AzApiManagementSubscription - Will let me get the subscription based on the product and user
  • Set-AzApiManagementSubscription - Will let me update the key
  • Set-AzKeyVaultSecret - Will let me update the secret in Key Vault

In the PowerShell sample below I have written a function which refreshes APIM and Key Vault. I can then call it for each of the subscriptions I want to change using the snippet:

RefreshAPIMSubscriptionKeys -productId "my-product" -userId "my-user" -secretName "mySecretName"

The full script is here:

$myResourceGroupName = "[My Resource Group]"
$myApimServiceName = "[My APIM Instance]"
$myKeyVaultName = "[My Key Vault]"

function RefreshAPIMSubscriptionKeys([string] $productId, [string] $userId, [string] $secretName)
{
    #Get the APIM Context
    $apimContext = New-AzApiManagementContext -ResourceGroupName $myResourceGroupName -ServiceName $myApimServiceName -ErrorAction Stop
    
    #Get the subscription from APIM
    $subscription = Get-AzApiManagementSubscription -Context $apimContext -ProductId $productId -UserId $userId -ErrorAction Stop
    
    #Create New Keys
    $newPrimaryKey = (New-Guid) -replace '-',''
    $newSecondaryKey = (New-Guid) -replace '-',''

    #Update APIM to change the keys on the subscription
    Set-AzApiManagementSubscription -Context $apimContext -SubscriptionId $subscription.SubscriptionId -PrimaryKey $newPrimaryKey -SecondaryKey $newSecondaryKey -State Active -ErrorAction Stop

    #Update Key Vault Secret
    $secureStringKey = ConvertTo-SecureString -String $newPrimaryKey -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $myKeyVaultName -Name $secretName -SecretValue $secureStringKey -ErrorAction Stop
}

#Add General Logic App Subscription Key
RefreshAPIMSubscriptionKeys -productId "my-product" -userId "my-user" -secretName "mySecretName"

Using it in Azure DevOps

Next I want to add this to an Azure DevOps pipeline. This will allow me to run the script using the Azure CLI task and connect to Azure with the Service Principal. It will then read the parameters required from the pipeline variables and it will change the keys as part of my build and deploy process around changes to APIM.

#Read Variables from Environment Variables
$myResourceGroupName = $env:myResourceGroupName
$myApimServiceName = $env:myApimName
$myKeyVaultName = $env:keyVaultName

function RefreshAPIMSubscriptionKeys([string] $productId, [string] $userId, [string] $secretName)
{
    #Get the APIM Context
    $apimContext = New-AzApiManagementContext -ResourceGroupName $myResourceGroupName -ServiceName $myApimServiceName -ErrorAction Stop
    
    #Get the subscription from APIM
    $subscription = Get-AzApiManagementSubscription -Context $apimContext -ProductId $productId -UserId $userId -ErrorAction Stop
    
    #Create New Keys
    $newPrimaryKey = (New-Guid) -replace '-',''
    $newSecondaryKey = (New-Guid) -replace '-',''

    #Update APIM to change the keys on the subscription
    Set-AzApiManagementSubscription -Context $apimContext -SubscriptionId $subscription.SubscriptionId -PrimaryKey $newPrimaryKey -SecondaryKey $newSecondaryKey -State Active -ErrorAction Stop

    #Update Key Vault Secret
    $secureStringKey = ConvertTo-SecureString -String $newPrimaryKey -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $myKeyVaultName -Name $secretName -SecretValue $secureStringKey -ErrorAction Stop
}

#Add General Logic App Subscription Key
RefreshAPIMSubscriptionKeys -productId "my-product" -userId "my-user" -secretName "mySecretName"
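
The script above replaces both keys in APIM before Key Vault is updated, so a call made with the old key between those two steps is rejected. The following staged variant is an added example, not part of the original script: it replaces only the key slot that Key Vault is not currently pointing at, publishes it, and retires the old key only on request, drawing keys from a cryptographic random number generator rather than a GUID. The function names, the `-RetireOldKey` switch and the `apimKeySlot` tag are hypothetical, and the example assumes that `Set-AzApiManagementSubscription` leaves a key unchanged when its parameter is omitted.

```powershell
# Added example, not the article's script. Assumes $myResourceGroupName, $myApimServiceName
# and $myKeyVaultName are set as above. 'apimKeySlot' and both function names are hypothetical.
function New-RandomKey([int] $byteCount = 32)
{
    #Hex-encode bytes from the OS CSPRNG (32 bytes = 64 hex characters)
    $bytes = New-Object byte[] $byteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function RotateAPIMSubscriptionKeyStaged([string] $productId, [string] $userId, [string] $secretName, [switch] $RetireOldKey)
{
    $apimContext = New-AzApiManagementContext -ResourceGroupName $myResourceGroupName -ServiceName $myApimServiceName -ErrorAction Stop

    #Refuse to guess when the product/user filter matches zero or several subscriptions
    $found = @(Get-AzApiManagementSubscription -Context $apimContext -ProductId $productId -UserId $userId -ErrorAction Stop)
    if ($found.Count -ne 1) { throw "Expected 1 subscription for $productId/$userId, found $($found.Count)" }
    $subscriptionId = $found[0].SubscriptionId

    #Work out which slot Key Vault points at; no tag means the original script wrote the primary key
    $current = Get-AzKeyVaultSecret -VaultName $myKeyVaultName -Name $secretName -ErrorAction Stop
    $currentSlot = 'Primary'
    if ($current -and $current.Tags -and $current.Tags['apimKeySlot'] -eq 'Secondary') { $currentSlot = 'Secondary' }
    $targetSlot = if ($currentSlot -eq 'Primary') { 'Secondary' } else { 'Primary' }

    #Step 1: replace only the slot that callers are not using (splats -PrimaryKey or -SecondaryKey)
    $newKey = New-RandomKey
    $target = @{ "${targetSlot}Key" = $newKey }
    Set-AzApiManagementSubscription -Context $apimContext -SubscriptionId $subscriptionId @target -ErrorAction Stop

    #Step 2: publish the new key and record which slot it occupies
    $secure = ConvertTo-SecureString -String $newKey -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $myKeyVaultName -Name $secretName -SecretValue $secure -Tag @{ apimKeySlot = $targetSlot } -ErrorAction Stop | Out-Null

    #Step 3 (optional): invalidate the old key once Key Vault serves the new one
    if ($RetireOldKey)
    {
        $old = @{ "${currentSlot}Key" = (New-RandomKey) }
        Set-AzApiManagementSubscription -Context $apimContext -SubscriptionId $subscriptionId @old -ErrorAction Stop
    }
}

RotateAPIMSubscriptionKeyStaged -productId "my-product" -userId "my-user" -secretName "mySecretName"
```

Without `-RetireOldKey` the previous key stays valid until the next rotation overwrites its slot, which covers Logic App runs that had already read the old secret.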

Hopefully this gives you a great approach to manage changing the keys and making those changes available to your Logic Apps.

