Loading, please wait...

A to Z Full Forms and Acronyms

What is Azure API Management - How to do Subscription Key rotation

Mar 17, 2022 Azure API Management, 17002 Views
Azure API Management - Subscription Key rotation

Azure API Management — Subscription Keys Rotation

Recently I have been dealing with one of the Security restrictions for Azure API Management where the requirement was to set Subscriptions keys to be rotated every 30days. From Azure Portal→ opening API Management and then clicking on the regenerate option is not feasible on a real-time basis as Azure Admins have to mark their calendar and sometimes if the change day is coming during the weekend then someone may forget. In Order to deal with this situation, it is always recommended to Automate using Automation Accounts.

How do we rotate the keys?

Lets first get the list of API Management Gateways which are available in your subscription or with your profile.

$ApiManagements = Get-AzApiManagement

Once you log in let's set the Context for the API Management where you are going to work (In case you have many API Management instances). However, in my case, I just have only 1 API Management instance.

$ApiManagementContext = New-AzApiManagementContext -ResourceId $ApiManagements.Id

Once you login to API Management we need to list all available Subscriptions and Products.

  • Get the list of Subscriptions/Products which are bind with API Management.
$ApiManagementSubscriptions = Get-AzApiManagementSubscription -Context $ApiManagementContext

$ApiManagementSubscriptions | Format-Table -Property ProductId, Scope, ResourceGroupName, PrimaryKey

  • If you just want to list all Primary Keys
$ApiManagementSubscriptions = Get-AzApiManagementSubscription -Context $ApiManagementContext | select primarykey -ExpandProperty primarykey

Now, let's start with our Automated Key rotation If someone wants to regenerate keys. Open your Azure API Management → Go to Subscriptions →Select specific key → click on ellipses … → It will open a new window. → then click on “Regenerate Primary Key”.

However our main Problem statement is when you are working in a secure environment, sometimes we cant track and we tend to forget to regenerate the keys at specified times. So how do I deal with this scenario?

 

  1. the first approach is to regenerate keys using PowerShell script, If you want to Regenerate Key only for a specific Product then please execute the below script.

         Below is the sample PowerShell script which will regenerate your associated Subscription/Product/Scope keys.

# Get API Management Services information

$ApiManagements = Get-AzApiManagement

foreach ($ApiManagement in $ApiManagements)
{
 #Setting Up Azure API Management Context to work. 
 $ApiManagementContext = New-AzApiManagementContext -ResourceId $ApiManagement.Id

# Get all API Management Subscriptions with specific ProductID
 $ApiManagementSubscriptions = Get-AzApiManagementSubscription -Context $ApiManagementContext -ProductId “unlimited”
 foreach ($ApiManagementSubscription in $ApiManagementSubscriptions)
 {
 # Regenerating Primary Key
 $PrimaryKey = (New-Guid) -replace ‘-’,’’
 
 #In Order to set a new value 
 $newvalue = Set-AzApiManagementSubscription -Context $ApiManagementContext -SubscriptionId $ApiManagementSubscription.SubscriptionId -PrimaryKey $PrimaryKey -State Active 
 $updatedvalue = Get-AzApiManagementSubscription -Context $ApiManagementContext -ProductId “unlimited” | select primarykey -ExpandProperty primarykey
 $updatedvalue
 }
}