Integration with Azure KeyVault

Currently, we store sensitive information in API Portal - Properties and use them as {{key}}

Provide integration of Azure KeyVault so that sensitive information can be stored in Azure KeyVault and allow using it inside API methods or policies like {{vault:key}}

By this feature, we will be able to centralize all the keys in the Azure KeyVault and use Properties only for non-sensitive information.

440 votes

Vote

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

You have left! (?) (thinking…)

Puneet Ghanshani shared this idea · October 10, 2016 · Flag idea as inappropriate… · Admin →

planned · November 28, 2018

Show previous admin responses (2)

12 comments

Add a comment…

Attach a File

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

Galin Iliev commented · January 13, 2020 10:53 · Flag as inappropriate

While we are working on a less laborious solution here is an example of how can be achieved with policy

https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Look%20up%20Key%20Vault%20secret%20using%20Managed%20Service%20Identity.policy.xml

Submitting...
Apurv Chandra commented · September 19, 2019 04:08 · Flag as inappropriate

Key vault being the standard solution for certificates and sensitive information, anywhere these are required the capability should be there to pull it directly.

See it as planned, when is the this being released?

Submitting...
Chad commented · July 09, 2019 23:52 · Flag as inappropriate

An important item to track here would be to support the KeyVault Sign operation for HSM backed Certificates used for backend mutual authentication (AKA Private Key Non Exportable + RSA-HSM ). This would important so Backend gateway "client cert" credentials can be used for mutual authentication in FIPS compliant fashion with the native KeyVault integration.

Submitting...
Jeroen de Sitter commented · June 26, 2019 05:45 · Flag as inappropriate

I want to be able to create a named value and store a secret that cannot be retreived by anyone. Right now these named values can be read by anyone in the portal. We want to make them completely invisible after they are filled out.

Submitting...
Gert Vloo commented · February 11, 2019 12:24 · Flag as inappropriate

Is there some update on this request?
I would like to link a property to a key-vault, like how it is done in api-apps with the settings. That way the use of properties in policies stays the same and the costs of querying the key-vault are reduced.

Example: @Microsoft.KeyVault(SecretUri=https://KEYVAULTNAME.vault.azure.net/secrets/VERYSECREDPASSWORD)

Submitting...
Kris Akins commented · August 11, 2018 18:35 · Flag as inappropriate

Support for certificates is good, but will there general support for key vault secrets, such as JWT signing keys?

Submitting...
Jorge Cruz commented · April 11, 2018 12:31 · Flag as inappropriate

Include the ability to retrieve Secrets from key vault and leverage them within Azure APIM Policy

Submitting...
Anonymous commented · July 13, 2017 14:34 · Flag as inappropriate

include ARM template integration, it's a nightmare now having to do base64 encoding and pass files -- would be better to pass a keyvault URI or resource reference

Submitting...
Laurent Lesle commented · July 11, 2017 13:32 · Flag as inappropriate

+ key rotation

Submitting...
Alec Massey commented · March 07, 2017 06:29 · Flag as inappropriate

This is a definite must for Azure - AWS already offer this kind of integration

Submitting...
Dan Byrne commented · February 15, 2017 15:53 · Flag as inappropriate

We also request to have the API Management Subscription Keys stored in KeyVault for security purposes

Submitting...
Erik Oppedijk commented · January 27, 2017 01:21 · Flag as inappropriate

And please add a way to connect to different keyvaults, when using multiple tenants (dev/test/prod)

Submitting...