Reader roles should not be able to see subscription keys
Currently, users assigned the "Reader" or "Monitoring Reader" role are able to reveal subscription keys in the API Management portal. As is the case with other Azure products, secrets should not be accessible to members of these roles.
We will introduce a new version of the management API that would “hide” secrets from “reader” users. We will also introduce an explicit gesture to disable older versions of the API on a per API Management service instance basis.
Sander Knijn commented
I suggest Microsoft creates a new role 'API Management Publisher Role - Read Only' and give similar permissions as 'API Management Service Reader Role' but with a NotAction on Microsoft.ApiManagement/service/products/subscriptions/read.
It's strange these easy things are not part of the product.
Sander Knijn commented
Created a support case for this: 120061224001636.
Answer from Microsoft:
We have engaged the APIM Product Group team in order to gain some deeper insights into the reported issue.
They have provided an update that the ability to read subscription keys from products (an action which is defined as Microsoft.ApiManagement/service/products/subscriptions/read) is allowed by default for users having the 'API Management Service Reader Role'. Same is the case for navigating to the keys via APIs/Subscriptions.
As suggested in the service request verbatim, you can create a custom RBAC role and remove this action.
To answer your other query, the action Microsoft.ApiManagement/service/users/keys/read does not correspond to reading subscription keys. The two actions are completely different.
Every user has two "secrets", a primary and a secondary. These secrets are used to generate an encrypted SSO token that users can use to access the developer portal. These keys are not related to the subscription keys that users use to call the APIs. The /service/users/keys/read permission corresponds to the ability to read the user secrets, whereas the /service/products/subscriptions/read permission corresponds to reading subscription keys under products, which is allowed by default under this role.
Additionally, the Microsoft.ApiManagement/service/users/subscriptions/read permission corresponds to the ability to read subscriptions associated with users via the "Users" blade on the Portal, which is also allowed by default under this role.
So... in short, you need to create your own custom role for this and will have to maintain this manually when new features are built. A built-in group is not available.
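As an added example (not from the thread, not Microsoft's code), here is the custom-role approach the support answer describes, built in Python so the effect can be checked before anything is deployed. The built-in "API Management Service Reader Role" actions listed at the top are an assumption and should be verified with `az role definition list --name "API Management Service Reader Role"`; the subscription ID, the role name and the file name are placeholders. The evaluator reproduces how Azure RBAC matches the `*` wildcard across `/` separators, which is exactly why `service/*/read` in the built-in role covers `service/products/subscriptions/read`. Excluding `users/keys/read` as well is this example's choice, since the support answer says it returns user secrets; the thread itself only asks for the subscriptions action.

```python
"""Custom Azure RBAC role: API Management reader that cannot reveal keys.

Added example, not from the feedback thread. BUILTIN_READER_ACTIONS is an
assumed subset of the built-in "API Management Service Reader Role"; verify it
with: az role definition list --name "API Management Service Reader Role"
"""
import json
import re

# Assumed subset of the built-in reader role's Actions (verify, see above).
BUILTIN_READER_ACTIONS = [
    "Microsoft.ApiManagement/service/*/read",
    "Microsoft.ApiManagement/service/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]

# Actions that reveal secrets per the support answer. users/keys/read returns
# user secrets (SSO tokens), not subscription keys; excluding it too is this
# example's choice rather than the thread's suggestion.
SECRET_READ_ACTIONS = [
    "Microsoft.ApiManagement/service/products/subscriptions/read",
    "Microsoft.ApiManagement/service/users/subscriptions/read",
    "Microsoft.ApiManagement/service/users/keys/read",
]


def _pattern_to_regex(pattern):
    # Azure RBAC '*' matches any run of characters, including '/' separators,
    # so "service/*/read" covers "service/products/subscriptions/read".
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def action_matches(pattern, action):
    """True if an Actions/NotActions entry covers the given operation name."""
    return _pattern_to_regex(pattern).match(action) is not None


def is_allowed(role, action):
    """Evaluate one role definition: permitted when an Actions entry matches
    and no NotActions entry matches. NotActions only narrows this role; it is
    not a deny, so other role assignments can still grant the action."""
    granted = any(action_matches(p, action) for p in role["Actions"])
    excluded = any(action_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


def build_custom_role(subscription_id, name="API Management Service Reader - No Keys"):
    """Clone the built-in reader role and carve the secret-revealing
    operations out with NotActions. Name and scope are placeholders."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "API Management read access without subscription keys or user secrets.",
        "Actions": list(BUILTIN_READER_ACTIONS),
        "NotActions": list(SECRET_READ_ACTIONS),
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": ["/subscriptions/" + subscription_id],
    }


def audit(role, actions):
    """Map each action to whether the role permits it. Re-run this whenever
    the built-in role gains new actions, since the custom role must be
    maintained by hand."""
    return {a: is_allowed(role, a) for a in actions}


def role_definition_json(role):
    """Serialise in the shape `az role definition create` accepts."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    builtin = {"Actions": BUILTIN_READER_ACTIONS, "NotActions": []}
    custom = build_custom_role("00000000-0000-0000-0000-000000000000")  # placeholder
    checks = SECRET_READ_ACTIONS + ["Microsoft.ApiManagement/service/apis/read"]
    print("built-in reader:", audit(builtin, checks))
    print("custom role:    ", audit(custom, checks))
    with open("apim-reader-no-keys.json", "w") as f:  # placeholder file name
        f.write(role_definition_json(custom))
```

The written file is deployed with `az role definition create --role-definition apim-reader-no-keys.json` and assigned with `az role assignment create --role "API Management Service Reader - No Keys" --assignee <principal> --scope <API Management resource id>`. One caveat the audit output makes visible: NotActions subtracts only from this role. A principal that also holds the built-in Reader or Monitoring Reader role at the resource group or subscription level inherits `*/read` from there and can still reveal the keys, so the custom role only helps if it replaces those assignments rather than sitting beside them.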
Jeroen de Sitter commented
Any idea when you will introduce this?