What is Azure API Management - How to do Subscription Key rotation
Azure API Management — Subscription Keys Rotation
Recently I have been dealing with one of the security restrictions for Azure API Management, where the requirement was that subscription keys be rotated every 30 days. Opening API Management from the Azure Portal and clicking the regenerate option is not feasible on an ongoing basis: Azure admins have to mark their calendar, and if the change date falls on a weekend someone may forget. To deal with this situation, it is always recommended to automate the rotation using Automation Accounts.
How do we rotate the keys?
Let's first get the list of API Management gateways available in your subscription or with your profile.
$ApiManagements = Get-AzApiManagement
Once you are logged in, set the context for the API Management instance you are going to work with (in case you have many API Management instances). In my case I have only one API Management instance.
$ApiManagementContext = New-AzApiManagementContext -ResourceId $ApiManagements.Id
With the context set, we need to list all available subscriptions and products.
- Get the list of subscriptions/products that are bound to the API Management instance.
$ApiManagementSubscriptions = Get-AzApiManagementSubscription -Context $ApiManagementContext
$ApiManagementSubscriptions | Format-Table -Property ProductId, Scope, ResourceGroupName, PrimaryKey
- If you just want to list all primary keys:
$ApiManagementSubscriptions = Get-AzApiManagementSubscription -Context $ApiManagementContext | Select-Object -ExpandProperty PrimaryKey
Now let's move on to automated key rotation. To regenerate a key manually, open your Azure API Management → go to Subscriptions → select the specific subscription → click the ellipsis (…) → a new pane opens → click "Regenerate primary key".
However, our main problem statement is that in a secure environment we can't always track this, and we tend to forget to regenerate the keys at the specified times. So how do I deal with this scenario?
- The first approach is to regenerate the keys using a PowerShell script. If you want to regenerate the key only for a specific product, execute the script below.
Below is a sample PowerShell script which regenerates the keys of the subscriptions associated with a product/scope.
# Get API Management service information
$ApiManagements = Get-AzApiManagement
foreach ($ApiManagement in $ApiManagements)
{
    # Set up the Azure API Management context to work against
    $ApiManagementContext = New-AzApiManagementContext -ResourceId $ApiManagement.Id
    # Get all API Management subscriptions with a specific ProductId
    $ApiManagementSubscriptions = Get-AzApiManagementSubscription -Context $ApiManagementContext -ProductId "unlimited"
    foreach ($ApiManagementSubscription in $ApiManagementSubscriptions)
    {
        # Generate a new primary key (32 hex characters, the same shape as a portal-generated key)
        $PrimaryKey = (New-Guid) -replace '-', ''
        # Write the new value to the subscription
        $null = Set-AzApiManagementSubscription -Context $ApiManagementContext -SubscriptionId $ApiManagementSubscription.SubscriptionId -PrimaryKey $PrimaryKey -State Active
        # Read this subscription back to confirm the stored primary key
        $updatedvalue = Get-AzApiManagementSubscription -Context $ApiManagementContext -SubscriptionId $ApiManagementSubscription.SubscriptionId | Select-Object -ExpandProperty PrimaryKey
        $updatedvalue
    }
}
Looking at the new value for the specific product, Unlimited: earlier it was "e3bf7a2fa72245a78d66044aad98312f".
After running the PowerShell script we can see the new value "2f4e8e597f8c488e899744adb28f5ccd".
- If you want to regenerate the keys of all products/scopes, remove '-ProductId "unlimited"' from the Get-AzApiManagementSubscription call.
- If you want to regenerate both the primary and the secondary key, add "$SecondaryKey = (New-Guid) -replace '-',''" after the $PrimaryKey line and pass -SecondaryKey $SecondaryKey to Set-AzApiManagementSubscription.
- Now let's schedule it to run at regular intervals. For this I am going to use an Azure Automation Account.
In this case I created a new Azure Automation account using certificate-based authentication.
Finally, I copied the same PowerShell code into a Runbook with PowerShell runtime version 7.1 (Preview).
Old Key: 827958f1d39c40efac72dXXXXXXX685
New Key: 5a93dafa8e704d05b4XXXXXXXd62a
And now you can simply schedule this to regenerate the keys on a regular basis.
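As an added example (not the article's own runbook), here is a runbook body that rotates only one of the two subscription keys per run, so that a second schedule offset by half the rotation period can rotate the other and API clients that fall back to the alternate key keep working. It assumes the Automation account signs in with a system-assigned managed identity (the article uses certificate-based authentication) and that the Az.ApiManagement module is imported; the parameters and the New-ApimSubscriptionKey helper are mine.

```powershell
param(
    # Which key this schedule rotates; run a second schedule with 'Secondary'.
    [ValidateSet('Primary', 'Secondary')]
    [string] $KeyToRotate = 'Primary',
    # Optional product filter, e.g. 'unlimited'; empty rotates every subscription.
    [string] $ProductId = ''
)

# Cryptographically random 32-character hex key, the same shape as a portal-generated key
# (stronger than New-Guid, whose output is not specified to be unpredictable).
function New-ApimSubscriptionKey {
    $bytes = [byte[]]::new(16)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

# Assumption: the Automation account has a system-assigned managed identity with
# API Management Service Contributor on the APIM instances.
Connect-AzAccount -Identity | Out-Null

foreach ($apim in Get-AzApiManagement) {
    $ctx  = New-AzApiManagementContext -ResourceId $apim.Id
    $subs = if ($ProductId) { Get-AzApiManagementSubscription -Context $ctx -ProductId $ProductId }
            else            { Get-AzApiManagementSubscription -Context $ctx }

    foreach ($sub in $subs) {
        $newKey = New-ApimSubscriptionKey
        # Preserve the current state instead of forcing Active, so a suspended subscription stays suspended.
        $params = @{ Context = $ctx; SubscriptionId = $sub.SubscriptionId; State = $sub.State }
        if ($KeyToRotate -eq 'Primary') { $params.PrimaryKey = $newKey } else { $params.SecondaryKey = $newKey }
        Set-AzApiManagementSubscription @params | Out-Null

        # Verify the write, but only log a masked prefix: the runbook job stream is readable by
        # anyone who can view job history, so full keys must never be written to it.
        $after  = Get-AzApiManagementSubscription -Context $ctx -SubscriptionId $sub.SubscriptionId
        $stored = if ($KeyToRotate -eq 'Primary') { $after.PrimaryKey } else { $after.SecondaryKey }
        $status = if ($stored -eq $newKey) { 'rotated' } else { 'MISMATCH - investigate' }
        Write-Output ('{0} {1}/{2} {3}Key {4}... {5}' -f (Get-Date -Format s), $apim.Name,
            $sub.SubscriptionId, $KeyToRotate, $newKey.Substring(0, 4), $status)
    }
}
```

Schedule the runbook twice (for example every 30 days with the default, and again 15 days later with -KeyToRotate Secondary) so that each key is replaced within the 30-day window while consumers always have one valid key to switch to.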