Azure API Management — Subscription Keys Rotation

Prashanth Kumar
4 min read · Mar 17, 2022

Recently I have been dealing with one of the security restrictions for Azure API Management, where the requirement was that subscription keys be rotated every 30 days.

Opening API Management in the Azure Portal and clicking the regenerate option is not feasible as an ongoing process: Azure admins have to mark their calendars, and if the rotation day falls on a weekend someone may forget. To deal with this situation it is always recommended to automate the rotation using an Automation Account.

How do we rotate the keys?

Let's first get the list of API Management gateways available in your subscription or with your profile.

$ApiManagements = Get-AzApiManagement

Once you have logged in, set the context for the API Management instance you are going to work with (in case you have many API Management instances).

In my case I have only one API Management instance.

$ApiManagementContext = New-AzApiManagementContext -ResourceId $ApiManagements.Id

Once you have a context for the API Management instance, list all available subscriptions and products.

  • Get the list of subscriptions/products bound to the API Management instance.

$ApiManagementSubscriptions = Get-AzApiManagementSubscription -Context $ApiManagementContext

$ApiManagementSubscriptions | Format-Table -Property ProductId, Scope, ResourceGroupName, PrimaryKey

  • If you just want to list the primary keys:

$ApiManagementSubscriptions = Get-AzApiManagementSubscription -Context $ApiManagementContext | Select-Object -ExpandProperty PrimaryKey

Now let's move on to automated key rotation. To regenerate a key by hand: open your Azure API Management instance → go to Subscriptions → select the specific subscription → click the ellipsis (…) → a new window opens → click "Regenerate Primary Key".

The real problem is that in a secure environment we cannot always track this, and we tend to forget to regenerate the keys at the specified times. So how do I deal with this scenario?

  1. The first approach is to regenerate the keys with a PowerShell script. If you want to regenerate the key only for a specific product, execute the script below.

Below is a sample PowerShell script that regenerates the keys of the subscriptions associated with the given product/scope.

# Get the API Management service instances visible to the current login
$ApiManagements = Get-AzApiManagement

foreach ($ApiManagement in $ApiManagements)
{
    # Set up the Azure API Management context to work with
    $ApiManagementContext = New-AzApiManagementContext -ResourceId $ApiManagement.Id

    # Get all API Management subscriptions for a specific ProductId
    $ApiManagementSubscriptions = Get-AzApiManagementSubscription -Context $ApiManagementContext -ProductId "unlimited"
    foreach ($ApiManagementSubscription in $ApiManagementSubscriptions)
    {
        # Generate the new primary key value (a GUID with the dashes removed, 32 hex characters)
        $PrimaryKey = (New-Guid) -replace '-', ''

        # Write the new key to the subscription
        $newvalue = Set-AzApiManagementSubscription -Context $ApiManagementContext -SubscriptionId $ApiManagementSubscription.SubscriptionId -PrimaryKey $PrimaryKey -State Active

        # Read the key back to confirm it changed
        $updatedvalue = Get-AzApiManagementSubscription -Context $ApiManagementContext -ProductId "unlimited" | Select-Object -ExpandProperty PrimaryKey
        $updatedvalue
    }
}

Now look at the new value for the specific product "Unlimited". Earlier it was "e3bf7a2fa72245a78d66044aad98312f".

After running the PowerShell script we can see the new value "2f4e8e597f8c488e899744adb28f5ccd".

  • If you want to regenerate the keys for all products/scopes, modify line 11 of the script (the Get-AzApiManagementSubscription call) and remove '-ProductId "unlimited"'.
  • If you want to regenerate both the primary and the secondary key, on line 16 (after the $PrimaryKey line) add "$SecondaryKey = (New-Guid) -replace '-',''" and pass it to Set-AzApiManagementSubscription with -SecondaryKey $SecondaryKey.
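As an added example (my own code, not the author's runbook), the same rotation wrapped in a function that regenerates the primary key, the secondary key, or both for every subscription of an optional product, draws the key bytes from a cryptographic RNG instead of a GUID, and supports -WhatIf; the function and parameter names are assumptions. Rotating one key at a time lets clients that hold the other key keep working while they cut over.

```powershell
function New-ApimSubscriptionKey {
    # 16 CSPRNG bytes -> 32 lowercase hex characters, the same shape as the GUID-based keys above
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = [byte[]]::new(16)
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function Invoke-ApimSubscriptionKeyRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] $Context,                               # from New-AzApiManagementContext
        [string] $ProductId,                                           # optional filter, e.g. "unlimited"
        [ValidateSet('Primary', 'Secondary', 'Both')] [string] $Key = 'Primary'
    )
    $getParams = @{ Context = $Context }
    if ($ProductId) { $getParams['ProductId'] = $ProductId }           # omit the filter to rotate every scope

    $rotated = @()
    foreach ($sub in Get-AzApiManagementSubscription @getParams) {
        $setParams = @{ Context = $Context; SubscriptionId = $sub.SubscriptionId; State = 'Active' }
        if ($Key -in 'Primary', 'Both')   { $setParams['PrimaryKey']   = New-ApimSubscriptionKey }
        if ($Key -in 'Secondary', 'Both') { $setParams['SecondaryKey'] = New-ApimSubscriptionKey }

        # -WhatIf lists the subscriptions that would be touched without changing anything
        if ($PSCmdlet.ShouldProcess($sub.SubscriptionId, "Regenerate $Key key(s)")) {
            Set-AzApiManagementSubscription @setParams | Out-Null
            $rotated += [pscustomobject]@{
                SubscriptionId = $sub.SubscriptionId
                ProductId      = $sub.ProductId
                Key            = $Key
                RotatedAt      = (Get-Date).ToUniversalTime()
            }
        }
    }
    return $rotated
}

# Runbook usage (assumes the job is already authenticated, e.g. via the certificate or a managed identity)
$ctx = New-AzApiManagementContext -ResourceId (Get-AzApiManagement).Id
Invoke-ApimSubscriptionKeyRotation -Context $ctx -ProductId 'unlimited' -Key Primary | Format-Table
```

The function returns only which subscription was rotated and when, never the new key values, so the runbook's job output and history do not end up holding secrets.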

2. Now let's schedule it to run at regular intervals. For this I am going to use an Azure Automation Account.

In this case I created a new Azure Automation account and used certificate-based authentication.

Finally I copied the same PowerShell code into a Runbook with PowerShell runtime version 7.1 (Preview).

Old Key: 827958f1d39c40efac72dXXXXXXX685

New Key: 5a93dafa8e704d05b4XXXXXXXd62a

Now you can simply schedule this runbook to regenerate the keys on a regular basis.
