Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
36 lines (33 sloc) 2.23 KB
<!--
The policy defined in this file demonstrates how to retrieve a secret from Key Vault using Managed Identity for authentication.
This is useful when secrets or other secure data is required from Key Vault to use when calling backends or any other purpose.
This example shows how to retrieve the latest version of a secret called 'mysecret' from a Key Vault called 'msikvtest', which you should change to your own. All it does is call the Key Vault Rest API via send-request using the Managed Identity authorization method, and responds with the response of the Key Vault Rest API call using return-response.
Make sure to enable Managed Identities on your API Management instance, and add the appropriate Access Policy in Key Vault so that your API Management account's Managed Identity principal can access secrets. You can use the Azure CLI to find the name of the principal by using 'az ad sp show' and pass it the principal ID, and then use that name when configuring the Key Vault access policy.
NOTE - You should not use return secrets in your responses when running in production as this expose your secrets and introduces a security risk of credential leaking without the vault owner knowing it.
People should request access to the vault owner and consume the secrets from there instead of via a wrapping API.
However, it clearly shows how easily you can integrate with MSI and can be used for POC purposes
Maintainer: @nzthiago
-->
<policies>
<inbound>
<base />
<send-request mode="new" response-variable-name="keyvaultsecret" timeout="20" ignore-error="false">
<set-url>https://msikvtest.vault.azure.net/secrets/mysecret/?api-version=7.0</set-url>
<set-method>GET</set-method>
<authentication-managed-identity resource="https://vault.azure.net" />
</send-request>
<return-response>
<set-status code="200" reason="Done" />
<set-body>@{ return ((IResponse)context.Variables["keyvaultsecret"]).Body.As<string>(); }</set-body>
</return-response>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
You can’t perform that action at this time.