1
votes

I've created a vault in Azure and gave it access to API management (registered app in AAD). I'm trying to not store any passwords in header while making API calls, but instead get them from the keyvault. Is there a way to do this? If yes how?

Been looking for days and haven't found something

Thanks

2

2 Answers

4
votes

You need to use API Management Policy to get the job done (https://docs.microsoft.com/en-us/azure/api-management/api-management-policies).

The policy needs to be constructed to post HTTP request to Azure AD OAuth endpoint to receive access token (https://docs.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#TransformationPolicies). Using access token you just need to call to Key Vault API and retrieve the secret (https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#SendRequest). That secret will be passed along in your header (set-header)

Sample to get access token: https://docs.microsoft.com/en-us/azure/api-management/policies/use-oauth2-for-authorization?toc=api-management/toc.json

1
votes

Here is an end to end example of Azure API Management and Azure Key Vault, including how to setup authorization in Azure AD so APIM can read secrets, certificates, etc. from Key Vault.

https://github.com/kevinhillinger/azure-api-management-keyvault

The integration requires that a service principal is registered in the Azure AD tenant for the subscription that the Key Vault instance belongs to. Then we're going to authorize it to talk to key vault.

In the example provided, I am retrieving a certificate since this is the more "difficult" option.

Here is the flow for the integration of Azure Key Vault:

  1. Get a minted token (bearer) from Azure AD (make sure the scope is properly set for Key Vault)
  2. Get the response and set a variable with the token value
  3. Send a request to Key Vault with Authorization header loaded up with the token
  4. Get the certificate info
  5. Fetch the entire PFX file in base64