0
votes

I'm using the <log-to-event-hub> policy to log all requests and responses to Event Hubs. This policy requires a logger-id, which refers to the event hub where our logs will be streamed. To create this logger I referred to https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-log-event-hubs, where we send a PUT request to https://{your service}.management.azure-api.net/loggers/{new logger name}?api-version=2017-03-01 with the SharedAccessSignature token generated in the Management API section of the API Management service. Now this token is valid only for 30 days. That means the <log-to-event-hub> policy can log to this event hub only for 30 days.

Today the SharedAccessSignature expired, so all of my APIs started throwing a 500 internal server error. How can I renew this SharedAccessSignature automatically, so that when it's about to expire it automatically gets renewed with the new SharedAccessSignature?

I did not find any solution, so I deleted the event hub and created a new one with the new shared key. I will be storing all my logs in this event hub, so it should be up and running all the time. Can anyone help me with this?

1
Please ask for more details - Rahul jhawar
From the documentation: docs.microsoft.com/en-us/rest/api/apimanagement/…. You can programmatically create a token, so you may want to create some script that runs every X days to generate a new token? - Thomas
OK, but where will I put the newly generated token? I tried generating a new token from the Azure portal. But when I tried sending a PUT request to azure-api with the new token, it says the entity with the same name already exists, because the logger with that name already exists but it's expired. - Rahul jhawar
Will I always have to create a new logger with the new key? That way I always have to change the name of the logger in the event-hub policy. - Rahul jhawar
Are you doing it all manually from the portal? You probably want to create/update the logger from an ARM template? - Thomas

1 Answer

0
votes

You're mixing up tokens here. The token you generate in the "Management API" section is used to authenticate your call to create the logger. This token is only needed if you choose to make that call via our direct API (xxx.management.azure-api.net) and not via ARM. This PUT call needs to be done only once to create a logger. The credentials that are used to talk to Event Hub are passed inside the payload of that call, see "credentials" here: https://docs.microsoft.com/en-us/rest/api/apimanagement/2019-01-01/logger/createorupdate#request-body. And it's those credentials you may need to rotate. See the Event Hub docs on how to create those credentials.
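The split the answer describes, as an added example that is not part of the original thread or Microsoft's own code: it builds the ARM form of the logger Create Or Update request and shows that rotating the Event Hub credential changes only the "credentials" payload, while the logger id referenced by the policy stays the same. The subscription, resource group, service, logger and key values are constructed placeholders, and rejecting SAS-based connection strings is a choice made for this example.

```python
import json

ARM = "https://management.azure.com"
API_VERSION = "2019-01-01"  # version from the docs link in the answer


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict; values may themselves contain '='."""
    pairs = (p.split("=", 1) for p in conn.strip().split(";") if "=" in p)
    return {k.strip(): v for k, v in pairs}


def build_logger_put(sub, rg, service, logger_id, hub_name, conn):
    """Return (url, json_body) for the ARM Logger Create Or Update call."""
    fields = parse_connection_string(conn)
    # An Event Hubs connection string can carry a SAS token instead of a key;
    # that token has an expiry baked in, so this example refuses it.
    if "SharedAccessSignature" in fields:
        raise ValueError("connection string embeds an expiring SAS token")
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if not fields.get(required):
            raise ValueError("connection string is missing " + required)
    url = (f"{ARM}/subscriptions/{sub}/resourceGroups/{rg}"
           f"/providers/Microsoft.ApiManagement/service/{service}"
           f"/loggers/{logger_id}?api-version={API_VERSION}")
    body = {"properties": {
        "loggerType": "azureEventHub",
        "description": "Event Hub logger for log-to-event-hub",
        # These are the Event Hub credentials the answer says to rotate.
        "credentials": {"name": hub_name, "connectionString": conn},
    }}
    return url, json.dumps(body)


# Constructed sample values; load real secrets from a vault, never from source.
TARGET = ("00000000-0000-0000-0000-000000000000", "example-rg",
          "example-apim", "example-logger", "example-hub")
BASE = "Endpoint=sb://example-ns.servicebus.windows.net/;SharedAccessKeyName=apim-send;"
OLD_CONN = BASE + "SharedAccessKey=T0xELUNPTlNUUlVDVEVE="
NEW_CONN = BASE + "SharedAccessKey=TkVXLUNPTlNUUlVDVEVE="

if __name__ == "__main__":
    # Rotation: same PUT target, new credentials in the body.
    for conn in (OLD_CONN, NEW_CONN):
        url, body = build_logger_put(*TARGET, conn)
        print("PUT", url)
        print(body)
```

The request itself is sent with an Azure AD bearer token in the Authorization header when it goes through ARM, which is a separate credential from anything inside the body.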