APIM connection to KeyVault via SystemAssigned Managed Identity fails

Question

I'm using the following setup described here. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-properties?WT.mc_id=Portal-fx&tabs=azure-cli

I setup APIM with a system managed identity, then go to KV, grant Key Vault Secrets and Certificate Management to the APIM identity, but when I try to crate custom domain and certificates via terraform to APIM I got the following error:

Error: creating/updating Custom Domain: xxx performing CreateOrUpdate: xx unexpected status 400 with error: InvalidOperation: Failed to access KeyVault Secret xxx using Managed Service Identity (http://aka.ms/apimmsi) of Api Management service. Check if Managed Identity of Type: SystemAssigned, ClientId: xxx and ObjectId: xxx has GET permissions on secrets in the KeyVault Access Policies.

Answer 1

I tired to provision APIM connection to KeyVault via SystemAssigned Managed Identity using terraform and i was able to provision the requirement successfully.

Here you're trying to set up Azure API Management (APIM) with a system managed identity and then use this identity to access secrets in Azure Key Vault for the purpose of configuring a custom domain and certificates via Terraform. The error you're encountering indicates a permissions issue with the Managed Service Identity (MSI) accessing the Key Vault.

The error message you're receiving suggests that the Managed Service Identity associated with your Azure API Management service does not have the required permissions to access secrets in the Azure Key Vault.

• The API Management's system managed identity might not have the correct permissions (specifically, GET permissions) on the secrets in the Key Vault.
• Sometimes after setting up permissions, there can be a delay before they are fully propagated and effective.

Make sure your SP or User permissions are in-line with your provision requirement. As you required to provision keyvault and access its secrets we need keyvault adminstrator, secret officer and contributor role for you identity.

I tried a demo version of configuration with necesary permissions Where i can successfully provision the requirement.

My terraform configuration:

provider "azurerm" {
    features {}
}

variable "resource_group_name" {
    description = "Name of the resource group"
    type        = string
}

variable "location" {
    description = "Location for all resources"
    type        = string
}
  
variable "tenant_id" {
    description = "Tenant ID for the Azure resources"
    type        = string
}
  
resource "azurerm_resource_group" "example" {
    name     = var.resource_group_name
    location = var.location
}
  
resource "azurerm_api_management" "example" {
    name                = "examplevk-apim"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
    publisher_name      = "example"
    publisher_email     = "[email protected]"
    sku_name            = "Developer_1"
  
    identity {
      type = "SystemAssigned"
    }
}
  
resource "azurerm_key_vault" "example" {
    name                = "examplekvvksb"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
    tenant_id           = var.tenant_id
    sku_name            = "standard"
  
    access_policy {
      tenant_id = var.tenant_id
      object_id = azurerm_api_management.example.identity[0].principal_id
  
      secret_permissions = ["Get", "List", "Set", "Delete", "Recover", "Backup", "Restore", "Purge"]
    }
}

Output:

Now push an SSL certificate to the key vault and continue with the configuration that follows.

# Assuming the certificate is already in the Key Vault
data "azurerm_key_vault_secret" "example_certificate" {
  name         = "myCertificateName"
  key_vault_id = azurerm_key_vault.example.id
}

# Configure Custom Domain in APIM
resource "azurerm_api_management_custom_domain" "example" {
  api_management_id = azurerm_api_management.example.id

  portal {
    host_name            = "portal.my-custom-domain.com"
    key_vault_id         = azurerm_key_vault.example.id
    key_vault_secret_id  = data.azurerm_key_vault_secret.example_certificate.id
  }

  # Configure additional domains (developer portal, gateway, etc.) as needed
}

This configuration will let you access the certification as your SP has all the relevant permissions as mentioned above.