How to use Logic Apps to rotate APIM subscription keys & notify subscription owners

My GitHub repo shows an example of how to use Logic Apps to regenerate the primary key in an Azure API Management instance. APIM doesn’t provide a native way to rotate keys on a regular basis. Rotating API subscription keys is a good security practice since they are just a long password and should not be considered a secure method of authorizing API calls.

This repo also has an example of how to use Logic Apps in combination with an Azure Function and an Azure Key Vault to generate custom API subscription keys, store them in Key Vault and then set the key in APIM.

This repo also shows you how to use stateful Logic Apps to notify subscription owners that their API subscription keys are about to expire and ask them to approve or deny being the owner.

Pre-requisites

• Azure subscription & resource group
• Azure CLI
• dotnet CLI
• .NET 6
• Azure Function CLI
• PowerShell
• Visual Studio Code
• Logic Apps Visual Studio Code Extension
• Event Hub Visual Studio Code Extension

How to use Logic Apps to regenerate API subscription keys using native APIM capabilities

The Logic App will go through the following steps to regenerate the API subscription primary key when it is within 30 days of expiring and then notifying the owner.

1. It will first query the APIM to see what API subscriptions are expiring in the next 30 days.
2. It will then loop over each one and:
   1. Regenerate the primary key using the native API for APIM.
   2. Get the subscription owner ID & product name.
   3. Send an email to the subscription owner notifying them of the change.

You can right-click on the logic-app/rotate-subscription-key/workflow.json file and select Open in Designer to see the GUI tool for building Logic Apps.

How to use Logic Apps to regenerate API subscription keys via an Azure Function, store that new key in Azure Key Vault & set the new key in APIM

The Logic App will go through the following steps to generate a new API subscription primary key when it is within 30 days of expiring, saving it to Key Vault & then setting it in APIM, and then notifying the owner.

1. It will first query the APIM to see what API subscriptions are expiring in the next 30 days.
2. It will then loop over each one and:
   1. Call the Azure Function to generate a new primary key
   2. Save this new key to Azure Key Vault.
   3. Set the the primary key using the native API for APIM.
   4. Get the subscription owner ID & product name.
   5. Send an email to the subscription owner notifying them of the change.

You can right-click on the logic-app/set-subscription-key/workflow.json file and select Open in Designer to see the GUI tool for building Logic Apps.

How to notify API subscription owners and get their approval or denial

The Logic App will go through the following steps to notify the API subscription owner of the API subscription key expiring and wait on their response (using stateful Logic Apps).

1. It will first query the APIM to see what API subscriptions are expiring in the next 30 days.
2. It will then loop over each one and:
   1. Get the subscription owner ID & product name.
   2. Send an email to the subscription owner notifying them of the expiration and asking them to Approve or Deny.
   3. The Logic App will then wait on their response.
   4. Based upon the response, it will send a follow-up email with an Approval or Denial email.

You can right-click on the logic-app/notify-subscription-owner/workflow.json file and select Open in Designer to see the GUI tool for building Logic Apps.

Links

• Logic Apps Standard
• Azure API Management
• Azure Function
• Azure Key Vault
• Stateful Logic Apps