title Include file
description Include file
services api-center
ms.service azure-api-center
ms.topic include
ms.date 03/09/2026
ms.custom Include file

To allow import of the assets, assign your API center's managed identity the Key Vault Secrets User role in your Azure key vault. You can use the portal or the Azure CLI.

  1. In the portal, go to your key vault.
  2. In the sidebar menu, select Access control (IAM).
  3. Select + Add role assignment.
  4. On the Add role assignment page, set the values as follows:
    1. On the Role tab, select Key Vault Secrets User.
    2. On the Members tab, for Assign access to, select Managed identity > + Select members.
    3. On the Select managed identities page, select the system-assigned managed identity of your API center that you added in the previous section. Click Select.
    4. Select Review + assign.
  1. With the Azure CLI, get the principal ID of the identity. For a system-assigned identity, use the az apic show command.

    #! /bin/bash
    apicObjID=$(az apic show --name <api-center-name> \
        --resource-group <resource-group-name> \
        --query "identity.principalId" --output tsv)
    
    # Formatted for PowerShell
    $apicObjID=$(az apic show --name <api-center-name> `
        --resource-group <resource-group-name> `
        --query "identity.principalId" --output tsv)
    
  2. Get the resource ID of your key vault using the az keyvault show command.

    #! /bin/bash
    kvID=$(az keyvault show --name <kv-name> --resource-group <resource-group-name> --query "id" --output tsv)
    
    # Formatted for PowerShell
    $kvID=$(az keyvault show --name <kv-name> --resource-group <resource-group-name> --query "id" --output tsv)
    
  3. Assign the managed identity the Key Vault Secrets User role in your key vault using the az role assignment create command.

    #! /bin/bash
    # Drop the leading "/" from the key vault resource ID
    scope="${kvID:1}"
    
    az role assignment create \
        --role "Key Vault Secrets User" \
        --assignee-object-id "$apicObjID" \
        --assignee-principal-type ServicePrincipal \
        --scope "$scope"
    
    # Formatted for PowerShell
    # Drop the leading "/" from the key vault resource ID
    $scope=$kvID.substring(1)
    
    az role assignment create `
        --role "Key Vault Secrets User" `
        --assignee-object-id $apicObjID `
        --assignee-principal-type ServicePrincipal `
        --scope $scope
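
To check the result of the steps above, the following added example (not part of the original include file) audits which role assignments of the API center's identity apply to the key vault, and flags anything broader than Key Vault Secrets User at vault scope. The function name `audit_kv_access`, the status codes, and the sample IDs are constructed for illustration; the input is assumed to be the `roleDefinitionName` and `scope` fields from `az role assignment list`.

```shell
#!/bin/sh
# Added example: audit which role assignments of the API center's managed
# identity apply to the key vault.
# stdin: one "roleDefinitionName<TAB>scope" line per assignment, for example from
#   az role assignment list --assignee "$apicObjID" --all \
#       --query "[].[roleDefinitionName, scope]" --output tsv
# $1: key vault resource ID ($kvID from the steps above).
# Status: 0 = only the expected assignment applies, 1 = it is missing,
#         2 = it is present but other assignments also apply to the vault.
audit_kv_access() (
    lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
    kv=$(lower "${1%/}")          # resource IDs are compared case-insensitively
    tab=$(printf '\t')
    found=no; extra=no
    while IFS="$tab" read -r role scope || [ -n "$role" ]; do
        [ -n "$role" ] || continue
        s=$(lower "${scope%/}")
        # Skip assignments that are neither on the vault nor inherited by it
        case "$kv" in
            "$s"|"$s"/*) ;;
            *) continue ;;
        esac
        if [ "$role" = "Key Vault Secrets User" ] && [ "$s" = "$kv" ]; then
            found=yes
            echo "OK      $role at vault scope"
        elif [ "$role" = "Key Vault Secrets User" ]; then
            extra=yes
            echo "BROAD   $role inherited from ${scope:-/} (covers more than this vault)"
        else
            extra=yes
            echo "REVIEW  $role at $scope also applies to this vault"
        fi
    done
    [ "$found" = yes ] || { echo "MISSING Key Vault Secrets User at $1"; exit 1; }
    [ "$extra" = no ] || exit 2
    exit 0
)

# Constructed sample input (placeholder IDs), so the check runs offline
sub="/subscriptions/00000000-0000-0000-0000-000000000000"
demo_kv="$sub/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo"
printf 'Key Vault Secrets User\t%s\nKey Vault Administrator\t%s\n' \
    "$demo_kv" "$sub/resourceGroups/rg-demo" | audit_kv_access "$demo_kv" || echo "status: $?"
```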