Please note!

This way can still be used but it is MUCH simpler to do it directly from APIm in the portal. Simply try to add a certificate in a Keyvault and APIm will ask you if you would like to add the access policies needed. If you have access rights in the Keyvault (the same you need to add the code below), you can simply click OK.


There are a lot of uses for the Azure Keyvault. It really is a very useful service, and you should look into using it. One awesome way of using it is to store certificates. It gives you the added bonus of setting up contacts on who to e-mail when the certs are about to expire.

HTTPs certificates and APIm

In order to make the API management portal and proxy a part of your organization you can make it look like it is hosted by you. So instead of the address for the portal being it can be This is dome using Custom Domains in APIM.

In order to make it look like the portal is a part of the organization, you must supply a certificate in order to use https. This certificate can be uploaded directly to APIm but a better place to store it is in a KeyVault. That way you can use it elsewhere provided the credentials are correct and the access policies are set.

Access policy and APIm managed identity

The only supported way of getting a certificate from a KeyVault to an APIm instance is to use a managed identity. It is very easy to make APIm register itself with Azure AD and give you a service identity guid. The hard part is to use this identity in the KeyVault and add an access policy for it. The way to make this work is, according to the documentation, to use an ARM template. However, that template is … not as good as it should be. So I made a better one.

The improved template

This template is made to be run in the same resource group as the keyvault. Also, note that you must create the managed identity in the APIm instance before running this template.


“$schema”: “”,

“contentVersion”: “”,

“parameters”: {

“vaults_MyKeyVault_name”: {

“defaultValue”: “MyKeyVault”,

“type”: “String”



“APIM_resourceGroupName”: {

“defaultValue”: “MyAPImResourceGroup”,

“type”: “String”


“APIM_servicename”: {

“defaultValue”: “MyAPImInstance”,

“type”: “String”



“variables”: {


“apimServiceIdentityResourceId”: “[concat(resourceId(parameters(‘APIM_resourceGroupName’), ‘Microsoft.ApiManagement/service’, parameters(‘APIM_servicename’)),’/providers/Microsoft.ManagedIdentity/Identities/default’)]”


“resources”: [


“type”: “Microsoft.KeyVault/vaults/accessPolicies”,

“name”: “[concat(parameters(‘vaults_MyKeyVault_name’), ‘/add’)]”,

“apiVersion”: “2015-06-01”,

“properties”: {

“accessPolicies”: [{

“tenantId”: “[reference(variables(‘apimServiceIdentityResourceId’), ‘2015-08-31-PREVIEW’).tenantId]”,

“objectId”: “[reference(variables(‘apimServiceIdentityResourceId’), ‘2015-08-31-PREVIEW’).principalId]”,

“permissions”: {

“secrets”: [“get”,”list”]








As you can see, it is very simple. You only fill in the name of the KeyVault, the name of the resource group that the APIm instance is in, and lastly the name of the APIm instance.

Running the template

It might not be obvious how to run this template from the portal. The easiest way of running it is by searching for “template” in the search box at the top and click on Deploy Custom Template.

The result

After the deployment is done, you can go to your KeyVault and find the managed identity in the updated Access Policies. You should find an entry with the name of your APIm instance listed as an application.