Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
APPLIES TO: All API Management tiers
This article describes the "Failed to update API Management service hostnames" error, which might occur when you add a custom domain for the Azure API Management service. The following steps can help you resolve the issue.
Symptom
When you try to add a custom domain for your API Management service by using a certificate from Azure Key Vault, you receive the following error message:
Failed to update API Management service hostnames. Request to resource 'https://vaultname.vault.azure.net/secrets/secretname/?api-version=7.0' failed with StatusCode: Forbidden for RequestId: . Exception message: Operation returned an invalid status code 'Forbidden'.
Cause
The API Management service doesn't have permission to access the key vault that you're trying to use for the custom domain.
Solution
To resolve this issue, follow these steps:
Sign in to the Azure portal, then select your API Management instance. Under Security in the sidebar menu, select Managed identities. Make sure that the Status setting is set to On.
From the Azure portal, open the Key vaults service, and select the key vault that you're trying to use for the custom domain.
Select Access policies, and check if a service principal matches the name of the API Management service instance. If so, select that service principal, and make sure that it has the Get permission listed under Secret permissions.
If the API Management service isn't in the list, select Add access policy, and then create the following access policy:
- Configure from Template: None
- Select principal: Search the name of the API Management service, and then select it from the list
- Key permissions: None
- Secret permissions: Get
- Certificate permissions: None
Select OK to create the access policy.
Select Save to save the changes.
To check whether the issue is resolved, try to create the custom domain in the API Management service by using the Key Vault certificate.