This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 43%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJA%3C/text%3E%3C/svg%3E)
I have an Azure API Management resource that has an associated Application Insights. The infrastructure was created with Terraform.
The problem is that a security audit has found that a NamedValue has been created within API Management containing the Instrumentation Key of Application Insights. This is something that wasn't specifically created from Terraform, but rather by its internal calls.
The question is: Is there a way to configure Application Insights within API Management so that it reads the Instrumentation Key from an Azure Key Vault instead of from a Named Value?
Kind regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Jesus Arnas Iñigo Thanks for your question.I understand that you are trying to get instrumentation key from Azure Key Vault instead of named value. But you can configure your named values to read the instrumentation key directly from key vault instead of storing it as plain value. Have you considered this approach ?
Reference:
I wasn't aware of that approach; I'll look into it.
Thank you very much!
@Jesus Arnas Iñigo Hope the information provided is helpful. Kindly revert if you have further questions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 8%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDV%3C/text%3E%3C/svg%3E)
The issue is about the automatically created values for the Logger-credentials.
There are many of these NamedValues (each redeploy gets a new entry, leaving 50+ unused leftover Named Values).
Worse is that the MS Security Benchmark reports these as non-compliant ("API Management secret named values should be stored in Azure Key Vault").
Two solutions possible, please check this: