How do I access auto-generated API Management subscription keys in Crossplane?
Last updated: April 9, 2026
Context
When creating an Azure API Management Subscription resource using Crossplane without providing primaryKeyRef and secondaryKeyRef, Azure automatically generates the primary and secondary keys. You need to access these auto-generated keys through connection details in your Composition.
Answer
The auto-generated subscription keys are available in the connection secret under attribute.primary_key and attribute.secondary_key. Here's how to access them:
1. Create the Subscription resource without key references:
apiVersion: apimanagement.azure.upbound.io/v1beta1
kind: Subscription
metadata:
  annotations:
    crossplane.io/external-name: test-name-2
  name: example-with-secret
spec:
  forProvider:
    displayName: your-subscription-name
    apiManagementName: your-api-management-name
    productIdSelector:
      matchLabels:
        testing.upbound.io/example-name: example
    resourceGroupName: your-resource-group
    userIdSelector:
      matchLabels:
        testing.upbound.io/example-name: example
  writeConnectionSecretToRef:
    name: subscription-conn-secret
    namespace: your-namespace

2. Access the keys in your Composition:
connectionDetails:
  - name: primary_key
    type: FromConnectionSecretKey
    fromConnectionSecretKey: attribute.primary_key
  - name: secondary_key
    type: FromConnectionSecretKey
    fromConnectionSecretKey: attribute.secondary_key

3. Verify the connection secret contains the keys:
kubectl get secret subscription-conn-secret -n your-namespace -o yaml

The resulting secret will contain the auto-generated keys as base64-encoded values under attribute.primary_key and attribute.secondary_key.
This approach allows you to use dynamically generated subscription keys for ephemeral subscriptions without needing to provide key secrets upfront.
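
An added example (not part of the original article, and not Crossplane or Upbound code): a Python check for step 3 that confirms both keys are present and decodable without printing them to the terminal. Pipe the output of `kubectl get secret subscription-conn-secret -n your-namespace -o json` into it; the sample secret and the function name `check_connection_secret` are constructed for illustration.

```python
import base64
import binascii
import hashlib
import json
import sys

# Connection-secret keys named on this page.
EXPECTED_KEYS = ("attribute.primary_key", "attribute.secondary_key")

# Constructed sample in the shape of `kubectl get secret ... -o json`;
# the values are made up, not real subscription keys.
SAMPLE_SECRET = {
    "kind": "Secret",
    "metadata": {"name": "subscription-conn-secret"},
    "data": {
        "attribute.primary_key": base64.b64encode(b"constructed-primary-key").decode(),
        "attribute.secondary_key": base64.b64encode(b"constructed-secondary-key").decode(),
    },
}


def check_connection_secret(secret):
    """Report on each expected key without ever returning the key itself."""
    data = secret.get("data") or {}
    report = {}
    for name in EXPECTED_KEYS:
        encoded = data.get(name)
        if encoded is None:
            report[name] = {"status": "missing"}
            continue
        try:
            raw = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError, TypeError):
            report[name] = {"status": "not-base64"}
            continue
        if not raw:
            report[name] = {"status": "empty"}
            continue
        # A truncated SHA-256 lets two parties compare keys without showing them.
        digest = hashlib.sha256(raw).hexdigest()[:12]
        report[name] = {"status": "ok", "length": len(raw), "fingerprint": digest}
    return report


if __name__ == "__main__":
    # Pipe real output in, or run with no input to check the constructed sample.
    secret = SAMPLE_SECRET if sys.stdin.isatty() else json.load(sys.stdin)
    result = check_connection_secret(secret)
    print(json.dumps(result, indent=2))
    sys.exit(0 if all(r["status"] == "ok" for r in result.values()) else 1)
```

The script exits non-zero when either key is missing, empty, or not valid base64, so it can gate a pipeline step.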