You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/guides/environment-overrides.md
+108-9Lines changed: 108 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -204,6 +204,89 @@ loggers:
204
204
isBuffered: true
205
205
```
206
206
207
+
> **Note:** When you provide a raw `instrumentationKey` value (instead of a `{{namedValue}}` reference), APIM will automatically create a named value to store the credential securely.
208
+
209
+
### Logger credentials with auto-generated named values
210
+
211
+
When APIM creates a logger (e.g., for Application Insights), it auto-generates a named value to store the instrumentation key. These auto-generated named values have 24-character hex IDs (e.g., `66f48e1226dab62c0823e4f8`) and are normally skipped during publish because APIM recreates them automatically.
212
+
213
+
However, when publishing to a **fresh environment**, APIM cannot recreate these named values because the logger doesn't exist yet. To handle this, provide an override for the auto-generated named value:
214
+
215
+
```yaml
216
+
namedValues:
217
+
# Override the auto-generated named value with the production instrumentation key.
218
+
# Use the 24-char hex ID from the extracted artifact filename.
> **Note:** The built-in `master` subscription is automatically skipped during publish.
255
+
> Product-scoped subscriptions auto-generated by APIM are also skipped to avoid subscription limit errors.
256
+
257
+
### Products
258
+
259
+
```yaml
260
+
products:
261
+
- name: starter-product
262
+
properties:
263
+
displayName: "Starter (Production)"
264
+
subscriptionRequired: true
265
+
approvalRequired: false
266
+
subscriptionsLimit: 10
267
+
```
268
+
269
+
### Gateways
270
+
271
+
```yaml
272
+
gateways:
273
+
- name: on-prem-gateway
274
+
properties:
275
+
locationData:
276
+
name: "Production datacenter"
277
+
city: "Seattle"
278
+
countryOrRegion: "US"
279
+
```
280
+
281
+
### Policy fragments
282
+
283
+
```yaml
284
+
policyFragments:
285
+
- name: rate-limit-fragment
286
+
properties:
287
+
description: "Production rate limiting policy"
288
+
```
289
+
207
290
### Service-level policies
208
291
209
292
```yaml
@@ -213,21 +296,26 @@ policies:
213
296
format: rawxml
214
297
```
215
298
216
-
### All other resource types
299
+
### Version sets, groups, and tags
217
300
218
-
Overrides are also supported for: `gateways`, `versionSets`, `groups`, `subscriptions`, `products`, `tags`, `policyFragments`, and `workspaces`. Each uses the same `name` + `properties` format:
301
+
Overrides are also supported for `versionSets`, `groups`, `tags`, and `workspaces`. Each uses the same `name` + `properties` format:
219
302
220
303
```yaml
221
-
gateways:
222
-
- name: on-prem-gateway
304
+
versionSets:
305
+
- name: petstore-versions
223
306
properties:
224
-
locationData:
225
-
name: "On-premises datacenter"
307
+
displayName: "Petstore API Versions"
308
+
versioningScheme: Segment
226
309
227
-
products:
228
-
- name: starter-product
310
+
groups:
311
+
- name: partner-developers
229
312
properties:
230
-
displayName: "Starter (Production)"
313
+
displayName: "Partner Developers (Production)"
314
+
315
+
tags:
316
+
- name: public-api
317
+
properties:
318
+
displayName: "Public API"
231
319
```
232
320
233
321
## Override rules
@@ -360,6 +448,17 @@ If you add a new backend in dev but forget to add it to your override files, pub
360
448
361
449
When using Key Vault references, the APIM managed identity needs access to the Key Vault. A common failure mode: overrides reference a Key Vault but APIM lacks the `Key Vault Secrets User` role on that vault.
362
450
451
+
### Gotcha: Auto-generated named values for loggers
452
+
453
+
When you create a logger in APIM (e.g., for Application Insights), APIM auto-generates a named value to store the credential. These have 24-character hex names (e.g., `<24-char-hex-id>`). During extract, these are captured as artifacts. During publish:
454
+
455
+
- **Same environment:** Auto-generated named values are skipped (APIM already has them).
456
+
- **Fresh environment:** The logger fails because the named value doesn't exist yet. Provide an override with the target environment's credential value, or override the logger's `credentials` directly.
457
+
458
+
### Gotcha: Redacted secrets
459
+
460
+
Extracted secret named values have their `value` replaced with `*** REDACTED ***`. If you publish these without providing an override with a real value or Key Vault reference, they will be skipped with a warning. Always provide overrides for secret named values when publishing to a different environment.
461
+
363
462
### Dry-run validation
364
463
365
464
Use `--dry-run` to preview publish behavior with overrides:
0 commit comments