I would like to share a suggestion for improvements in the integration between Azure Key Vault and API Management.
Currently, there is a possibility to assign the API Management instance's system-assigned managed identity to the Key Vault's access policy, which indeed works; however, this then allows the entire API Management instance to access the Key Vault. Even if you limit the scope of the API Management system-assigned managed identity to only "get" and not "list", there is still a possibility for other users of the API Management instance to extract secrets from that Key Vault, of course given that the names of the secrets are known.
What would be a cool feature is if you could limit the access policies to individual APIs as well, which would mean that you can't abuse existing policies in other APIs to retrieve secrets from a specific Key Vault. This would allow you to have even more fine-grained access policies towards individual Key Vaults.
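Until per-API scoping exists, one thing a defender can do is inventory which API policies actually exercise the instance identity against Key Vault. The following is an added example, not code from the original post or from Microsoft; it scans exported APIM policy XML for `authentication-managed-identity` elements targeting the Key Vault resource and for `send-request` calls to `*.vault.azure.net`. The API names, vault name and policy bodies are constructed sample data.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: one policy document per API, as exported from an APIM instance.
# The API names and the vault host are placeholders, not real resources.
SAMPLE_POLICIES: Dict[str, str] = {
    "orders-api": """<policies><inbound><base />
        <send-request mode="new" response-variable-name="kv" timeout="20" ignore-error="false">
          <set-url>https://contoso-kv.vault.azure.net/secrets/db-password?api-version=7.4</set-url>
          <set-method>GET</set-method>
          <authentication-managed-identity resource="https://vault.azure.net" />
        </send-request></inbound><backend><base /></backend><outbound><base /></outbound></policies>""",
    "catalog-api": """<policies><inbound><base />
        <authentication-managed-identity resource="https://graph.microsoft.com" />
        </inbound><backend><base /></backend><outbound><base /></outbound></policies>""",
    "health-api": """<policies><inbound><base /></inbound><backend><base /></backend>
        <outbound><base /></outbound></policies>""",
}

KEY_VAULT_RESOURCE = "https://vault.azure.net"   # token audience used for Key Vault
KEY_VAULT_HOST_SUFFIX = ".vault.azure.net"       # data-plane host suffix of every vault


def find_key_vault_reach(policy_xml: str) -> List[str]:
    """Describe each way this policy lets the instance identity reach Key Vault."""
    findings: List[str] = []
    root = ET.fromstring(policy_xml)
    # A token minted for the Key Vault audience, wherever it appears in the policy.
    for node in root.iter("authentication-managed-identity"):
        resource = (node.get("resource") or "").rstrip("/")
        if resource == KEY_VAULT_RESOURCE:
            findings.append(f"managed-identity token for Key Vault (resource={resource})")
    # An outbound call whose target host is a vault, regardless of how it authenticates.
    for req in root.iter("send-request"):
        url_el = req.find("set-url")
        url = (url_el.text or "").strip() if url_el is not None else ""
        host = urlparse(url).hostname or ""
        if host.endswith(KEY_VAULT_HOST_SUFFIX):
            findings.append(f"send-request to Key Vault host {host}")
    return findings


def audit(policies: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each API name to its Key Vault findings, omitting APIs with none."""
    report: Dict[str, List[str]] = {}
    for api_name, policy_xml in policies.items():
        findings = find_key_vault_reach(policy_xml)
        if findings:
            report[api_name] = findings
    return report


if __name__ == "__main__":
    for api_name, findings in audit(SAMPLE_POLICIES).items():
        print(api_name, "->", "; ".join(findings))
```

Running it against a real instance means exporting each API's effective policy first; any API that appears in the report can read every secret the instance identity has "get" on, which is the blast radius the post describes.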