Currently a client application works directly over internet with Azure Keyvault to get secret stored in the Keyvault. Azure service principal is used on client side for authentication to the Keyvault and this service principal has GET, LIST permission on Keyvault.
Is it possible to configure a Azure API Management (Azure API gateway) between client app and Keyvault to proxy client's API request (e.g., GET) directed toward the Keyvault. Also, is it a bad practice to have direct communication between client app and Keyvault over internet using service principal?
