This is the last part of section 3 and will cover two topics:
- Manage API permissions to Azure subscriptions and resources
- Configure an authentication method for a service principal
Manage API permissions to Azure subscriptions and resources
What is Azure API management?
Azure API Management relies on Azure role-based access control (Azure RBAC) to enable fine-grained access management for API Management services and entities (for example, APIs and policies). This article gives you an overview of the built-in and custom roles in API Management.
Built-in roles
API Management currently provides three built-in roles and will add two more roles in the near future. These roles can be assigned at different scopes, including subscription, resource group, and individual API Management instance. For instance, if you assign the “API Management Service Reader” role to a user at the resource-group level, then the user has read access to all API Management instances inside the resource group.
The following table provides brief descriptions of the built-in roles. You can assign these roles by using the Azure portal or other tools, including Azure PowerShell, Azure CLI, and REST API.
| Role | Read access[1] | Write access[2] | Service creation, deletion, scaling, VPN, and custom domain configuration | Access to the legacy publisher portal | Description |
|---|---|---|---|---|---|
| API Management Service Contributor | ✓ | ✓ | ✓ | ✓ | Super user. Has full CRUD access to API Management services and entities (for example, APIs and policies). Has access to the legacy publisher portal. |
| API Management Service Reader | ✓ | | | | Has read-only access to API Management services and entities. |
| API Management Service Operator | ✓ | | ✓ | | Can manage API Management services, but not entities. |
[1] Read access to API Management services and entities (for example, APIs and policies).
[2] Write access to API Management services and entities except the following operations: instance creation, deletion, and scaling; VPN configuration; and custom domain setup.
Custom roles
If none of the built-in roles meet your specific needs, custom roles can be created to provide more granular access management for API Management entities. For example, you can create a custom role that has read-only access to an API Management service, but only has write access to one specific API.
How to manage custom roles?
First, open Your Azure CLI and type az to start the CLI.
Listing custom roles
List the current custom roles with:

```bash
az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'
```
And we have none, so let’s create one.
Creating custom role
First we need to create a JSON file, and for this what would be a better tool than Visual Studio Code for the Web.
Figuring out what resource providers to use.
Microsoft has an excellent resource for browsing through the different resources, and it's called Resource Explorer.
Let’s find Microsoft.ApiManagement provider.
Enabling resource providers
You can check which resource providers have been registered from the GUI and register them there, or from PowerShell:

```powershell
Get-AzureRmResourceProvider -ListAvailable | Select-Object ProviderNamespace, RegistrationState
```
And register a provider:

```powershell
Register-AzureRmResourceProvider -ProviderNamespace microsoft.aad
```
Creating JSON
First we need to find the ID of the subscription You are currently logged in to:

```bash
az account show --query id --output tsv
```
Or all subscriptions You have:

```bash
az account list --output table
```
And then we construct the JSON file (replace the placeholder in AssignableScopes with Your own subscription ID):

```json
{
  "Name": "API Management Reader role",
  "IsCustom": true,
  "Description": "Can check API Name Availability.",
  "Actions": [
    "Microsoft.ApiManagement/checkNameAvailability/read/*",
    "Microsoft.ApiManagement/service/read/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<your subscription ID>"
  ]
}
```
Uploading JSON
Open Upload / Download file menu from Shell.
And Upload Your JSON file.
And the file is there.
Creating a role based on JSON
Create the new custom role with the following:

```bash
az role definition create --role-definition "ApiReaderRole.json"
```
And You will see output for the command.
Querying the custom role
With the following command You can find Your custom role and display only the roleName and roleType columns:

```bash
az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'
```
Or find the Custom role with GUI.
And select only Custom roles.
Adding a role assignment
You can now add the created Custom role to identities.
You can choose Users or Managed identities.
And You can also create the Custom role from the GUI by cloning an existing role, creating from scratch, or from JSON.
With cloning You can select any existing role and copy it to a Custom role.
You can add or exclude permissions.
And add Assignable scopes. Management group is still in preview so it won’t be coming to the test but it’s a nice feature.
And when You select what You want, You will get a freshly created JSON. How cool is that!
Configure an authentication method for a service principal
What is a Service Principal?
Automated tools that use Azure services should always have restricted permissions. Instead of having applications sign in as a fully privileged user, Azure offers service principals.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it’s always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.
Creating Service Principal
PowerShell with pre-hydrated password
You can create a Service principal with the Azure CLI from PowerShell:

```bash
az ad sp create-for-rbac --name MyOwnServicePrincipal --role Contributor
```
Running the command again will patch the existing Application instance.
PowerShell with Certificate
You can have Your own certificate for this but You can also use one from Key Vault.
```bash
az ad sp create-for-rbac --name MyOwnServicePrincipalWithCert --role Contributor --cert MyOwnCertificate --keyvault cloudpartnerkeyvault02
```
And this is the output.
If You run the command again, it will patch Application instance.
If You choose Your own certificate it has to be in an ASCII format such as PEM, CER, or DER. Pass the certificate as a string, or use the @path format to load the certificate from a file. Make sure any tool that uses this service principal has access to the certificate's private key.
Listing Service Principal roles
You can list the roles with the following. Note that You have to use the AppID of the Service Principal:

```bash
az role assignment list --assignee 2041c020-d156-446e-aed4-ab225128d5cf
```
And the output.
Adding permissions to Service Principal
Open App registrations and find Your Service Principals.
Add permissions like in last post for any App registration.
And the permissions appear in the list.
Things to remember
You can create Custom roles by cloning an existing role, creating from scratch, or from JSON.
A Service Principal is an App registration.
Know the JSON format: which actions You have to include and what scopes can be assigned. For the scopes You can also assign Resource groups, not only the whole Subscription.
Authentication can be done with a pre-hydrated password or a certificate (remember Key Vault).
Remember the az role commands:
| Command | Description |
|---|---|
| az role assignment | Manage role assignments. |
| az role assignment create | Create a new role assignment for a user, group, or service principal. |
| az role assignment delete | Delete role assignments. |
| az role assignment list | List role assignments. |
| az role assignment list-changelogs | List changelogs for role assignments. |
| az role assignment update | Update an existing role assignment for a user, group, or service principal. |
| az role definition | Manage role definitions. |
| az role definition create | Create a custom role definition. |
| az role definition delete | Delete a role definition. |
| az role definition list | List role definitions. |
| az role definition update | Update a role definition. |