WELCOME TO CLOUD MATTER

  • Roman Guoussev-Donskoi

Azure API Management: access back-end securely with managed identity

A common challenge when building cloud applications is managing the credentials for authenticating to cloud services.


Luckily Azure provides a simple and elegant solution to this problem: managed identities (see "What is managed identities for Azure resources?").


For Azure API Management you can enable a managed identity and use it to obtain JWT access tokens for back-end App Services (and Azure Functions) protected with Azure AD authentication. This gives APIM secure access to the back end without having to store or manage any credentials.


Configure Back-end services Authentication

Ensure your back-end services are already configured for Azure AD authentication.

For Azure Functions and App Services the authentication settings look something like below:


The important piece of the Azure AD authentication configuration is the client ID of the app registration that protects the back end. APIM requests a token for that client ID (it becomes the token's audience) and presents it to the back-end app.



For configuring authentication to a back-end APIM instance (when you call another APIM from your APIM instance) please see "Protect an API by using OAuth 2.0 with Azure Active Directory and API Management" and "Protect Azure API Management Basic Tier using OAuth 2.0".


API Management identity

Configuring the API Management identity is very simple: just enable it in the "Managed identities" section of the APIM Settings blade as below, or specify it in the ARM template at API Management creation time.


Configure API Policy

To access back-end services protected by Azure AD authentication we use the authentication-managed-identity policy.


An example is below.
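The following inbound policy is an added example written for this page, not the post's own policy (the original was shown as a screenshot). It assumes a named value called backend-client-id that holds the client ID from the back end's Azure AD authentication settings, and that APIM uses its system-assigned identity.

```xml
<policies>
    <inbound>
        <base />
        <!-- Acquire a token for the back-end app registration using the APIM managed identity.
             {{backend-client-id}} is an assumed named value holding the back end's client ID;
             it becomes the audience of the token. ignore-error="false" fails the request
             instead of forwarding it without a token. -->
        <authentication-managed-identity resource="{{backend-client-id}}" output-token-variable-name="msi-access-token" ignore-error="false" />
        <!-- Present the token to the back end and override any Authorization header
             supplied by the caller so it never reaches the back end. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

If you use a user-assigned identity instead, add the client-id attribute of that identity to the authentication-managed-identity element. Two caveats: exists-action="override" matters, because otherwise a caller's own bearer token could be forwarded to the back end; and with the default App Service authentication settings the back end accepts any token issued by the tenant for that client ID, so this policy authenticates APIM but does not by itself prevent other callers in the tenant from reaching the back end directly.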


Test

You can validate (e.g. in Postman) that calling the function without a bearer token returns 401 (Unauthorized).

If you add an Authorization header with a valid bearer token for the function's client ID, you can see that the function is accessed successfully.


Now it is time to test function access through API Management.
