Azure API Management: access back-end securely with managed identity
A common challenge when building cloud applications is managing the credentials for authenticating to cloud services.
Luckily, Azure provides a simple and elegant solution to this issue: managed identities (see "What is managed identities for Azure resources?").
For Azure API Management, you can configure a managed identity to acquire JWT tokens and access back-end App Services protected with Azure AD authentication. This provides secure access without having to store or manage any credentials.
Configure Back-end services Authentication
Ensure your back-end services are already configured for Azure AD authentication.
For Azure Functions and App Services, the configuration looks something like the one below:
The important piece of the Azure AD authentication configuration is the client ID of the back-end app registration: APIM references it when it requests a JWT token for accessing the back-end app.
For configuring back-end APIM access authentication (when you call another APIM from your APIM instance), please see "Protect an API by using OAuth 2.0 with Azure Active Directory and API Management" and "Protect Azure API Management Basic Tier using OAuth 2.0".
API Management identity
Configuring the API Management identity is very simple: just enable it in the "Settings" blade of the APIM instance, as shown below, or specify it in the ARM template at API Management creation time.
Configure API Policy
To access back-end services protected by Azure AD authentication, we use the authentication-managed-identity policy.
An example is below:
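The following inbound policy is an added example (not the screenshot from the original post) showing the authentication-managed-identity policy acquiring a token for the back-end app and forwarding it as a Bearer token; the resource value is a placeholder for the back-end app registration's client ID, and the variable name msi-access-token is an assumption.

```xml
<policies>
    <inbound>
        <base />
        <!-- Ask Azure AD for a token using APIM's system-assigned managed
             identity. "resource" is the client ID (or App ID URI) of the
             back-end's Azure AD app registration; the value below is a
             placeholder to be replaced with your own. ignore-error="false"
             makes the policy fail the request if no token can be obtained,
             so a misconfiguration surfaces as an error rather than an
             unauthenticated call to the back-end. -->
        <authentication-managed-identity
            resource="{client-id-of-backend-app-registration}"
            output-token-variable-name="msi-access-token"
            ignore-error="false" />
        <!-- Forward the token to the back-end as an Authorization header.
             (Omitting output-token-variable-name makes the policy set this
             header itself; the explicit form is used here to show the flow.) -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because the managed identity is created and rotated by Azure, no client secret appears anywhere in the policy or in APIM named values.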
You can validate (e.g. in Postman) that accessing the function without a bearer token returns 401 (unauthenticated).
If you add an Authorization header with a Bearer token, you can see that the function is accessed successfully.
Now it is time to test function access from API Management.