Amit Srivastava Thank you for posting your question in Microsoft Q&A.
Here are the steps you can follow to achieve this:
- Enable a system-assigned managed identity for your APIM instance as described in Use managed identities in Azure API Management.
- Assign the Azure App Configuration Data Reader role to the managed identity as per the doc: AD Authentication.
- Then write a custom policy to send a request to the Azure App Configuration REST API (https://learn.microsoft.com/en-us/azure/azure-app-configuration/rest-api-key-value#get-key-value) to get the key value, and use the authentication-managed-identity policy to generate the authorization token. Refer to the sample code snippet below (replace <app-config-name> and testkeyname with actual values):
```xml
<!-- Call the App Configuration "get key-value" REST endpoint with a token for the APIM managed identity -->
<send-request mode="new" timeout="20" ignore-error="false" response-variable-name="tokenstate">
    <set-url>@("https://<app-config-name>.azconfig.io/kv/testkeyname?api-version=1.0")</set-url>
    <set-method>GET</set-method>
    <!-- resource is the App Configuration audience; the token is attached as the Authorization header -->
    <authentication-managed-identity resource="https://azconfig.io" ignore-error="false" />
</send-request>
<!-- The key-value response is JSON; "value" holds the setting's value -->
<set-variable name="keyValue" value="@(((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["value"])" />
```
Note, the above code snippet is a sample policy for your reference, and you can customize it based on your need. If you face any issues, let me know. I hope this helps with your question.
If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and I would be happy to answer your questions.
Amit Srivastava I have tested this policy snippet, and this setup works well for my APIM/App Configuration. The exception suggests that APIM is not able to make a proper connection to the endpoint (here App Configuration). I suggest you debug the API using Trace a call and validate that the policy expression really failed at the send-request policy.
If so, then try making a direct request to the App Configuration REST API above with a bearer token via Postman and see the results. Validate whether public access is disabled in App Configuration (or private access is enabled; refer to Disable public access). Second, do you have APIM in a VNET (internal or external mode)? Make sure there is network connectivity to Azure App Configuration / Azure AD in the NSG rules and route table as described in the doc: Configure NSG rules and route table. You can quickly set up APIM in public mode to test this scenario.
If you still face the issue, share the policy evaluation expression failure and setup details. That would really help.
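As an added example (not part of either answer above), the following inbound policy fragment combines the lookup from the first answer with the failure handling the follow-up asks you to debug: the send-request runs with ignore-error="true" so the policy can inspect the outcome itself, a non-200 or null response is turned into an explicit 502 with the upstream status in the body (visible in Trace a call and to the caller) instead of an opaque expression failure, and a successful value is cached so App Configuration is not called on every request. APP-CONFIG-NAME, testkeyname, the cache key, the 300-second cache duration and the X-Feature-Setting header are placeholders and assumptions for this illustration; the policy elements used (cache-lookup-value, send-request, authentication-managed-identity, choose, return-response, cache-store-value, set-header) are standard APIM policies.

```xml
<!-- Added example, not the original answer's snippet. Inbound section of an API or operation policy.
     Replace APP-CONFIG-NAME and testkeyname with your store name and key. -->
<inbound>
    <base />
    <!-- Serve the setting from the APIM policy cache when present; on a miss the variable stays unset -->
    <cache-lookup-value key="appcfg-testkeyname" variable-name="keyValue" />
    <choose>
        <when condition="@(!context.Variables.ContainsKey("keyValue"))">
            <!-- ignore-error="true": a failed call leaves the variable null instead of aborting the policy -->
            <send-request mode="new" timeout="20" ignore-error="true" response-variable-name="appcfgResponse">
                <set-url>https://APP-CONFIG-NAME.azconfig.io/kv/testkeyname?api-version=1.0</set-url>
                <set-method>GET</set-method>
                <!-- Token for the App Configuration audience, issued to the APIM system-assigned identity.
                     The identity needs the App Configuration Data Reader role on the store. -->
                <authentication-managed-identity resource="https://azconfig.io" ignore-error="false" />
            </send-request>
            <choose>
                <!-- Null response: the call itself failed (DNS, NSG/route, private endpoint, token acquisition).
                     Non-200: reached the store but was rejected (401/403 role, 404 key, etc.). -->
                <when condition="@(context.Variables.GetValueOrDefault<IResponse>("appcfgResponse") == null
                                    || ((IResponse)context.Variables["appcfgResponse"]).StatusCode != 200)">
                    <return-response>
                        <set-status code="502" reason="Configuration lookup failed" />
                        <set-header name="Content-Type" exists-action="override">
                            <value>application/json</value>
                        </set-header>
                        <!-- Surface only the upstream status, not the upstream body or the token -->
                        <set-body>@{
                            var r = context.Variables.GetValueOrDefault<IResponse>("appcfgResponse");
                            return new JObject(
                                new JProperty("error", "App Configuration request failed"),
                                new JProperty("upstreamStatus", r == null ? "no response" : r.StatusCode.ToString())
                            ).ToString();
                        }</set-body>
                    </return-response>
                </when>
                <otherwise>
                    <!-- The key-value document's "value" property holds the setting; cast to string for set-variable -->
                    <set-variable name="keyValue" value="@((string)((IResponse)context.Variables["appcfgResponse"]).Body.As<JObject>()["value"])" />
                    <!-- Cache for 300 seconds (assumed TTL) so the store is not hit on every request -->
                    <cache-store-value key="appcfg-testkeyname" value="@((string)context.Variables["keyValue"])" duration="300" />
                </otherwise>
            </choose>
        </when>
    </choose>
    <!-- keyValue is now available to later policies, here forwarded to the backend as a header (assumed name) -->
    <set-header name="X-Feature-Setting" exists-action="override">
        <value>@((string)context.Variables["keyValue"])</value>
    </set-header>
</inbound>
```

With this in place, the Trace a call output shows either the cache hit, or the send-request outcome followed by the branch taken, which is what you need when deciding between a role assignment problem (a 401/403 from the store) and a connectivity problem (no response at all, the case the follow-up attributes to disabled public access or missing VNET routes).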