How to use Service Principal(I'd and secret) to access Azure App Configuration from APIM policy?

Question

How to use Service Principal(I'd and secret) to access Azure App Configuration from APIM policy?

Answer 1

Amit Srivastava Thanks for posting your question in Microsoft Q&A. In general, we recommend using Managed Identity instead of app registration, if possible, to eliminate the need for managing credentials. In that case, you can follow steps discussed in other thread: How to call/retrieve value from Azure app config through APIM policy.

For using Service Principal with client id, client secret, you need to assign role Azure App Configuration Data Reader for the service principal, and then follow either of the below approaches:

• Use send-request policy to get token from Azure AD and then call Azure App Configuration Rest API like discussed in the other thread. Here is the sample policy snippet: https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Get%20OAuth2%20access%20token%20from%20AAD%20and%20forward%20it%20to%20the%20backend.policy.xml and we have detailed steps described in API Management Policy for Access Token Acquisition, Caching and Renewal article. Make sure to configure resource/audience as https://azconfig.io when acquiring the token (refer https://learn.microsoft.com/en-us/azure/azure-app-configuration/rest-api-authentication-azure-ad#azure-ad-token-acquisition).
• Instead of the above steps, check out authorizations feature which is currently in preview and can be used to manage token acquisition. First step is to create authorization in APIM for your service principal as described here with client id, client secret, grant type as Client credentials, resource url as https://azconfig.io and assign access policy to the managed identity of APIM. Second, use get-authorization-context policy to get token from Azure AD and pass it to Azure App Configuration Rest API and here is the sample policy snippet:

<get-authorization-context provider-id="testproviderad" authorization-id="testproviderad" context-variable-name="auth-context" identity-type="managed" ignore-error="false" />
        <send-request mode="new" timeout="20" ignore-error="false" response-variable-name="tokenstate">
            <set-url>@("https://<app-config-name>.azconfig.io/kv/testkeyname?api-version=1.0")</set-url>
            <set-method>GET</set-method>
            <set-header name="Authorization" exists-action="override">
                <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
            </set-header>
        </send-request>

I hope this helps with your question and let m know if you have any questions or face issues.

---

If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

Answer 2

Hi Muthu kumaran, after resolving the firewall issue, today when I tested the policy it is failing after 2nd <send-request> call with the error" expression evaluation failed, the message body is not a valid JSON. I can see that first call to Azure AD is successful which returned a jwt token which then be passed in request header to call app config. But after the call app config is complete, it seems like not returning the response in proper JSON format(though post man is returning the response in proper JSON form). Here I am posting 2nd <send-request> which actually not returning the response in json format. Can you please help me if I am missing any thing here. <send-request mode="new" timeout="20" ignore-error="false" response-variable="tokenres"> <set-url>@("https://xyz.azconfig.io/kV/keyname?api-version=1.0")</set-url> <set-method>GET</set-method> <set-header name="Authorization" exists-action="override"> <value>@("Bearer "+token from previous call) </value> </set-header> </send-request> <set-variable name="tokenresstring" value="@(((IResponse)context.Variables["tokenres"]).Body.As<JObject>())" />. So the particular issue at last line(set variable). Thanks

Answer 3

Hi MuthuKumaran, firewall policy got resolved, now calls are going through. I followed the first approach which you told(get jwt from AD and then paas it to azconfig rest API), unfortunately I am getting an error while parsing the return response of 2nd call(app config call for both POST and GET) as "expression evaluation failed, the message body is not a valid JSON. Here I am posting the screen shot of policy, can you please help me out to figure out the solution for this. Please note from POST Man I am getting proper JSON response. Error reporting for set variable last line. Thanks p