How to write APIM (Azure API Mgt Svc) Policy to implement RBAC (Role Based Access Control) to restrict access to my Azure Func?

Siegfried Heintze 1,861 Reputation points
  1. I want to create service two principals using "az ad sp create-for-rbac" and assign custom roles to them using "az role definition create" and "az role assignment create".
  2. Then I want to log in as each service principal and create an authentication token that contains these roles I have created.
  3. Then I want to make a REST call (using curl) that indirectly calls my azure function via my APIM where the authentication token is in the header.
  4. Finally, I want the APIM policy to reject the REST call from the first service principal and accept the REST call from the second service principal (and call the azure function). The APIM policy needs to reject the first REST call on the bases of missing or wrong roles in the JWT and accept the second REST call on the bases if having the required roles in the JWT.

Please help me write the APIM the policy and the (powershell or bash az cli) script to do this. I'm not sure what (custom?) roles to assign to my service principal. I think it would use <validate-jwt>. It might use <authentication-managed-identity/>, I'm not sure.

I've already done a similar exercise using Azure AD authentication tokens that I get when the user logs into a web site (for example) and that is not what I want. I want to use the RBAC feature of service principals to restrict access to my azure function.



Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,209 questions
{count} votes