How to connect to Azure Storage account via OAuth2.0 from Azure APIM?

Vijay 0 Reputation points
2024-04-08T03:41:19.2533333+00:00

Step 1: Created an application in Microsoft Entra ID under "App registrations".

Step 2: Recorded the following details:

  • Client ID
  • Client secret
  • Access token URL

Step 3: For the Storage Account, added a role assignment and granted access to the created application with the role "Storage Blob Data Owner".

The Client ID, Client secret, and Access token URL details have been configured in Azure APIM credential manager and the following policy has been added to the inbound processing section.

<set-header name="x-ms-version" exists-action="override">
    <value>2022-11-02</value>
</set-header>
<get-authorization-context provider-id="storageblob" authorization-id="Blob" context-variable-name="auth-context" identity-type="managed" />
<set-header name="Authorization" exists-action="override">
    <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
</set-header>

Because the token is generated without the appropriate audience (resource) "https://storage.azure.com", I am receiving the following error message.

In order to generate tokens for the storage account, where should I configure the resource (https://storage.azure.com)?

HTTP/1.1 401 Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
content-length: 406
content-type: application/xml
date: Mon, 08 Apr 2024 03:24:28 GMT
ocp-apim-apiid: echo-api
ocp-apim-operationid: retrieve-resource-cached
ocp-apim-subscriptionid: master
ocp-apim-trace-location: https://apimstt2cg5mjuwhldqwcbez.blob.core.windows.net/apiinspectorcontainer/37a485306d764bcf91e7ae2500590beb?sv=2019-07-07&sr=b&sig=MgiTM5PTGka7k3e5a04NDG1oPgNkA%2BDIFtrIgjAgJD4%3D&se=2024-04-09T03%3A24%3A28Z&sp=r&traceId=5ba19406831a4b3e98e97915afaeee99
vary: Origin
www-authenticate: Bearer authorization_uri=https://login.microsoftonline.com/7******-318f-4d0f**********/oauth2/authorize resource_id=https://storage.azure.com
x-ms-error-code: InvalidAuthenticationInfo
x-ms-request-id: 8519b383-801e-0052-3b64-8923cf000000
<?xml version="1.0" encoding="utf-8"?>
<Error>
    <Code>InvalidAuthenticationInfo</Code>
    <Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:8519b383-801e-0052-3b64-8923cf000000
Time:2024-04-08T03:24:28.5008064Z</Message>
    <AuthenticationErrorDetail>Audience validation failed. Audience did not match.</AuthenticationErrorDetail>
</Error>

1 answer

  1. Aki Nishikawa 485 Reputation points Microsoft Employee
    2024-04-15T06:38:43.72+00:00

    I'm not sure why you'd like to use get-authorization-context policy, but how about using APIM's managed identity to authenticate against Blob storage?

    [Steps]

    1. Enable managed identity of your APIM instance. System assigned managed identity is simpler, but user assigned managed identity also works.
    2. Assign Blob storage owner role to APIM's managed identity.
    3. Use authentication-managed-identity and set-header policies to add authorization header in order to call Blob storage REST APIs.

    Azure API Management policy reference - authentication-managed-identity | Microsoft Learn

    <policies>
        <inbound>
            <base />
            <authentication-managed-identity resource="https://storage.azure.com/"
                                                output-token-variable-name="msi-access-token"
                                                ignore-error="false" />
            <set-header name="Authorization"
                        exists-action="override">
                <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
            </set-header>
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>
    

    After that, you should be able to manipulate blob contents using APIs exposed at APIM. If authentication at APIM is required, you should configure authentication.

    Protect API in API Management using OAuth 2.0 and Microsoft Entra ID - Azure API Management | Microsoft Learn
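The "Audience validation failed" error in the question and the `resource="https://storage.azure.com/"` attribute in the answer's policy both come down to one claim in the bearer token: `aud`. The following is an added diagnostic example, not code from the question, the answer, or Microsoft, that decodes the payload of a token (signature deliberately not verified, so it only reports what the token claims about itself) and checks whether the audience is the Storage resource. The `make_demo_token` helper builds unsigned, constructed tokens purely so the check can be exercised offline; Entra ID never issues tokens shaped like that, and Storage would reject them.

```python
import base64
import json

# Resource the Azure Storage data plane expects in the token's "aud" claim
# (value taken from the www-authenticate header shown in the question).
STORAGE_RESOURCE = "https://storage.azure.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Diagnostic use only: this shows what the token says about itself, not
    whether it is genuine. The Storage service still validates the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_audiences(token: str) -> list[str]:
    """'aud' may be a string or a list of strings; normalise to a list."""
    aud = jwt_claims(token).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def audience_matches_storage(token: str) -> bool:
    """True when the token was issued for the Storage resource.

    The audience may appear with or without a trailing slash depending on
    how the resource was requested, so both spellings are accepted.
    """
    return any(a.rstrip("/") == STORAGE_RESOURCE for a in token_audiences(token))


def make_demo_token(aud) -> str:
    """Build an UNSIGNED demo token (alg "none") for offline testing.

    Constructed test data only: placeholders stand in for tenant and client
    ids, and no real issuer would sign or accept such a token.
    """
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "aud": aud,
        "iss": "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0",
        "appid": "<client-id-placeholder>",
    }

    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    # Empty third segment: no signature.
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    # Token shaped like the one the question's policy produced: audience is
    # the app registration itself rather than the Storage resource.
    wrong = make_demo_token("api://<client-id-placeholder>")
    # Token shaped like the one authentication-managed-identity requests.
    right = make_demo_token(STORAGE_RESOURCE + "/")
    for label, tok in (("app-audience token", wrong), ("storage-audience token", right)):
        verdict = "would pass" if audience_matches_storage(tok) else "would be rejected"
        print(f"{label}: aud={token_audiences(tok)} -> {verdict} by Storage")
```

In practice you would paste the `Authorization` header value captured from the APIM trace (the `ocp-apim-trace-location` in the question points at such a trace) into `audience_matches_storage`; a `False` result means the token was minted for the wrong resource, which is exactly what the `AuthenticationErrorDetail` in the question reports.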