Azure APIM APIOps

Question

Azure APIM APIOps

David Athukuni 0

Hello,

I am trying to run the APIOps toolkit with Azure DevOps by following this doc :

We are just a beginner to this tool, so while running the run-extractor.yml file we are facing the below 2 errors. Kindly help us to fix this so that we can proceed further.

Authenticaltion error.
JWT token error

Env variables set for extractor are as below,

AZURE_SUBSCRIPTION_ID = "dev"

AZURE_RESOURCE_GROUP_NAME = "rg-dev"

API_MANAGEMENT_SERVICE_NAME = "apim"

API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH = "$(Build.ArtifactsStagingDirectory)\extracted

CLIENT_ID = "app id"

CLIENT_SECRET = "value"

image (1)

Thanks,

David

Durga Reshma Malthi 4,430 Reputation points Microsoft External Staff Moderator

2025-06-26T11:35:44.56+00:00
Hi David Athukuni

From your first screenshot, I have seen the below error:

Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token... ManagedIdentityCredential authentication unavailable... EnvironmentCredential authentication unavailable. Environment variables not fully conf

It seems you need set all the required environment variables to enable EnvironmentCredential.

You must set:

AZURE_TENANT_ID = "<Your Tenant ID>" REQUIRED AZURE_CLIENT_ID = "<Your App Registration ID>" This is your CLIENT_ID AZURE_CLIENT_SECRET = "<Secret>" This is your CLIENT_SECRET

From your second screenshot, I have seen the below error:

IDX12741: JWT is not well formed. There are no dots (.)...

This error occurs when the CLIENT_SECRET value or token being passed is invalid.

Ensure your CLIENT_SECRET is not accidentally URL-encoded, double-quoted, or copied incorrectly.

It should look something like: ~YwQ8OaBm... (a long random string), not just “value” or a fake token.

Hope this helps!

Please Let me know if you have any queries.
jhansi nallamothu 0 Reputation points

2025-06-26T12:21:25.15+00:00

Hi Durga,

We have added client id, client secret and tenant id in extractor.yaml file but still getting the error as below.

Thanks & Regards

Jhansi Lakshmi
Durga Reshma Malthi 4,430 Reputation points Microsoft External Staff Moderator

2025-06-26T13:07:14.5333333+00:00
Hi jhansi nallamothu

The extractor.yaml does not automatically apply those secrets to the environment, the APIOps tool does not load credentials from extractor.yaml directly for authentication.

Instead, it uses Azure SDK's DefaultAzureCredential, which pulls values from environment variables, not from extractor.yaml.

Add a step in your Azure DevOps pipeline before the extractor runs to export these variables:

variables: AZURE_SUBSCRIPTION_ID: 'xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' AZURE_RESOURCE_GROUP_NAME: 'rg-dev' API_MANAGEMENT_SERVICE_NAME: 'apim' API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: '$(Build.ArtifactsStagingDirectory)/extracted' # Azure credentials - must be exact variable names for DefaultAzureCredential to work AZURE_CLIENT_ID: $(AZURE_CLIENT_ID) AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET) AZURE_TENANT_ID: $(AZURE_TENANT_ID)

Then in Azure DevOps UI, Go to Pipelines -> Library -> Create a Variable Group -> Add variables -> AZURE_CLIENT_ID, AZURE_CLIENT_SECRET (mark as secret) and AZURE_TENANT_ID

then link this group in your pipeline with:

variables: - group: <variable group name>

Hope this helps!

Please Let me know if you have any queries.
jhansi nallamothu 0 Reputation points

2025-06-27T12:02:28.2766667+00:00

Hi Durga,

Thank you for your quick response.

I have extracted All API's using above environment variables, but I need to extract only selected APIs.

Thanks & Regards

Jhansi Nallamothu

Durga Reshma Malthi 4,430 Microsoft External Staff Moderator

Hi jhansi nallamothu

You can try this:

version: "1.0"
apimServiceName: apim
AZURE_RESOURCE_GROUP_NAME: rg-dev
AZURE_SUBSCRIPTION_ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: $(Build.ArtifactsStagingDirectory)/extracted
AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
AZURE_TENANT_ID: $(AZURE_TENANT_ID)
multipleAPIs: true
apiNames:
  - customer-api
  - orders-api

This allows you to list the specific APIs.

Hope this helps!

Please Let me know if you have any queries.

Your answer

Durga Reshma Malthi 4,430 Reputation points Microsoft External Staff Moderator

2025-06-26T11:35:44.56+00:00

Hi David Athukuni

From your first screenshot, I have seen the below error:

Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token... ManagedIdentityCredential authentication unavailable... EnvironmentCredential authentication unavailable. Environment variables not fully conf

It seems you need set all the required environment variables to enable EnvironmentCredential.

You must set:

AZURE_TENANT_ID = "<Your Tenant ID>" REQUIRED AZURE_CLIENT_ID = "<Your App Registration ID>" This is your CLIENT_ID AZURE_CLIENT_SECRET = "<Secret>" This is your CLIENT_SECRET

From your second screenshot, I have seen the below error:

IDX12741: JWT is not well formed. There are no dots (.)...

This error occurs when the CLIENT_SECRET value or token being passed is invalid.

Ensure your CLIENT_SECRET is not accidentally URL-encoded, double-quoted, or copied incorrectly.

It should look something like: ~YwQ8OaBm... (a long random string), not just “value” or a fake token.

Hope this helps!

Please Let me know if you have any queries.
jhansi nallamothu 0 Reputation points

2025-06-26T12:21:25.15+00:00

Hi Durga,

We have added client id, client secret and tenant id in extractor.yaml file but still getting the error as below.

Thanks & Regards

Jhansi Lakshmi
Durga Reshma Malthi 4,430 Reputation points Microsoft External Staff Moderator

2025-06-26T13:07:14.5333333+00:00

Hi jhansi nallamothu

The extractor.yaml does not automatically apply those secrets to the environment, the APIOps tool does not load credentials from extractor.yaml directly for authentication.

Instead, it uses Azure SDK's DefaultAzureCredential, which pulls values from environment variables, not from extractor.yaml.

Add a step in your Azure DevOps pipeline before the extractor runs to export these variables:

variables: AZURE_SUBSCRIPTION_ID: 'xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' AZURE_RESOURCE_GROUP_NAME: 'rg-dev' API_MANAGEMENT_SERVICE_NAME: 'apim' API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: '$(Build.ArtifactsStagingDirectory)/extracted' # Azure credentials - must be exact variable names for DefaultAzureCredential to work AZURE_CLIENT_ID: $(AZURE_CLIENT_ID) AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET) AZURE_TENANT_ID: $(AZURE_TENANT_ID)

Then in Azure DevOps UI, Go to Pipelines -> Library -> Create a Variable Group -> Add variables -> AZURE_CLIENT_ID, AZURE_CLIENT_SECRET (mark as secret) and AZURE_TENANT_ID

then link this group in your pipeline with:

variables: - group: <variable group name>

Hope this helps!

Please Let me know if you have any queries.
jhansi nallamothu 0 Reputation points

2025-06-27T12:02:28.2766667+00:00

Hi Durga,

Thank you for your quick response.

I have extracted All API's using above environment variables, but I need to extract only selected APIs.

Thanks & Regards

Jhansi Nallamothu
Durga Reshma Malthi 4,430 Reputation points Microsoft External Staff Moderator

2025-06-27T13:13:00.1333333+00:00

Hi jhansi nallamothu

You can try this:

version: "1.0" apimServiceName: apim AZURE_RESOURCE_GROUP_NAME: rg-dev AZURE_SUBSCRIPTION_ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: $(Build.ArtifactsStagingDirectory)/extracted AZURE_CLIENT_ID: $(AZURE_CLIENT_ID) AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET) AZURE_TENANT_ID: $(AZURE_TENANT_ID) multipleAPIs: true apiNames: - customer-api - orders-api

This allows you to list the specific APIs.

Hope this helps!

Please Let me know if you have any queries.

Share via

Azure APIM APIOps

Your answer