Azure APIM APIOps

Question

Azure APIM APIOps

David Athukuni 0

Hello,

I am trying to run the APIOps toolkit with Azure DevOps by following this doc :

We are just a beginner to this tool, so while running the run-extractor.yml file we are facing the below 2 errors. Kindly help us to fix this so that we can proceed further.

Authenticaltion error.
JWT token error

Env variables set for extractor are as below,

AZURE_SUBSCRIPTION_ID = "dev"

AZURE_RESOURCE_GROUP_NAME = "rg-dev"

API_MANAGEMENT_SERVICE_NAME = "apim"

API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH = "$(Build.ArtifactsStagingDirectory)\extracted

CLIENT_ID = "app id"

CLIENT_SECRET = "value"

image (1)

Thanks,

David

Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-06-26T11:35:44.56+00:00
Hi David Athukuni

From your first screenshot, I have seen the below error:

Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token... ManagedIdentityCredential authentication unavailable... EnvironmentCredential authentication unavailable. Environment variables not fully conf

It seems you need set all the required environment variables to enable EnvironmentCredential.

You must set:

AZURE_TENANT_ID = "<Your Tenant ID>" REQUIRED AZURE_CLIENT_ID = "<Your App Registration ID>" This is your CLIENT_ID AZURE_CLIENT_SECRET = "<Secret>" This is your CLIENT_SECRET

From your second screenshot, I have seen the below error:

IDX12741: JWT is not well formed. There are no dots (.)...

This error occurs when the CLIENT_SECRET value or token being passed is invalid.

Ensure your CLIENT_SECRET is not accidentally URL-encoded, double-quoted, or copied incorrectly.

It should look something like: ~YwQ8OaBm... (a long random string), not just “value” or a fake token.

Hope this helps!

Please Let me know if you have any queries.
jhansi nallamothu 0 Reputation points

2025-06-26T12:21:25.15+00:00

Hi Durga,

We have added client id, client secret and tenant id in extractor.yaml file but still getting the error as below.

Thanks & Regards

Jhansi Lakshmi
jhansi nallamothu 0 Reputation points

2025-06-27T12:02:28.2766667+00:00

Hi Durga,

Thank you for your quick response.

I have extracted All API's using above environment variables, but I need to extract only selected APIs.

Thanks & Regards

Jhansi Nallamothu

Durga Reshma Malthi 6,205 Microsoft External Staff Moderator

Hi jhansi nallamothu

You can try this:

version: "1.0"
apimServiceName: apim
AZURE_RESOURCE_GROUP_NAME: rg-dev
AZURE_SUBSCRIPTION_ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: $(Build.ArtifactsStagingDirectory)/extracted
AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
AZURE_TENANT_ID: $(AZURE_TENANT_ID)
multipleAPIs: true
apiNames:
  - customer-api
  - orders-api

This allows you to list the specific APIs.

Hope this helps!

Please Let me know if you have any queries.

jhansi nallamothu 0 Reputation points

2025-06-30T07:37:17.4433333+00:00

Hi Durga,

We tried the above values in extractor.yaml and given apiNames as env variable.

but still all the api's are getting extracted as in artifacts. we need only selected API's

Durga Reshma Malthi 6,205 Microsoft External Staff Moderator

Hi jhansi nallamothu

Could you please try this

version: "1.0"
apimServiceName: "apim"
resourceGroup: "rg-dev"
subscriptionId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
outputFolder: "$(Build.ArtifactsStagingDirectory)/extracted"
multipleAPIs: true
apiNames:
  - customer-api
  - orders-api

Keep your AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID in the Azure DevOps pipeline environment, not in the YAML file. The extractor will pick them up from the environment via DefaultAzureCredential.

Alternatively try this, if the above not worked,

version: "1.0"
apimServiceName: apim
AZURE_RESOURCE_GROUP_NAME: rg-dev
AZURE_SUBSCRIPTION_ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: $(Build.ArtifactsStagingDirectory)/extracted
AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
AZURE_TENANT_ID: $(AZURE_TENANT_ID)
multipleAPIs: true
apisToExtract:
  - apiName: customer-api
  - apiName: orders-api

Hope this helps!

Please Let me know if you have any queries.

jhansi nallamothu 0 Reputation points

2025-06-30T13:04:54.8466667+00:00

Hi Durga,

We tried both ways still not getting selected api's.

Thanks & Regards

Jhansi Nallamothu
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-06-30T14:00:23.4466667+00:00
Hi jhansi nallamothu

Ensure the file is not named extractor.yaml if you're using the default run-extractor.yml, which might override it. Use a custom name like custom-extractor.yaml.

And this file is passed via --configuration-yaml-path or CONFIGURATION_YAML_PATH in your pipeline.

Ensure you are using correct extractor Version - APIOps v6.0.1.7 - https://github.com/Azure/apiops/releases/tag/v6.0.1.7

Try this as well:

version: "1.0" apimServiceName: apim resourceGroup: rg-dev subscriptionId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx outputFolder: "$(Build.ArtifactsStagingDirectory)/extracted" multipleAPIs: true apisToExtract: - apiName: customer-api - apiName: orders-api

Hope this helps!

Please Let me know if you have any queries.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
jhansi nallamothu 0 Reputation points

2025-07-01T06:17:29.3533333+00:00

Hi Durga,

We have renamed the extractor.yaml file and the file passed via confinguration yaml path still unable to extract selected api's.

Thanks & Regards

Jhansi Nallamothu

Durga Reshma Malthi 6,205 Microsoft External Staff Moderator

Hi jhansi nallamothu

As per your screenshot, you're using this format:

API_MANAGEMENT_SERVICE_NAME: ...
AZURE_RESOURCE_GROUP_NAME: ...
AZURE_SUBSCRIPTION_ID: ...
API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: ...

But the extractor (v6.x) expects these field names instead, could you please change it as below format:

version: "1.0"
apimServiceName: apim
resourceGroup: rg-dev
subscriptionId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
outputFolder: $(outputFolder) # or $(Build.ArtifactsStagingDirectory)/extracted
multipleAPIs: true
apisToExtract:
  - apiName: customer-api
  - apiName: orders-api

Hope this helps!

Please Let me know if you have any queries.

jhansi nallamothu 0 Reputation points

2025-07-01T09:20:38.0333333+00:00

Hi Durga,

I have changed the format of custom-extractor.yaml but still unable to extract selected api's.

I have used API name as exact name of api not a display name.

Thanks & Regards

Jhansi Nallamothu
jhansi nallamothu 0 Reputation points

2025-07-02T07:32:13.1666667+00:00

Hi Durga,

We tried embedding the piece of code which you have given and also changed the custom-extractor.yaml file but still it is taking all api's not sure what we are missing.

Thanks & Regards

Jhansi Nallamothu
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-07-02T09:13:40.6933333+00:00
Hi jhansi nallamothu

Even though you're passing --config, the extractor might still be defaulting to extractor.yaml if the --config flag is not being interpreted correctly.

In your AzurePowerShell@5 step, add this just before the extractor runs:

Write-Host "Reading config file content:" Get-Content $config

In older versions of the APIOps toolkit where apiNames was silently ignored unless other filters (like productNames, loggerNames, etc.) were also present - https://github.com/Azure/apiops/issues/317

Try this workaround in your custom-extractor.yaml:

version: "1.0" apimServiceName: "apim" resourceGroup: "rg-dev" subscriptionId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" outputFolder: "$(Build.ArtifactsStagingDirectory)/extracted" multipleAPIs: true apiNames: - customer-api - orders-api productNames: [] loggerNames: [] namedValueNames: [] policyFragmentNames: []

Alternatively, try this:

version: "1.0" apimServiceName: my-uatapim-service resourceGroup: uatapim-service subscriptionId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx outputFolder: $(outputFolder) multipleAPIs: true apisToExtract: - apiName: dcb - apiName: abha-service

Ensure you’re using v6.0.1.7 or newer.

If all else fails, bypass the config file entirely and run:

& $extractor extract ` --apimServiceName "apim" ` --resourceGroup "rg-dev" ` --subscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" ` --outputFolder "$(Build.ArtifactsStagingDirectory)/extracted" ` --apiName "customer-api"

This is the most direct way to test if the extractor respects filtering.

Hope this helps!

Please Let me know if you have any queries.
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-07-04T08:23:50.0333333+00:00

Hi jhansi nallamothu / David Athukuni

If you are still facing this issue, please raise a support request in Azure Portal.

Alternatively, you can report a problem in Developer community - https://developercommunity.visualstudio.com/AzureDevOps
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-07-07T09:09:51.73+00:00

Hi jhansi nallamothu / David Athukuni

If you are still facing this issue, please raise a support request in Azure Portal.

Alternatively, you can report a problem in Developer community - https://developercommunity.visualstudio.com/AzureDevOps

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.

1 answer

Your answer

Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-06-26T11:35:44.56+00:00

Hi David Athukuni

From your first screenshot, I have seen the below error:

Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token... ManagedIdentityCredential authentication unavailable... EnvironmentCredential authentication unavailable. Environment variables not fully conf

It seems you need set all the required environment variables to enable EnvironmentCredential.

You must set:

AZURE_TENANT_ID = "<Your Tenant ID>" REQUIRED AZURE_CLIENT_ID = "<Your App Registration ID>" This is your CLIENT_ID AZURE_CLIENT_SECRET = "<Secret>" This is your CLIENT_SECRET

From your second screenshot, I have seen the below error:

IDX12741: JWT is not well formed. There are no dots (.)...

This error occurs when the CLIENT_SECRET value or token being passed is invalid.

Ensure your CLIENT_SECRET is not accidentally URL-encoded, double-quoted, or copied incorrectly.

It should look something like: ~YwQ8OaBm... (a long random string), not just “value” or a fake token.

Hope this helps!

Please Let me know if you have any queries.
jhansi nallamothu 0 Reputation points

2025-06-26T12:21:25.15+00:00

Hi Durga,

We have added client id, client secret and tenant id in extractor.yaml file but still getting the error as below.

Thanks & Regards

Jhansi Lakshmi
jhansi nallamothu 0 Reputation points

2025-06-27T12:02:28.2766667+00:00

Hi Durga,

Thank you for your quick response.

I have extracted All API's using above environment variables, but I need to extract only selected APIs.

Thanks & Regards

Jhansi Nallamothu
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-06-27T13:13:00.1333333+00:00

Hi jhansi nallamothu

You can try this:

version: "1.0" apimServiceName: apim AZURE_RESOURCE_GROUP_NAME: rg-dev AZURE_SUBSCRIPTION_ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: $(Build.ArtifactsStagingDirectory)/extracted AZURE_CLIENT_ID: $(AZURE_CLIENT_ID) AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET) AZURE_TENANT_ID: $(AZURE_TENANT_ID) multipleAPIs: true apiNames: - customer-api - orders-api

This allows you to list the specific APIs.

Hope this helps!

Please Let me know if you have any queries.
jhansi nallamothu 0 Reputation points

2025-06-30T07:37:17.4433333+00:00

Hi Durga,

We tried the above values in extractor.yaml and given apiNames as env variable.

but still all the api's are getting extracted as in artifacts. we need only selected API's
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-06-30T10:04:07.8133333+00:00

Hi jhansi nallamothu

Could you please try this

version: "1.0" apimServiceName: "apim" resourceGroup: "rg-dev" subscriptionId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" outputFolder: "$(Build.ArtifactsStagingDirectory)/extracted" multipleAPIs: true apiNames: - customer-api - orders-api

Keep your AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID in the Azure DevOps pipeline environment, not in the YAML file. The extractor will pick them up from the environment via DefaultAzureCredential.

Alternatively try this, if the above not worked,

version: "1.0" apimServiceName: apim AZURE_RESOURCE_GROUP_NAME: rg-dev AZURE_SUBSCRIPTION_ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: $(Build.ArtifactsStagingDirectory)/extracted AZURE_CLIENT_ID: $(AZURE_CLIENT_ID) AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET) AZURE_TENANT_ID: $(AZURE_TENANT_ID) multipleAPIs: true apisToExtract: - apiName: customer-api - apiName: orders-api

Hope this helps!

Please Let me know if you have any queries.
jhansi nallamothu 0 Reputation points

2025-06-30T13:04:54.8466667+00:00

Hi Durga,

We tried both ways still not getting selected api's.

Thanks & Regards

Jhansi Nallamothu
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-06-30T14:00:23.4466667+00:00

Hi jhansi nallamothu

Ensure the file is not named extractor.yaml if you're using the default run-extractor.yml, which might override it. Use a custom name like custom-extractor.yaml.

And this file is passed via --configuration-yaml-path or CONFIGURATION_YAML_PATH in your pipeline.

Ensure you are using correct extractor Version - APIOps v6.0.1.7 - https://github.com/Azure/apiops/releases/tag/v6.0.1.7

Try this as well:

version: "1.0" apimServiceName: apim resourceGroup: rg-dev subscriptionId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx outputFolder: "$(Build.ArtifactsStagingDirectory)/extracted" multipleAPIs: true apisToExtract: - apiName: customer-api - apiName: orders-api

Hope this helps!

Please Let me know if you have any queries.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
jhansi nallamothu 0 Reputation points

2025-07-01T06:17:29.3533333+00:00

Hi Durga,

We have renamed the extractor.yaml file and the file passed via confinguration yaml path still unable to extract selected api's.

Thanks & Regards

Jhansi Nallamothu
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-07-01T08:39:19.4833333+00:00

Hi jhansi nallamothu

As per your screenshot, you're using this format:

API_MANAGEMENT_SERVICE_NAME: ... AZURE_RESOURCE_GROUP_NAME: ... AZURE_SUBSCRIPTION_ID: ... API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: ...

But the extractor (v6.x) expects these field names instead, could you please change it as below format:

version: "1.0" apimServiceName: apim resourceGroup: rg-dev subscriptionId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx outputFolder: $(outputFolder) # or $(Build.ArtifactsStagingDirectory)/extracted multipleAPIs: true apisToExtract: - apiName: customer-api - apiName: orders-api

Hope this helps!

Please Let me know if you have any queries.
jhansi nallamothu 0 Reputation points

2025-07-01T09:20:38.0333333+00:00

Hi Durga,

I have changed the format of custom-extractor.yaml but still unable to extract selected api's.

I have used API name as exact name of api not a display name.

Thanks & Regards

Jhansi Nallamothu
jhansi nallamothu 0 Reputation points

2025-07-02T07:32:13.1666667+00:00

Hi Durga,

We tried embedding the piece of code which you have given and also changed the custom-extractor.yaml file but still it is taking all api's not sure what we are missing.

Thanks & Regards

Jhansi Nallamothu
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-07-02T09:13:40.6933333+00:00

Hi jhansi nallamothu

Even though you're passing --config, the extractor might still be defaulting to extractor.yaml if the --config flag is not being interpreted correctly.

In your AzurePowerShell@5 step, add this just before the extractor runs:

Write-Host "Reading config file content:" Get-Content $config

In older versions of the APIOps toolkit where apiNames was silently ignored unless other filters (like productNames, loggerNames, etc.) were also present - https://github.com/Azure/apiops/issues/317

Try this workaround in your custom-extractor.yaml:

version: "1.0" apimServiceName: "apim" resourceGroup: "rg-dev" subscriptionId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" outputFolder: "$(Build.ArtifactsStagingDirectory)/extracted" multipleAPIs: true apiNames: - customer-api - orders-api productNames: [] loggerNames: [] namedValueNames: [] policyFragmentNames: []

Alternatively, try this:

version: "1.0" apimServiceName: my-uatapim-service resourceGroup: uatapim-service subscriptionId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx outputFolder: $(outputFolder) multipleAPIs: true apisToExtract: - apiName: dcb - apiName: abha-service

Ensure you’re using v6.0.1.7 or newer.

If all else fails, bypass the config file entirely and run:

& $extractor extract ` --apimServiceName "apim" ` --resourceGroup "rg-dev" ` --subscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" ` --outputFolder "$(Build.ArtifactsStagingDirectory)/extracted" ` --apiName "customer-api"

This is the most direct way to test if the extractor respects filtering.

Hope this helps!

Please Let me know if you have any queries.
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-07-04T08:23:50.0333333+00:00

Hi jhansi nallamothu / David Athukuni

If you are still facing this issue, please raise a support request in Azure Portal.

Alternatively, you can report a problem in Developer community - https://developercommunity.visualstudio.com/AzureDevOps
Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-07-07T09:09:51.73+00:00

Hi jhansi nallamothu / David Athukuni

If you are still facing this issue, please raise a support request in Azure Portal.

Alternatively, you can report a problem in Developer community - https://developercommunity.visualstudio.com/AzureDevOps

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.

Answer 1

Hi jhansi nallamothu

The extractor.yaml does not automatically apply those secrets to the environment, the APIOps tool does not load credentials from extractor.yaml directly for authentication.

Instead, it uses Azure SDK's DefaultAzureCredential, which pulls values from environment variables, not from extractor.yaml.

Add a step in your Azure DevOps pipeline before the extractor runs to export these variables:

variables:
  AZURE_SUBSCRIPTION_ID: 'xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
  AZURE_RESOURCE_GROUP_NAME: 'rg-dev'
  API_MANAGEMENT_SERVICE_NAME: 'apim'
  API_MANAGEMENT_SERVICE_OUTPUT_FOLDER_PATH: '$(Build.ArtifactsStagingDirectory)/extracted'
  # Azure credentials - must be exact variable names for DefaultAzureCredential to work
  AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
  AZURE_CLIENT_SECRET: $(AZURE_CLIENT_SECRET)
  AZURE_TENANT_ID: $(AZURE_TENANT_ID)

Then in Azure DevOps UI, Go to Pipelines -> Library -> Create a Variable Group -> Add variables -> AZURE_CLIENT_ID, AZURE_CLIENT_SECRET (mark as secret) and AZURE_TENANT_ID

then link this group in your pipeline with:

variables:
  - group: <variable group name>

Hope this helps!

Please Let me know if you have any queries.

Durga Reshma Malthi 6,205 Reputation points Microsoft External Staff Moderator

2025-07-08T08:37:54.5+00:00

Hi jhansi nallamothu / David Athukuni

If you are still facing this issue, please raise a support request in Azure Portal.

Alternatively, you can report a problem in Developer community - https://developercommunity.visualstudio.com/AzureDevOps

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.

Share via

Azure APIM APIOps

1 answer

Your answer