Lily-9563 asked MughundhanRaveendran-MSFT answered

Can managed identities be used in inbound policy in APIM ?

Hi, our team is using following oauth way to authenticate API consumers.
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

Since it needs key rotation manually or automatically for consumers, not sure if managed identities way can replace oauth in this scenario.
This is what we reference so far.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Need your advice, thank you.

azure-api-management

1 Answer

MughundhanRaveendran-MSFT answered

@Lily-9563 ,

Thanks for reaching out to Q&A.

Managed identities can be used to replace OAuth; however, key rotation would still be applicable. Key rotation becomes an overhead if you have to do it manually, as it requires modifying the code; however, managed identity makes it simple as it handles key rotation automatically.

I hope you are aware of user-assigned and system-assigned managed identities. When a managed identity for any Azure resource is created, it is termed the system-assigned managed identity. Once the system-assigned managed identity for a resource is created in AAD, a service principal with the same name as the Azure resource gets created. Each service principal has its own client secret, using which AAD authenticates and validates that it's a service principal known to itself. Azure automatically rotates the identity by updating this client secret in the backend, and saves the application admin from creating a new secret every time it expires.

If you are looking to avoid key rotation, then unfortunately it cannot be avoided. However, it can be done automatically using managed identity, and the authentication-managed-identity policy can be used to authenticate with a backend service using the managed identity:

https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#ManagedIdentity

I hope this helps!

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

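For reference, below is an added example of what the authentication-managed-identity policy looks like in an APIM inbound section. It is not code from the original question or answer, and it is not Microsoft's sample. The placeholders in braces ({tenant-id}, {api-audience}, {backend-app-id-uri}) and the variable name msi-access-token are assumptions to be replaced with your own values. The policy shows both hops: the validate-jwt check from the linked article, which verifies the token the API consumer presents, and the managed-identity step, in which APIM obtains a token for the backend using its own identity (so no client secret for APIM is stored in the policy, and Azure rotates that identity's credential).

```xml
<!-- Added example policy, not from the original post.
     Placeholders in {braces} are assumptions: fill in your tenant ID,
     the audience value your API's app registration expects, and the
     App ID URI of the backend app registration. -->
<policies>
    <inbound>
        <base />
        <!-- Hop 1: the API consumer must present a valid AAD token for this API.
             Tokens are validated against the tenant's signing keys; no shared
             secret is stored in APIM for this check. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>{api-audience}</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Hop 2: APIM acquires a token for the backend with its own managed identity.
             ignore-error="false" makes a failed token acquisition fail the request
             rather than forwarding it without credentials. -->
        <authentication-managed-identity resource="{backend-app-id-uri}"
                                         output-token-variable-name="msi-access-token"
                                         ignore-error="false" />
        <!-- Do not forward the caller's token to the backend; replace it with the
             managed-identity token so the backend only trusts APIM's identity. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two prerequisites for the managed-identity hop to work: the APIM instance must have a managed identity enabled (for a user-assigned identity, add the client-id attribute to authentication-managed-identity), and that identity must be granted access to the backend app registration, otherwise the token request is rejected and, with ignore-error="false", the call fails at the policy rather than reaching the backend.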