Unable to post message to Azure Service Bus Queue from Azure API using Managed Identity

Sumit Bharti 41 Reputation points
2022-03-29T02:57:26.333+00:00

I am trying to test out the sample code by Azure, "Authenticate using Managed Identity to access Service Bus", and it's on GitHub:

Authenticate%20using%20Managed%20Identity%20to%20access%20Service%20Bus.xml

What I have done is in the steps below:

1. Created an Azure API Management Service. In this I added an API which has a POST method.
2. I also enabled a System Generated Managed Identity for this APIM.
3. I created a Service Bus and created a queue.
4. I added the managed identity to a role of "Azure Service Bus Data Sender" on the queue.
5. Last, I modified the code from Azure to have names from objects I created above and it looks like below:

187743-azure-error.jpg

On running a test on API I get error: "500 Internal Server Error". The message of course is not being sent. Any idea what I may be doing wrong here? Help appreciated.


Accepted answer
  1. MayankBargali-MSFT 70,441 Reputation points
    2022-03-29T05:01:32.063+00:00

    @Sumit Bharti Thanks for reaching out. It looks like the 500 error is coming from the backend service where your request URL is not correctly formed, and the backend request might be generated as below, which is resulting in 500 errors as the endpoint is incorrect.
    https://{servicebusname}.servicebus.windows.net/{topic/queue name}/messages?api-version=2015-01/{operationName}

    You can always refer to the service bus send message REST document and make sure you are using the POST method; if not, then you need to use <set-method>POST</set-method> in your policy. Further, you can always check OCP-APIM traces to debug your APIs.

    API management preserves the operation URL template while forwarding requests to the backend API. You can use rewrite-uri policy to control that behavior.

    Either you can remove the URL value from your operation as below and only use '/'; if it works for you, then the policy that you are using (GitHub example) will work.

    187630-image.png

    Alternatively, you need to leverage the rewrite-uri as below:

    <inbound>
        <base />
        <!-- Obtain a token for Service Bus using the APIM managed identity -->
        <authentication-managed-identity resource="https://servicebus.azure.net" output-token-variable-name="msi-access-token" ignore-error="false" />
        <set-header name="Authorization" exists-action="override">
            <value>@((string)context.Variables["msi-access-token"])</value>
        </set-header>
        <set-body>{
            "Body": "APIM sending request using AAD Token",
            "BrokerProperties":{"Trusted Service":"APIM"},
            "UserProperties":{"Priority":"Medium","Customer":"Contoso"}
        }</set-body>
        <!-- Point at the namespace only; rewrite-uri replaces the operation URL template -->
        <set-backend-service base-url="https://{servicebusname}.servicebus.windows.net" />
        <rewrite-uri template="/{topic/queue name}/messages?api-version=2015-01" />
    </inbound>
    

    In case you still observe issues, please let me know so I can initiate a private comment, and you can share the OCP APIM traces content only to my private comment so I can assist you further.

    For Community: You can refer to this document and follow two steps on how to leverage system identity:

    1. Enable system-assigned identity on the API Management instance. For instructions, see Use managed identities in Azure API Management.
    2. Add the identity to the Azure Service Bus Data Sender role on the Service Bus namespace.

    1 person found this answer helpful.
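
A check for the malformed backend URL described in the accepted answer, as an added example that is not part of the original thread or the Azure sample: given a backend URL (for example one copied from an APIM trace), it reports when the operation URL template has leaked into the path or the query string. The namespace `contoso-ns`, queue `orders`, operation `send` and the function name are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

SB_SUFFIX = ".servicebus.windows.net"


def check_send_url(url, namespace, entity):
    """Return a list of problems with a backend URL meant to send to a queue/topic.

    Expected shape (from the answer's policy):
    https://{namespace}.servicebus.windows.net/{entity}/messages?api-version=2015-01
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    expected_host = f"{namespace}{SB_SUFFIX}"
    if (parts.hostname or "").lower() != expected_host.lower():
        problems.append(f"host is not {expected_host}")
    expected_path = f"/{entity}/messages"
    if parts.path != expected_path:
        # Operation template preserved after the path, e.g. /orders/messages/send
        problems.append(f"path is {parts.path!r}, expected {expected_path!r}")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if "/" in value:
            # Operation template appended after the query string,
            # e.g. api-version=2015-01/send (the case in the answer)
            problems.append(f"query parameter {key!r} carries a path segment: {value!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample URLs, not taken from a real trace.
    samples = [
        "https://contoso-ns.servicebus.windows.net/orders/messages?api-version=2015-01",
        "https://contoso-ns.servicebus.windows.net/orders/messages?api-version=2015-01/send",
        "https://contoso-ns.servicebus.windows.net/orders/messages/send?api-version=2015-01",
    ]
    for sample in samples:
        print(sample, "->", check_send_url(sample, "contoso-ns", "orders") or "ok")
```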
