1
votes

Currently I have been working on a project to implement a few APIs hosted on Azure and make them publicly available via the Azure API Management service. At the moment, the APIM service communicates with the Function App (API), and the Function App has its authorization level set to Function. So, any time there is a request to the APIM service, the request is forwarded to the Function App, and the code is injected so that the request is authorized. But at the moment we are managing policies in XML files, and consequently the authorization code is hard-coded in these files. So I was wondering if you have any suggestions for managing these codes dynamically, without hard-coding them in these files, since the files are saved in Azure DevOps repos... At the moment, we have a pipeline set up on Azure DevOps to manage policy changes, so any time there is a change, it uploads the new policy files to a Storage Account, and then we deploy an ARM template to configure the whole APIM service with the new policies.

Any ideas how to manage those codes without hard-coding them?

Thanks.


2 Answers

2
votes

See here on how to use named values in policies: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-properties. They're created specifically to abstract some common parameters and/or secrets away from policy code.

In addition, you could check how Function App import works in APIM right now. After import you have:

  1. An API for a Function App
  2. An operation for a selected Function in the Function App
  3. A backend entity - https://docs.microsoft.com/en-us/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-backend-entity - that points to your function app and references a named value with a key to a function
  4. A named value that holds the function key and is marked as a secret.

All that allows you to boil down the policy code to call the Function App to:

<set-backend-service backend-id="my-function-app" />

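A check that could run in the Azure DevOps pipeline before the policy files are uploaded, flagging function keys written as literals instead of `{{named-value}}` references. This is an added example, not code from the question or the answers; it assumes the policy files parse as XML and that the key travels in the `code` query parameter or the `x-functions-key` header, and the sample policies, host name and key are constructed.

```python
import re
import xml.etree.ElementTree as ET

# A value that is exactly one APIM named-value reference, e.g. {{my-function-key}}
NAMED_VALUE = re.compile(r"^\{\{[A-Za-z0-9._-]+\}\}$")
# A function key passed in a URL query string: ...?code=<value>
CODE_IN_URL = re.compile(r"[?&]code=([^&\s]+)", re.IGNORECASE)
# Policy elements that carry a function key in a child <value>
KEY_ELEMENTS = {("set-header", "x-functions-key"), ("set-query-parameter", "code")}

def is_literal(value):
    """True for a non-empty value that is neither {{named-value}} nor an @(...) expression."""
    value = (value or "").strip()
    return bool(value) and not NAMED_VALUE.match(value) and not value.startswith("@(")

def find_hardcoded_keys(policy_xml):
    """Return (element, detail) tuples for function keys written as literals."""
    findings = []
    for el in ET.fromstring(policy_xml).iter():
        name = (el.get("name") or "").lower()
        if (el.tag, name) in KEY_ELEMENTS:
            if any(is_literal(v.text) for v in el.findall("value")):
                findings.append((el.tag, f"literal value for '{name}'"))
        # Keys appended to a URL attribute such as base-url="...?code=..."
        for attr, text in el.attrib.items():
            match = CODE_IN_URL.search(text)
            if match and is_literal(match.group(1)):
                findings.append((el.tag, f"literal code= in '{attr}'"))
    return findings

# Constructed samples; the key and host name are placeholders.
HARDCODED = """<policies><inbound><base />
  <set-backend-service base-url="https://example-func.azurewebsites.net/api" />
  <set-query-parameter name="code" exists-action="override">
    <value>PLACEHOLDER-FUNCTION-KEY==</value>
  </set-query-parameter>
</inbound></policies>"""

NAMED = """<policies><inbound><base />
  <set-header name="x-functions-key" exists-action="override">
    <value>{{my-function-key}}</value>
  </set-header>
</inbound></policies>"""

if __name__ == "__main__":
    for label, doc in (("hardcoded", HARDCODED), ("named value", NAMED)):
        print(label, find_hardcoded_keys(doc))
```

A non-empty result can fail the pipeline stage, so a literal key never reaches the repository's deployed policies.
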
1
votes

After some research and analysis of the different options, I ended up using the listSecrets function, from the Functions resource, in the ARM template. So, I store the result (function key) of the function's call in a variable, and then I use that variable to compose the function's URL and associate it with the back-end service in the API Management API policies. More info about the listSecrets function in this link.

Thank you, Vitaliy, for the help.