Basic authentication in API Management using Key Vault.

 

This post will provide an example of how to integrate Azure API ManagementKey Vault and Managed Identities to securely retrieve and use a secret within an API.



Enable Managed Identity

Before we jump into the policy itself, we first need to do some groundwork. As we are going to retrieve the secret from Key Vault, we will assign a managed identity to API Management, which we then give permission to get the secrets. First, enable managed identity on your API Management.




Assign permissions

Once enabled, the next step is to assign the required permissions to this new identity in Key Vault, which has the name of our resource. We do this in the Access policies blade, where we provide Get permissions for the secrets. Important to note, this does give the identity access to all the secrets in this Key Vault. As such, it is important to have a good Key Vault policy around separation of secrets.




Next Add access policy with the below of below screen shot.




Once done above steps we can see in access policy api management will added, refer below screen shot.





Next Generating secrets Value in azure key vault refer below screen shots.










Create policy

Now that we have everything in place, we are going to create the policy. In this scenario, we will send the secret as part of our basic authentication header. The endpoint we are using is on Request Bin, which allows us to easily inspect the call. Refer below screen shot.







Add below xml in policy.

 

<!--

    IMPORTANT:

    - Policy elements can appear only within the <inbound>, <outbound>, <backend> section elements.

    - To apply a policy to the incoming request (before it is forwarded to the backend service), place a corresponding policy element within the <inbound> section element.

    - To apply a policy to the outgoing response (before it is sent back to the caller), place a corresponding policy element within the <outbound> section element.

    - To add a policy, place the cursor at the desired insertion point and select a policy from the sidebar.

    - To remove a policy, delete the corresponding policy statement from the policy document.

    - Position the <base> element within a section element to inherit all policies from the corresponding section element in the enclosing scope.

    - Remove the <base> element to prevent inheriting policies from the corresponding section element in the enclosing scope.

    - Policies are applied in the order of their appearance, from the top down.

    - Comments within policy elements are not supported and may disappear. Place your comments between policy elements or at a higher level scope.

-->

<policies>

    <inbound>

        <choose>

            <when condition="@(!context.Request.Headers.ContainsKey("Authorization"))">

                <return-response>

                    <set-status code="401" reason="Unauthorized" />

                </return-response>

            </when>

        </choose>

        <!-- check the cache for secret first -->

        <cache-lookup-value key="@(context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().UserId)" variable-name="keyvaultsecretResponse" />

        <!-- call Key Vault if not found in cache -->

        <choose>

            <when condition="@(!context.Variables.ContainsKey("keyvaultsecretResponse"))">

                <send-request mode="new" response-variable-name="keyvaultsecret" timeout="20" ignore-error="false">

                    <set-url>@{

                 return "https://*******.vault.azure.net/secrets/" + context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().UserId + "/?api-version=7.0";

             }</set-url>

                    <set-method>GET</set-method>

                    <authentication-managed-identity resource="https://vault.azure.net" />

                </send-request>

                <!-- transform response to string and store in cache -->

                <set-variable name="keyvaultsecretResponse" value="@((string)((IResponse)context.Variables["keyvaultsecret"]).Body.As<JObject>()["value"])" />

                <cache-store-value key="@(context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().UserId)" value="@((string)context.Variables["keyvaultsecretResponse"])" duration="3600" />

            </when>

        </choose>

        <!--Check if password from the Authorization header matches the secret value from the Key Vault -->

        <choose>

            <when condition="@(context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().Password!= (string)context.Variables["keyvaultsecretResponse"])">

                <return-response>

                    <set-status code="401" reason="Not authorized" />

                </return-response>

            </when>

        </choose>

        <!--Delete the Authorization header, because it can cause problems at the backend-->

        <set-header name="Authorization" exists-action="delete" />

        <base />

    </inbound>

    <backend>

        <base />

    </backend>

    <outbound>

        <base />

    </outbound>

    <on-error>

        <base />

    </on-error>

</policies>

 

Reference Link:

 

https://aztoso.com/posts/apim-basic-auth-keyvault/

https://blog.eldert.net/retrieve-azure-key-vault-secrets-from-api-management-policies/

https://madeofstrings.com/2019/06/13/azure-api-management-key-vault-and-managed-identities/

https://vincentlauzon.com/2019/11/19/accessing-azure-key-vault-from-within-azure-api-management/



















Comments

Post a Comment

Popular posts from this blog

Create Data Package file to Import Or Export CRM records.

Image
  The Microsoft Dynamics CRM 2015 Software Development Kit (SDK) Migration tool is essential for exporting and importing configuration data. It is particularly useful for transferring metadata, customizations, and configurations between environments. Download Link: https://www.microsoft.com/en-in/download/details.aspx?id=44567 After downloading Microsoft Dynamics CRM 2015 Software Development Kit (SDK) unzip and Navigate to MicrosoftDynamicsCRM2015SDK\Tools\ConfigurationMigration. ·        To Open SDK tool MicrosoftDynamicsCRM2015SDK\Tools\ConfigurationMigration\ DataMigrationUtility.exe ·        First, we need to Create Schema. Select on Create Schema and click on continue. ·        It be asked to log in to your source CRM system, Select Display list of available organizations and give your username and passed and logging. ·        Please select your org...
Read more

Receive Incoming Message in Twilio using Power Automate

Image
  In this blog we will learn how to read when an incoming message received in Twilio using Power Automate. ·        Power Automate Flow creation. ·        Configuration power automate flow URL in Twilio.   Power Automate Flow creation. Open https://make.powerapps.com/   and create a new automated flow in Power Automate using the "When an HTTP request is received" trigger. To do this, search for "HTTP" and select the HTTP request trigger, as shown below. Give the required flow name and click on Create. Next add Compose compound and add below formal  to read input from above step. decodeUriComponent(string(triggerBody())) Next to read received message, from number and to number we need each initial variables in flow. From Number add below formal in value:  first(split(split(outputs('Compose'), 'From=')[1], '&')) To Number add below formal in value : first(split(split(ou...
Read more

Azure Function to Read Incoming Message in Twilio

Image
  Introduction In this tutorial, we will learn how to read incoming message in Twilio and respond to webhooks using Azure Functions. We will learn what is webhooks, how to set up an Azure Function, and then use Azure Function app to respond to a Twilio SMS webhook and create a record in dynamic 365 in case entity when new message received. Prerequisites: A Twilio account.  An Azure account with an active subscription. Dynamic365 subscription. What is webhook? Webhook is an HTTP request triggered by an event in a source system and sent to a destination system. To enable this, you provide the source system with a URL where it can send the HTTP request. A typical webhook setup involves the following: A destination system that needs to be notified about a specific event. A source system that sends a notification to the destination system when the event occurs. This system uses the provided webhook URL to make the HTTP request. In your a...
Read more

Open canvas app with Customize the command bar using command designer

Image
  This topic guides you through creating and editing modern commands using the command designer and Power Fx. Create a new model-driven app using modern app designer 1.      Sign into  Power Apps 2.      On the left navigation pane, select  Solutions  and then open or create a solution to contain the new model-driven app. 3.      Select  New  >  App  >  Model-driven app 4.      Select  Modern app designer , and then select  Create .    Enter a  Name  for your app, and then select  Create . More information:  Create a model-driven app that has an account table page 1.      On the left navigation pane, select  Solutions , and then open the solution containing the existing model-driven app. 2.      Select the model-driven app, and then select --  >  Edit ...
Read more

Execute CRUD operations within the Power Platform using a Canvas App

Image
  User story: When a new account is created, there is a requirement to execute a curd operation via Power Apps, involving updating an existing record and deleting the record from the accounts. If we want to few complete records in accounts entity on welcome screen: Navigate to vertical Gallery and select Items property should be Item=Accounts. To create a new record, one must click on the plus icon displayed on the screen and input the formula provided below, as illustrated in the following screen. This action will prompt a new screen to open for the creation of the new record.   Navigate ( CreateScreen ) ; ResetForm ( 'Account Create Form' ) After navigating to the creation screen, a new form will be displayed, and it is necessary to configure the data source to 'Account,' as shown in the screen below. And Items property = Defaults (Accounts) Next, upon clicking the submit button, we should save the data in the account entity and return to the main screen. ...
Read more