Scenario overview
The self-hosted gateway configuration API can check Azure RBAC to determine who has permissions to read the gateway configuration. After you create an Azure AD app with those permissions, the self-hosted gateway can authenticate to the API Management instance using the app.
To enable Azure AD authentication, complete the following steps:
- Create two custom roles to:
  - Let the configuration API read the customer's RBAC information
  - Grant permissions to read the self-hosted gateway configuration
- Grant RBAC access to the API Management instance's managed identity
- Create an Azure AD app and grant it access to read the gateway configuration
- Deploy the gateway with new configuration options
Prerequisites
- An API Management instance in the Developer or Premium service tier. If needed, complete the following quickstart: Create an Azure API Management instance.
- Provision a gateway resource on the instance.
- Enable a system-assigned managed identity on the instance.
- Self-hosted gateway container image version 2.2 or later
Limitations
- Only system-assigned managed identity is supported.
Create custom roles
Create the following two custom roles that are assigned in later steps. You can use the permissions listed in the following JSON templates to create the custom roles using the Azure portal, Azure CLI, Azure PowerShell, or other Azure tools.
When configuring the custom roles, update the AssignableScopes property with appropriate scope values for your directory, such as a subscription in which your API Management instance is deployed.
API Management Configuration API Access Validator Service Role
{
  "Description": "Can access RBAC permissions on the API Management resource to authorize requests in Configuration API.",
  "IsCustom": true,
  "Name": "API Management Configuration API Access Validator Service Role",
  "Permissions": [
    {
      "Actions": [
        "Microsoft.Authorization/denyAssignments/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": []
    }
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionID}"
  ]
}
API Management Gateway Configuration Reader Role
{
  "Description": "Can read self-hosted gateway configuration from Configuration API",
  "IsCustom": true,
  "Name": "API Management Gateway Configuration Reader Role",
  "Permissions": [
    {
      "Actions": [],
      "NotActions": [],
      "DataActions": [
        "Microsoft.ApiManagement/service/gateways/getConfiguration/action"
      ],
      "NotDataActions": []
    }
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionID}"
  ]
}
Add role assignments
Assign API Management Configuration API Access Validator Service Role
Assign the API Management Configuration API Access Validator Service Role to the managed identity of the API Management instance. For detailed steps to assign a role, see Assign Azure roles using the portal.
- Scope: The resource group or subscription in which the API Management instance is deployed
- Role: API Management Configuration API Access Validator Service Role
- Assign access to: Managed identity of API Management instance
Assign API Management Gateway Configuration Reader Role
Step 1: Register Azure AD app
Create a new Azure AD app. For steps, see Create an Azure Active Directory application and service principal that can access resources. This app will be used by the self-hosted gateway to authenticate to the API Management instance.
- Generate a client secret
- Take note of the following application values for use in the next section when deploying the self-hosted gateway: application (client) ID, directory (tenant) ID, and client secret. The secret value is shown only once, when it is created; store it in a secret store rather than in source control, and give it an expiry that matches your rotation schedule.
Step 2: Assign API Management Gateway Configuration Reader Role
Assign the API Management Gateway Configuration Reader Role to the app. Prefer the API Management instance itself as the scope; a resource group or subscription scope lets the app read the configuration of every gateway beneath it.
- Scope: The API Management instance (or resource group or subscription in which it's deployed)
- Role: API Management Gateway Configuration Reader Role
- Assign access to: Azure AD app
Deploy the self-hosted gateway
Deploy the self-hosted gateway to Docker, passing the following env.conf file to the container (for example with docker run --env-file env.conf). Because the file holds the client secret, keep it out of source control and restrict its file permissions.
config.service.endpoint=<apimname>.configuration.azure-api.net
config.service.auth=azureAdApp
config.service.auth.azureAd.tenantId=<tenant id>
config.service.auth.azureAd.clientId=<client id>
config.service.auth.azureAd.clientSecret=<client secret>
gateway.name=<gatewayname>
runtime.deployment.artifact.source=Azure Portal
runtime.deployment.mechanism=Docker
Verify that the gateway is working. In the Azure portal, the gateway resource shows the number of connected instances; in this walkthrough, two Docker instances connected through the self-hosted gateway. If the count stays at zero, recheck the two role assignments and the tenant, client ID and secret in env.conf.
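The whole procedure (both custom roles, the two role assignments, the app registration and the Docker deployment) as one Azure CLI script, added here as a worked example; it is not code from the original article or from Microsoft. It assumes az is already logged in to the tenant that owns the API Management instance, that the instance's system-assigned managed identity is enabled, that neither custom role exists yet, and that the resource group, instance and gateway names arrive in the RG, APIM and GATEWAY environment variables. The app display name prefix shgw- and the image tag 2.2.0 are assumptions. The role definitions are written in the flat shape that az role definition create accepts, rather than the ARM shape shown above.

```shell
#!/bin/sh
# Added example, not from the original article: the whole procedure as Azure CLI
# commands. Assumptions: 'az' is logged in to the tenant that holds the API
# Management instance, the instance already has its system-assigned managed
# identity enabled, neither custom role exists yet, and RG/APIM/GATEWAY are
# passed as environment variables. The role JSON is written in the flat shape
# that 'az role definition create' accepts; the article shows the ARM shape.
set -eu

# Resource ID of the API Management instance: the scope the article lists as the
# tightest choice for the Gateway Configuration Reader assignment.
apim_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ApiManagement/service/%s' \
    "$1" "$2" "$3"
}

# Flat-format custom role for 'az role definition create --role-definition'.
# Arguments: name, description, assignable scope, Actions (JSON array),
# DataActions (JSON array).
role_json() {
  printf '{"Name":"%s","Description":"%s","IsCustom":true,"Actions":%s,"NotActions":[],"DataActions":%s,"NotDataActions":[],"AssignableScopes":["%s"]}\n' \
    "$1" "$2" "$4" "$5" "$3"
}

# The gateway's env.conf. Arguments: APIM name, tenant ID, client ID, client
# secret, gateway name. The secret goes into the file only; it is never echoed
# to the terminal or placed on a command line where 'ps' or shell history could
# capture it.
render_env_conf() {
  cat <<EOF
config.service.endpoint=$1.configuration.azure-api.net
config.service.auth=azureAdApp
config.service.auth.azureAd.tenantId=$2
config.service.auth.azureAd.clientId=$3
config.service.auth.azureAd.clientSecret=$4
gateway.name=$5
runtime.deployment.artifact.source=Azure Portal
runtime.deployment.mechanism=Docker
EOF
}

main() {
  : "${RG:?resource group}" "${APIM:?API Management instance name}" "${GATEWAY:?gateway name}"
  sub=$(az account show --query id -o tsv)
  scope=$(apim_scope "$sub" "$RG" "$APIM")

  # 1. Custom roles, assignable only inside this subscription.
  role_json "API Management Configuration API Access Validator Service Role" \
    "Can access RBAC permissions on the API Management resource to authorize requests in Configuration API." \
    "/subscriptions/$sub" \
    '["Microsoft.Authorization/denyAssignments/read","Microsoft.Authorization/roleAssignments/read","Microsoft.Authorization/roleDefinitions/read"]' \
    '[]' > validator-role.json
  role_json "API Management Gateway Configuration Reader Role" \
    "Can read self-hosted gateway configuration from Configuration API" \
    "/subscriptions/$sub" '[]' \
    '["Microsoft.ApiManagement/service/gateways/getConfiguration/action"]' > reader-role.json
  az role definition create --role-definition @validator-role.json
  az role definition create --role-definition @reader-role.json

  # 2. Validator role -> the instance's system-assigned managed identity.
  mi_id=$(az apim show -g "$RG" -n "$APIM" --query identity.principalId -o tsv)
  az role assignment create --assignee-object-id "$mi_id" \
    --assignee-principal-type ServicePrincipal \
    --role "API Management Configuration API Access Validator Service Role" \
    --scope "$scope"

  # 3. App registration, service principal, secret and the Reader assignment at
  # instance scope in one call. The one-time secret is read from a 0600 temp
  # file (mktemp's default mode) and never printed.
  sp_out=$(mktemp)
  az ad sp create-for-rbac --name "shgw-$GATEWAY" \
    --role "API Management Gateway Configuration Reader Role" --scopes "$scope" \
    --query "[appId,tenant,password]" -o tsv > "$sp_out"
  read -r client_id tenant secret < "$sp_out"
  rm -f "$sp_out"

  # 4. env.conf readable only by its owner, then a version-pinned gateway image
  # (2.2.0 is an assumed tag; use the release you have qualified).
  (umask 077; render_env_conf "$APIM" "$tenant" "$client_id" "$secret" "$GATEWAY" > env.conf)
  docker run -d --name "$GATEWAY" -p 80:8080 -p 443:8081 --env-file env.conf \
    "mcr.microsoft.com/azure-api-management/gateway:${GATEWAY_IMAGE_TAG:-2.2.0}"
}

# Acts only when invoked as: RG=... APIM=... GATEWAY=... sh deploy.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as RG=my-rg APIM=my-apim GATEWAY=my-gateway sh deploy.sh apply. Azure RBAC assignments can take a few minutes to propagate, so a gateway that starts immediately after step 3 may log authorization failures until the Reader assignment is visible to the Configuration API; restart the container rather than widening the scope.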