Create Azure APIM Self Hosted Gateway in docker using Azure AD Authentication

Scenario overview

The self-hosted gateway configuration API can check Azure RBAC to determine who has permissions to read the gateway configuration. After you create an Azure AD app with those permissions, the self-hosted gateway can authenticate to the API Management instance using the app.

To enable Azure AD authentication, complete the following steps:

1. Create two custom roles to:
   • Let the configuration API get access to customer's RBAC information
   • Grant permissions to read self-hosted gateway configuration
2. Grant RBAC access to the API Management instance's managed identity
3. Create an Azure AD app and grant it access to read the gateway configuration
4. Deploy the gateway with new configuration options

Prerequisites

• An API Management instance in the Developer or Premium service tier. If needed, complete the following quickstart: Create an Azure API Management instance.
• Provision a gateway resource on the instance.
• Enable a system-assigned managed identity on the instance.
• Self-hosted gateway container image version 2.2 or later

Limitations notes

• Only system-assigned managed identity is supported.

Create custom roles

Create the following two custom roles that are assigned in later steps. You can use the permissions listed in the following JSON templates to create the custom roles using the Azure portal, Azure CLI, Azure PowerShell, or other Azure tools.

When configuring the custom roles, update the AssignableScopes property with appropriate scope values for your directory, such as a subscription in which your API Management instance is deployed.

API Management Configuration API Access Validator Service Role

JSON

{
  "Description": "Can access RBAC permissions on the API Management resource to authorize requests in Configuration API.",
  "IsCustom": true,
  "Name": "API Management Configuration API Access Validator Service Role",
  "Permissions": [
    {
      "Actions": [
        "Microsoft.Authorization/denyAssignments/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": []
    }
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionID}"
  ]
}

API Management Gateway Configuration Reader Role

JSON

{
  "Description": "Can read self-hosted gateway configuration from Configuration API",
  "IsCustom": true,
  "Name": "API Management Gateway Configuration Reader Role",
  "Permissions": [
    {
      "Actions": [],
      "NotActions": [],
      "DataActions": [
        "Microsoft.ApiManagement/service/gateways/getConfiguration/action"
      ],
      "NotDataActions": []
    }
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionID}"
  ]
}

Add role assignments

Assign API Management Configuration API Access Validator Service Role

Assign the API Management Configuration API Access Validator Service Role to the managed identity of the API Management instance. For detailed steps to assign a role, see Assign Azure roles using the portal.

• Scope: The resource group or subscription in which the API Management instance is deployed
• Role: API Management Configuration API Access Validator Service Role
• Assign access to: Managed identity of API Management instance

Assign API Management Gateway Configuration Reader Role

Step 1: Register Azure AD app

Create a new Azure AD app. For steps, see Create an Azure Active Directory application and service principal that can access resources. This app will be used by the self-hosted gateway to authenticate to the API Management instance.

• Generate a client secret
• Take note of the following application values for use in the next section when deploying the self-hosted gateway: application (client) ID, directory (tenant) ID, and client secret

Step 2: Assign API Management Gateway Configuration Reader Service Role

Assign the API Management Gateway Configuration Reader Service Role to the app.

• Scope: The API Management instance (or resource group or subscription in which it's deployed)
• Role: API Management Gateway Configuration Reader Role
• Assign access to: Azure AD app

Deploy the self-hosted gateway

Deploy the self-hosted gateway to docker, using below env.conf file

 config.service.endpoint=<apimname>.configuration.azure-api.net

config.service.auth=azureAdApp

config.service.auth.azureAd.tenantId=<your tenand id>

config.service.auth.azureAd.clientId=<client id>

config.service.auth.azureAd.clientSecret=<client secret>

gateway.name=<gatewayname>

runtime.deployment.artifact.source=Azure Portal

runtime.deployment.mechanism=Docker

Check gateway working. On apim gateway, you should be able to see the number of instances connected. In my case 2 instances connected through self hosted gateway in docker.