The manual way is described here: API Management REST API
We have very short-lived CA certificates we use to authenticate against our APIM policies. So we want to update these CA certificates automatically by code.
Is there really no solution? The REST API is described here. Azure API Management Documentation
If REST is not possible, is it possible with ARM templates to update or roll out the complete APIM with the custom CA included?
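As an added example (not part of the question or of any answer on this page), the automated route via the ARM REST API: a PATCH to the API Management service resource that rewrites its CA certificate store. The api-version, the shape of properties.certificates, and all placeholder names are assumptions.

```python
import base64
import json
import urllib.request

ARM = "https://management.azure.com"
# Assumption: this api-version exposes properties.certificates on the service resource.
API_VERSION = "2021-08-01"
STORES = ("CertificateAuthority", "Root")


def service_url(sub_id, rg, service):
    """ARM URL of the API Management service resource (names are caller-supplied placeholders)."""
    return (f"{ARM}/subscriptions/{sub_id}/resourceGroups/{rg}"
            f"/providers/Microsoft.ApiManagement/service/{service}"
            f"?api-version={API_VERSION}")


def ca_store_patch(certs):
    """PATCH body for the CA store. `certs` is a list of (pfx_bytes, password, store_name).

    The array replaces the whole store: every CA certificate that must stay
    trusted has to be listed here, or APIM drops it on this update.
    """
    entries = []
    for pfx_bytes, password, store_name in certs:
        if store_name not in STORES:
            raise ValueError(f"storeName must be one of {STORES}, got {store_name!r}")
        entries.append({
            "encodedCertificate": base64.b64encode(pfx_bytes).decode("ascii"),
            "certificatePassword": password,
            "storeName": store_name,
        })
    return {"properties": {"certificates": entries}}


def build_request(sub_id, rg, service, bearer_token, body):
    """Assemble the authenticated PATCH; nothing is sent here, so it is testable offline."""
    return urllib.request.Request(
        service_url(sub_id, rg, service),
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )


def update_ca_store(sub_id, rg, service, bearer_token, certs):
    """Send the update. ARM typically answers 202 and finishes asynchronously; poll the
    URL in the response's Location header before relying on the new CA for client-cert checks."""
    req = build_request(sub_id, rg, service, bearer_token, ca_store_patch(certs))
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status
```

The bearer token must carry write rights on the APIM resource (a managed identity or service principal with Contributor on it is the usual choice); the PFX password travels in the body, so send it only over the TLS connection to management.azure.com and never log the request body.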
I am starting with Azure Functions, in which I am creating an API function. After creating that function, I need to protect it.
Previously, I used the Microsoft.Identity.Platform to protect API resources, in which I created a registration in Azure AD for the API, exposed the scopes, and added the client apps to the list to provide access to the resources. Furthermore, it required confirmation of 'API permissions' in the client app's Azure AD registration.
So, is there anything similar I can do, and do you think it would be a good option, or are there other options to pick from?
I read about the function key, but I read it is good for development, not for production.
I read about the function key, but I read it is good for development, not for production.
As you can see in this MS Doc, Microsoft mentioned that authorization keys along with App Service Authentication are good for securing the HTTP endpoints at all stages, such as dev, testing and production environments, in Azure Functions.
Also, there are multiple ways to secure your function API, such as authorization keys, using APIM, or (Front Door + WAF) for restricting the incoming requests.
One of my workarounds, 72633969, shows how to secure Azure Functions in the context of restricting the function app from internet access and allowing access only from the APIM instance.
The steps I followed for the above solution in securing the Azure Function App APIs through APIM are:
Created an HTTP trigger function in the Function App.
Added the allowed IP addresses in the Access Restrictions of the Azure Function App portal menu > Networking tab.
Set the authorization level of the API to the "Function" level or a custom key-value level, which adds more security after adding it to the APIM instance.
Added/imported the function API in the APIM instance and checked from the allowed IP addresses and also from a non-allowed IP address (System).
And more information on securing APIs using an APIM instance is given in the above Microsoft documentation.
Authorization keys are a default security mechanism, which is better if the keys are not published in public applications or publicly shared.
For a better security mechanism, choose different options for the production environment. The other ways should be followed from the above-mentioned comment; also refer to MS Q&A Forum 801055, where the same was provided by the user #LohithGN.
I am trying to update APIM custom domains with new certificates from the KeyVault. But it fails with the message "Failed to update API management service hostnames" with some CorrelationID.
I tried to delete the domain from the custom domain list; still the same here. Has anyone faced a similar issue? Any leads will be helpful.
Failed to update API management service hostnames
This error usually occurs when you try to use an Azure Key Vault certificate to add a custom domain to your API Management service.
This is because the API Management service does not have permission to access the key vault for the custom domain you're trying to use.
You can refer to this MSFT documentation, where one of the workarounds for this type of error is given.
I fixed the issue.
So basically, I had two custom domains for which the certificates were expired. I was trying to update one of them with a new certificate, but it failed all the time.
So the solution is to delete all the custom domains that have expired certificates, save, and add the domains again with new certificates.
We are using the email invite flow to get our users created in our Azure B2C. Currently we are reviewing our management of secrets in code and config; coming out of this work, we are now using an Azure KeyVault.
Our ASP.Net website that previously had the cert loaded directly into the App Service is now referencing one in the key vault.
At the Azure B2C "Identity Experience Framework" end of the arrangement we have the "B2C_1A_IdTokenHintCert" policy key, and that was created when we uploaded the certificate into Azure B2C. This breaks the approach of centralising the management of our certificates with KeyVault.
Is there a way of using KeyVault for the Custom Policy configuration?
In your particular scenario, you can expose your own metadata endpoint for id token hint validation in your app. That is what the sample does by default:
https://github.com/azure-ad-b2c/id-token-builder
You might then look for a way to reference the cert via Key Vault instead of uploading the cert to the app service, e.g. reading the cert in your app via the Key Vault API.
https://learn.microsoft.com/en-us/rest/api/keyvault/#certificate-operations
Team,
I have recently migrated my Azure classic portal resources to a CSP subscription. I have successfully converted my Azure cloud service to an Azure App website in the CSP subscription. But there is one thing I am not able to connect: the third-party API. When we had the cloud service, we had a .pfx uploaded to Azure, and in the code we used to create a URI which consists of the certificate key + certificate secret key.
The certificate key is got directly from web.config. But the certificate secret key is got from EncryptedSettings.Appsettings("SecretKeyName").
This is basically got from the encrypted app setting done earlier as described in
https://eren.ws/2014/02/04/encrypting-the-web-config-file-of-an-azure-cloud-service/
But I am not sure what way we should implement this on an Azure website.
I have tried implementing the same, but unfortunately it seems the secret key retrieval technique for the cloud service is not the same as in the Azure Web App service.
When I debug the Azure website I can see that it gives the error:
Failed to decrypt using provider ‘CustomProvider’. Error message from the provider: Value cannot be null.
Parameter name: keyObject
Can anyone please guide me?
Rather than storing secrets in your config, you may wish instead to store them in Azure KeyVault (which also gives you secret management capabilities etc.) and then load the secrets at runtime.
KeyVault documentation:
https://learn.microsoft.com/en-us/azure/key-vault/
Specifically, how to use Key Vault with Azure websites:
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application
And these days, don't bother with manual authentication to use Key Vault; instead use "Managed Service Identity". Here's a tutorial:
https://azure.microsoft.com/en-gb/resources/samples/app-service-msi-keyvault-dotnet/
Interestingly, the second tutorial does specifically mention using certificates for the purposes of authentication (against Key Vault); you may wish to use this technique yourself as a simplified way to get direct access to your certificate.
The service management API to get the certificate is this:
https://management.core.windows.net/<subscription-id>/services/hostedservices/<service-name>/certificates/<thumbprint-algorithm>-<thumbprint-in-hexadecimal>
I need the equivalent ARM API. Please help.
You need this API call:
/subscriptions/%sub_Id%/resourceGroups/%rg_Name%/providers/Microsoft.ClassicCompute/domainNames/%cloudService_Name%/servicecertificates