Azure API Management

We use Azure API Management to publish APIs to external and internal customers.

CREATE Custom Role: API Management Operator

Here are the steps I followed. The Azure CLI was run both in the Azure Portal's Cloud Shell (labelled "Online Azure CLI" below) and installed locally on Windows ("Local Windows Azure CLI"); the commands are identical, only the quoting of inline JSON differs between bash and the Windows command line.

  • Find the subscription GUIDs (they go into --scope and AssignableScopes below)
Online and Local Azure CLI
az account list --query "[].{name:name, id:id, isDefault:isDefault}" --output table
  • List the existing roles; the second command narrows the list to custom roles assignable at one subscription
Online Azure CLI
az role definition list | jq '.[] | {"roleName": (.roleName // .properties.roleName), "description": (.description // .properties.description)}'
az role definition list --custom-role-only --scope "/subscriptions/921deb18-e650-41b0-9ded-78573404b44f" --output json | jq '.[] | {"roleName": (.roleName // .properties.roleName), "description": (.description // .properties.description)}'
Local Windows Azure CLI
az role definition list | jq ".[] | {\"roleName\": (.roleName // .properties.roleName), \"description\": (.description // .properties.description)}"
az role definition list --custom-role-only --scope "/subscriptions/921deb18-e650-41b0-9ded-78573404b44f" --output json | jq ".[] | {\"roleName\": (.roleName // .properties.roleName), \"description\": (.description // .properties.description)}"
Current Azure CLI versions return roleName and description at the top level of each item; older versions nested them under properties, which is why the jq filter accepts both. The CLI's built-in JMESPath query avoids jq and the Windows quoting altogether:
Online and Local Azure CLI
az role definition list --query "[].{roleName:roleName, description:description}" --output table
  • View a built-in role to use as a template, or just to study which actions it grants
Local Windows Azure CLI
az role definition list --name "API Management Service Contributor" --output json
  • Write the custom role definition. This is the definition used by the create and update commands below (saved as apim-operator.json where the @file form is used):
{
  "Name": "API Management Operator",
  "IsCustom": true,
  "Description": "Role to allow Operators to administer parts of API Management.",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.ApiManagement/service/getssotoken/action",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/read",
    "Microsoft.ApiManagement/service/read",
    "Microsoft.ApiManagement/service/*/read",
    "Microsoft.ApiManagement/service/apis/*",
    "Microsoft.ApiManagement/service/products/*",
    "Microsoft.ApiManagement/service/reports/*",
    "Microsoft.ApiManagement/service/portalsettings/*",
    "Microsoft.ApiManagement/service/quotas/*",
    "Microsoft.ApiManagement/service/templates/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/44867260-a2c3-4c71-83fc-15c3c45ae956",
    "/subscriptions/8d27f2c0-63bd-499e-bfad-1d9f581a9899",
    "/subscriptions/921deb18-e650-41b0-9ded-78573404b44f"
  ]
}
A few points about this Actions list. Azure RBAC wildcards span path segments and matching is case-insensitive, so "Microsoft.ApiManagement/service/*/read" covers read on every sub-resource (APIs, products, backends, ...) but not the service resource itself, which is why "Microsoft.ApiManagement/service/read" is listed separately. The "apis/*", "products/*", "reports/*", "portalsettings/*", "quotas/*" and "templates/*" wildcards include write and delete on those sub-resources, while "Microsoft.ApiManagement/service/write" and "Microsoft.ApiManagement/service/delete" are deliberately absent, so an operator can manage APIs and products but cannot delete, scale or reconfigure the instance. "getssotoken/action" issues a single sign-on token for the legacy publisher portal; drop it if your operators work only through the Azure portal. Whoever creates the definition needs Microsoft.Authorization/roleDefinitions/write (Owner or User Access Administrator) on every subscription listed in AssignableScopes, and the role can only be assigned within those subscriptions.
  • Create the new custom role
Online Azure CLI
az role definition create --role-definition '{
  "Name": "API Management Operator",
  "IsCustom": true,
  "Description": "Role to allow Operators to administer parts of API Management.",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.ApiManagement/service/getssotoken/action",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/read",
    "Microsoft.ApiManagement/service/read",
    "Microsoft.ApiManagement/service/*/read",
    "Microsoft.ApiManagement/service/apis/*",
    "Microsoft.ApiManagement/service/products/*",
    "Microsoft.ApiManagement/service/reports/*",
    "Microsoft.ApiManagement/service/portalsettings/*",
    "Microsoft.ApiManagement/service/quotas/*",
    "Microsoft.ApiManagement/service/templates/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/44867260-a2c3-4c71-83fc-15c3c45ae956",
    "/subscriptions/8d27f2c0-63bd-499e-bfad-1d9f581a9899",
    "/subscriptions/921deb18-e650-41b0-9ded-78573404b44f"
  ]
}'
Local Windows Azure CLI
Inline JSON has to stay on one line with every inner quote backslash-escaped:
az role definition create --role-definition "{ \"Name\": \"API Management Operator\", \"IsCustom\": true, \"Description\": \"Role to allow Operators to administer parts of API Management.\", \"Actions\": [ \"Microsoft.Authorization/*/read\", \"Microsoft.ApiManagement/service/getssotoken/action\", \"Microsoft.ResourceHealth/availabilityStatuses/read\", \"Microsoft.Resources/subscriptions/resourceGroups/read\", \"Microsoft.Resources/deployments/read\", \"Microsoft.ApiManagement/service/read\", \"Microsoft.ApiManagement/service/*/read\", \"Microsoft.ApiManagement/service/apis/*\", \"Microsoft.ApiManagement/service/products/*\", \"Microsoft.ApiManagement/service/reports/*\", \"Microsoft.ApiManagement/service/portalsettings/*\", \"Microsoft.ApiManagement/service/quotas/*\", \"Microsoft.ApiManagement/service/templates/*\" ], \"NotActions\": [], \"AssignableScopes\": [ \"/subscriptions/44867260-a2c3-4c71-83fc-15c3c45ae956\", \"/subscriptions/8d27f2c0-63bd-499e-bfad-1d9f581a9899\", \"/subscriptions/921deb18-e650-41b0-9ded-78573404b44f\" ] }"
Saving the definition to a file and passing it by reference works in both environments and avoids the escaping:
az role definition create --role-definition @apim-operator.json
  • Modify an existing custom role
Edit the definition and submit it with update instead of create. When no "Id" field is present the CLI looks the role up by Name in the first assignable scope, so keep the Name unchanged; to make the match explicit, add an "Id" field holding the output of az role definition list --name "API Management Operator" --query "[0].id" --output tsv. In bash the JSON must be wrapped in single quotes, otherwise the shell strips the inner double quotes and the CLI receives invalid JSON.
Online Azure CLI
az role definition update --role-definition '{
  "Name": "API Management Operator",
  "IsCustom": true,
  "Description": "Role to allow Operators to administer parts of API Management.",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.ApiManagement/service/getssotoken/action",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/deployments/read",
    "Microsoft.ApiManagement/service/read",
    "Microsoft.ApiManagement/service/*/read",
    "Microsoft.ApiManagement/service/apis/*",
    "Microsoft.ApiManagement/service/products/*",
    "Microsoft.ApiManagement/service/reports/*",
    "Microsoft.ApiManagement/service/portalsettings/*",
    "Microsoft.ApiManagement/service/quotas/*",
    "Microsoft.ApiManagement/service/templates/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/44867260-a2c3-4c71-83fc-15c3c45ae956",
    "/subscriptions/8d27f2c0-63bd-499e-bfad-1d9f581a9899",
    "/subscriptions/921deb18-e650-41b0-9ded-78573404b44f"
  ]
}'
Local Windows Azure CLI
az role definition update --role-definition @apim-operator.json
or inline, with the quotes backslash-escaped:
az role definition update --role-definition "{ \"Name\": \"API Management Operator\", \"IsCustom\": true, \"Description\": \"Role to allow Operators to administer parts of API Management.\", \"Actions\": [ \"Microsoft.Authorization/*/read\", \"Microsoft.ApiManagement/service/getssotoken/action\", \"Microsoft.ResourceHealth/availabilityStatuses/read\", \"Microsoft.Resources/subscriptions/resourceGroups/read\", \"Microsoft.Resources/deployments/read\", \"Microsoft.ApiManagement/service/read\", \"Microsoft.ApiManagement/service/*/read\", \"Microsoft.ApiManagement/service/apis/*\", \"Microsoft.ApiManagement/service/products/*\", \"Microsoft.ApiManagement/service/reports/*\", \"Microsoft.ApiManagement/service/portalsettings/*\", \"Microsoft.ApiManagement/service/quotas/*\", \"Microsoft.ApiManagement/service/templates/*\" ], \"NotActions\": [], \"AssignableScopes\": [ \"/subscriptions/44867260-a2c3-4c71-83fc-15c3c45ae956\", \"/subscriptions/8d27f2c0-63bd-499e-bfad-1d9f581a9899\", \"/subscriptions/921deb18-e650-41b0-9ded-78573404b44f\" ] }"
  • Finally, assign the new role. Use the Azure Portal (open the resource group that contains the API Management instance, then Access control (IAM), then Add role assignment) or the CLI. Assign at resource group scope rather than at the subscription, and prefer a group over individual users; the second command verifies what was granted. The values in angle brackets are placeholders.
Online and Local Azure CLI
az role assignment create --assignee "<user-or-group-object-id-or-upn>" --role "API Management Operator" --resource-group "<resource-group>"
az role assignment list --resource-group "<resource-group>" --role "API Management Operator" --output table
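As an added example, not part of the original notes, the following POSIX shell script drives the whole procedure above from Cloud Shell or any bash: it writes the definition to a file, creates or updates the role idempotently, assigns it at resource-group scope, and before any of that checks the Actions list against Azure RBAC wildcard semantics (case-insensitive matching, with * spanning path segments) so you can see which operations the role actually grants and which it withholds. The Actions and AssignableScopes are the page's own; the file name apim-operator.json, the check and apply subcommands, and the SUBSCRIPTION_ID, RESOURCE_GROUP and ASSIGNEE variables are my assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the original notes. Assumed (mine, not the page's): the role JSON is
# written to ./apim-operator.json, "check"/"apply" subcommands, and SUBSCRIPTION_ID /
# RESOURCE_GROUP / ASSIGNEE are exported by the caller before "apply".
set -eu

ROLE_NAME="API Management Operator"
# The page's Actions and AssignableScopes, one entry per line so the shell can iterate them.
ACTIONS='Microsoft.Authorization/*/read
Microsoft.ApiManagement/service/getssotoken/action
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/read
Microsoft.ApiManagement/service/read
Microsoft.ApiManagement/service/*/read
Microsoft.ApiManagement/service/apis/*
Microsoft.ApiManagement/service/products/*
Microsoft.ApiManagement/service/reports/*
Microsoft.ApiManagement/service/portalsettings/*
Microsoft.ApiManagement/service/quotas/*
Microsoft.ApiManagement/service/templates/*'
NOT_ACTIONS=''
ASSIGNABLE_SCOPES='/subscriptions/44867260-a2c3-4c71-83fc-15c3c45ae956
/subscriptions/8d27f2c0-63bd-499e-bfad-1d9f581a9899
/subscriptions/921deb18-e650-41b0-9ded-78573404b44f'

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# matches_any OPERATION PATTERNS: Azure RBAC matching is case-insensitive and '*' spans '/'.
# An unquoted shell case pattern has exactly those semantics, so each action string is used as-is.
matches_any() {
  _op=$(lc "$1")
  while IFS= read -r _pat; do
    [ -n "$_pat" ] || continue
    _pat=$(lc "$_pat")
    case "$_op" in
      $_pat) return 0 ;;
    esac
  done <<EOF
$2
EOF
  return 1
}

# grants OPERATION: true when Actions minus NotActions allows the operation.
grants() { matches_any "$1" "$ACTIONS" && ! matches_any "$1" "$NOT_ACTIONS"; }

# check_least_privilege: operators must manage APIs and products, but must not be able to
# reconfigure or delete the service itself, write unrelated sub-resources, or change RBAC.
check_least_privilege() {
  _rc=0
  for _op in 'Microsoft.ApiManagement/service/read' 'Microsoft.ApiManagement/service/apis/operations/policies/write'; do
    grants "$_op" || { echo "MISSING:   $_op"; _rc=1; }
  done
  for _op in 'Microsoft.ApiManagement/service/write' 'Microsoft.ApiManagement/service/delete' \
             'Microsoft.ApiManagement/service/backends/write' 'Microsoft.Authorization/roleAssignments/write'; do
    ! grants "$_op" || { echo "TOO BROAD: $_op"; _rc=1; }
  done
  return $_rc
}

# json_array LIST: newline-separated strings to a JSON array (entries contain no quotes or backslashes).
json_array() {
  _sep=''
  printf '['
  while IFS= read -r _item; do
    [ -n "$_item" ] || continue
    printf '%s"%s"' "$_sep" "$_item"
    _sep=', '
  done <<EOF
$1
EOF
  printf ']'
}

# write_role_json FILE: the definition for `az role definition create --role-definition @FILE`.
write_role_json() {
  cat >"$1" <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Role to allow Operators to administer parts of API Management.",
  "Actions": $(json_array "$ACTIONS"),
  "NotActions": $(json_array "$NOT_ACTIONS"),
  "AssignableScopes": $(json_array "$ASSIGNABLE_SCOPES")
}
EOF
}

# create_or_update_role FILE: idempotent; on update the CLI matches the existing custom role by Name.
create_or_update_role() {
  if [ -n "$(az role definition list --name "$ROLE_NAME" --custom-role-only --query '[0].roleName' -o tsv)" ]; then
    az role definition update --role-definition "@$1"
  else
    az role definition create --role-definition "@$1"
  fi
}

# assign_role ASSIGNEE SUBSCRIPTION_ID RESOURCE_GROUP: resource-group scope, not the whole subscription.
assign_role() {
  az role assignment create --assignee "$1" --role "$ROLE_NAME" --scope "/subscriptions/$2/resourceGroups/$3"
}

case "${1:-}" in
  check) check_least_privilege && echo "Actions list passes the least-privilege checks" ;;
  apply) check_least_privilege
         write_role_json ./apim-operator.json
         create_or_update_role ./apim-operator.json
         assign_role "$ASSIGNEE" "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" ;;
esac
```

Run `sh apim-operator-role.sh check` offline to see the grants/denials, and `ASSIGNEE=... SUBSCRIPTION_ID=... RESOURCE_GROUP=... sh apim-operator-role.sh apply` after `az login` to create and assign. The check makes the point from the definition section concrete: `service/*/read` grants `service/backends/read` but neither `service/read` (listed separately) nor `service/backends/write`, and nothing in the list reaches `service/write`, `service/delete` or role assignments.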