Recently I had a scenario with an API exposed through Azure API Management (APIM). Consumers call it using a service principal credential that has been granted delegated API permissions on the service principal representing the API. This works well, but I then needed to call the API from a Logic App, and we wanted the Logic App to use a system-assigned or user-assigned managed identity.

Setting up the identity is straightforward enough (for the sake of the post I'll use a managed identity), but the challenge was how to set up the Azure AD delegated permissions. The problem is that creating a managed identity gives you an enterprise application in Azure AD but does not create an App Registration. In the normal service principal scenario you add the permissions on the App Registration, as shown below.

With a managed identity there is no app registration, and I don't think you can configure the permissions on the enterprise application through the portal (or at least I couldn't work out how, or find documentation showing how to do it via the portal).

In the Permissions section you can see where the permissions should appear, but there is no Add button or similar.

I had a look at doing it with PowerShell. I'm sure it is possible, but the script looked very fiddly in terms of finding the right objects. Terraform to the rescue: it is really easy to do there.

First I need some data objects to reference the backend App Registration, which represents the service principal that APIM is using. Terraform has the azuread_application data source to represent the app registration and the azuread_service_principal data source to represent the enterprise application. APIM will have both an app registration and an enterprise app.

//App Registration = APIM-Demo-BackEnd (the azure ad app registration)
data "azuread_application" "APIM-Demo-BackEnd" {
  application_id = "2bb810c5-c43f-46df-a5f5-80f124fda3d5"
}

//Service Principal = APIM-Demo-BackEnd (the enterprise app)
data "azuread_service_principal" "APIM-Demo-BackEnd" {
  application_id = data.azuread_application.APIM-Demo-BackEnd.application_id
}

I then need a data object in Terraform to represent the enterprise app that Azure created for my managed identity. In this case I am pointing to my user-assigned managed identity, but a system-assigned one works just the same.

//Service Principal = Trusted-LogicApp-APIM (the enterprise app)
data "azuread_service_principal" "Trusted-LogicApp-APIM" {
  application_id = "58e381fe-7c77-45f7-a53f-0528dba80500"
}

I then create a Terraform resource for the service principal delegated permission grant. It assigns the permissions to the enterprise app representing the managed identity, points at the service principal representing APIM, and lists the permissions I want to grant.


resource "azuread_service_principal_delegated_permission_grant" "add_permission_to_logicapp_managed_identity" {
  service_principal_object_id          = data.azuread_service_principal.Trusted-LogicApp-APIM.object_id
  resource_service_principal_object_id = data.azuread_service_principal.APIM-Demo-BackEnd.object_id

  //Just add a list of permissions here that you want to associate for the managed identity to have access
  //to on the resource
  claim_values                         = ["App.Read"]
}

When I run the Terraform it sets up this permission on my user-assigned managed identity, as shown below.

Now in my Logic App I can call APIM using the user-assigned managed identity and pass the scope for the API permission I have delegated access to.

In the APIM policy I can then use validate-jwt to check the token's audience and confirm it is the APIM permission that my Logic App has delegated access to.
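The validate-jwt policy described above, as an added example that is not from the original post; the audience and required-claims blocks are the checks a practitioner would want in place. The {tenant-id} placeholder and the api:// application ID URI are assumptions, and the client id is the APIM-Demo-BackEnd one from the Terraform above.

```xml
<inbound>
    <base />
    <!-- Reject the call unless the bearer token was issued by Azure AD for this API.
         Assumed placeholder: {tenant-id} is the directory (tenant) id. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true">
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <issuers>
            <!-- v2.0 tokens carry the first issuer, v1.0 tokens the second -->
            <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            <issuer>https://sts.windows.net/{tenant-id}/</issuer>
        </issuers>
        <audiences>
            <!-- The APIM-Demo-BackEnd app registration from the Terraform above.
                 v1.0 tokens carry the application ID URI and v2.0 tokens the client id,
                 so both are listed; api://<client-id> is the assumed default URI. -->
            <audience>api://2bb810c5-c43f-46df-a5f5-80f124fda3d5</audience>
            <audience>2bb810c5-c43f-46df-a5f5-80f124fda3d5</audience>
        </audiences>
        <required-claims>
            <!-- Audience alone only proves the token was issued for this API; this
                 additionally requires the App.Read permission itself. Delegated
                 scopes are carried in the scp claim, application permissions in roles. -->
            <claim name="scp" match="any" separator=" ">
                <value>App.Read</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
```

Inspect a token the Logic App actually receives before relying on the required-claims block: if the permission shows up under roles rather than scp, change the claim name accordingly, otherwise the call is rejected with the 401 above.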

The full Terraform script for setting up the permission is below.


//App Registration = APIM-Demo-BackEnd (the azure ad app registration)
data "azuread_application" "APIM-Demo-BackEnd" {
  application_id = "2bb810c5-c43f-46df-a5f5-80f124fda3d5"
}

//Service Principal = APIM-Demo-BackEnd (the enterprise app)
data "azuread_service_principal" "APIM-Demo-BackEnd" {
  application_id = data.azuread_application.APIM-Demo-BackEnd.application_id
}


//Service Principal = Trusted-LogicApp-APIM (the enterprise app)
data "azuread_service_principal" "Trusted-LogicApp-APIM" {
  application_id = "58e381fe-7c77-45f7-a53f-0528dba80500"
}


resource "azuread_service_principal_delegated_permission_grant" "add_permission_to_logicapp_managed_identity" {
  service_principal_object_id          = data.azuread_service_principal.Trusted-LogicApp-APIM.object_id
  resource_service_principal_object_id = data.azuread_service_principal.APIM-Demo-BackEnd.object_id

  //Just add a list of permissions here that you want to associate for the managed identity to have access
  //to on the resource
  claim_values                         = ["App.Read"]
}
