Recently I've had the opportunity to do some Azure work at my job. In particular, I've been trying to learn and automate various actions around Azure API Management Service gateways and APIs. This took quite a bit of wrapping my head around, so I thought I'd share my recent work on how I managed to assign RBAC roles to individual APIs.

In the portal, the only option you have is to assign access only on the entire API Management Service gateway and all APIs therein. We had a need to get more granular with this and needed to assign permissions at the API-level instead. With a little bit of PowerShell-fu and a lot of learning on my part, I was able to make it happen.

In a nutshell, here's the overall process:

  • Find the scopes of all the APIs you'd like to assign access to
  • Create an Azure role definition only scoped to those APIs
  • Assign that role definition to all of the APIs
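To show what those three steps look like underneath, here is an added example that does them directly with the AzureRm cmdlets. This is not the Grant-AzureApiAccess script from the PowerShell Gallery; the variable names, the pattern, the group name and the action string 'Microsoft.ApiManagement/service/apis/read' are assumptions made for illustration.

```powershell
# Added example: the three steps done directly with AzureRm cmdlets.
# Not the Grant-AzureApiAccess script; names and the action string are assumptions.

$subscriptionId  = (Get-AzureRmSubscription).SubscriptionId   # assumes one subscription in context
$resourceGroup   = 'GatewayRG'
$serviceName     = 'APIGateway'
$apiMatchPattern = '^FOO'          # regex matched against the API display name
$roleName        = 'FOO Reader'
$principalName   = 'FOO-Readers'   # Azure AD group display name

# Step 1: discover the matching APIs and build their ARM resource IDs (the RBAC scopes).
$apimContext = New-AzureRmApiManagementContext -ResourceGroupName $resourceGroup -ServiceName $serviceName
$apis = Get-AzureRmApiManagementApi -Context $apimContext | Where-Object { $_.Name -match $apiMatchPattern }
if (-not $apis) { throw "No APIs in $serviceName match pattern '$apiMatchPattern'." }

$scopes = foreach ($api in $apis) {
    "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.ApiManagement/service/$serviceName/apis/$($api.ApiId)"
}

# Step 2: create a custom role definition that is only assignable at those API scopes.
# AssignableScopes is what keeps this role from being handed out on the whole gateway.
$roleDef = Get-AzureRmRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if (-not $roleDef) {
    $roleDef = New-Object -TypeName Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition
    $roleDef.Name             = $roleName
    $roleDef.Description      = "Read access to APIM APIs matching '$apiMatchPattern' on $serviceName"
    $roleDef.IsCustom         = $true
    $roleDef.Actions          = @('Microsoft.ApiManagement/service/apis/read')   # assumed read action for an API
    $roleDef.NotActions       = @()
    $roleDef.AssignableScopes = $scopes
    $roleDef = New-AzureRmRoleDefinition -Role $roleDef
}

# Step 3: assign the role to the group at each API scope, one assignment per API.
$group = Get-AzureRmADGroup -SearchString $principalName | Where-Object { $_.DisplayName -eq $principalName }
if (-not $group) { throw "Azure AD group '$principalName' not found." }

foreach ($scope in $scopes) {
    $existing = Get-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
        Write-Verbose "Assigned '$roleName' to '$principalName' at $scope"
    }
}
```

Two points worth checking before running something like this in your own tenant: the regex is matched against the API display name, so a loose pattern widens the set of APIs that end up in AssignableScopes, and the role definition is reused if one with that name already exists, so a later run with a different pattern will not add the new APIs to the existing role's assignable scopes unless you update it.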

It may sound simple but I learned there's no good way to do this natively with the Azure PowerShell cmdlets so I created a script to make it happen for me. If you'd rather just grab a copy, it's in the PowerShell Gallery so just run:

Install-Script -Name Grant-AzureApiAccess

Here's an example of how to use it. Most of the parameters are self-explanatory but one in particular shows how I designed the script. This parameter is the ApiMatchPattern parameter. Since I wanted to change multiple APIs at once, I decided to use a regex match parameter that will go out and discover all of the APIs that match that pattern.

$params = @{
    ApiManagementServiceName          = 'APIGateway'
    ApiManagementServiceResourceGroup = 'GatewayRG'
    ApiMatchPattern                   = 'FOO'
    AzureRoleName                     = 'FOO Reader'
    AzureRoleDescription              = 'FOO Reader'
    Rights                            = 'Read'
    PrincipalName                     = 'FOO-Readers'
    AzureSubscriptionId               = (Get-AzureRmSubscription).SubscriptionId
}
.\Grant-AzureApiAccess.ps1 @params

This example will assign the read-only permission on all APIs matching FOO to the FOO-Readers Azure AD group on the API Management Service APIGateway. It will do this by creating an Azure role definition called FOO Reader scoped to just the APIs matched and assign that role to all APIs. This script was thrown together pretty quickly and only meets the requirements I had. This concept, however, could easily be converted into a module so if it doesn't quite fit your needs, grab the code and make it happen!
