Amit Srivastava, thanks for posting your question in Microsoft Q&A. In general, we recommend using Managed Identity instead of an app registration, if possible, to eliminate the need for managing credentials. In that case, you can follow the steps discussed in the other thread: How to call/retrieve value from Azure app config through APIM policy.
For using a Service Principal with client id and client secret, you need to assign the role Azure App Configuration Data Reader to the service principal, and then follow either of the approaches below:
- Use the send-request policy to get a token from Azure AD and then call the Azure App Configuration REST API as discussed in the other thread. Here is the sample policy snippet: https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Get%20OAuth2%20access%20token%20from%20AAD%20and%20forward%20it%20to%20the%20backend.policy.xml and we have detailed steps described in the API Management Policy for Access Token Acquisition, Caching and Renewal article. Make sure to configure the resource/audience as https://azconfig.io when acquiring the token (refer https://zcusa.951200.xyz/en-us/azure/azure-app-configuration/rest-api-authentication-azure-ad#azure-ad-token-acquisition).
- Instead of the above steps, check out the authorizations feature, which is currently in preview and can be used to manage token acquisition. The first step is to create an authorization in APIM for your service principal as described here, with client id, client secret, grant type as Client credentials, resource url as https://azconfig.io, and assign an access policy to the managed identity of APIM. Second, use the get-authorization-context policy to get the token from Azure AD and pass it to the Azure App Configuration REST API. Here is the sample policy snippet:
    <get-authorization-context provider-id="testproviderad" authorization-id="testproviderad" context-variable-name="auth-context" identity-type="managed" ignore-error="false" />
    <send-request mode="new" timeout="20" ignore-error="false" response-variable-name="tokenstate">
        <set-url>@("https://<app-config-name>.azconfig.io/kv/testkeyname?api-version=1.0")</set-url>
        <set-method>GET</set-method>
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
        </set-header>
    </send-request>
I hope this helps with your question, and let me know if you have any questions or face issues.
If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and I would be happy to answer your questions.
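A complete inbound policy for the first approach in the answer above (acquire a token from Azure AD with the client-credentials grant, cache it, then read a key from App Configuration), added here as a worked example; it is not code from the answer or from the Azure policy-snippets repository. The audience https://azconfig.io and the key name testkeyname come from the answer. The named values {{tenant-id}}, {{client-id}}, {{client-secret}} and {{app-config-name}}, the cache key, the 3000-second cache duration and the X-Config-Value header are assumptions made for this example.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reuse a cached token so that not every API call hits Azure AD.
             The variable is only set when the cache key exists. -->
        <cache-lookup-value key="appconfig-access-token" variable-name="appconfigToken" />
        <choose>
            <when condition="@(!context.Variables.ContainsKey("appconfigToken"))">
                <!-- Client-credentials grant against the v1 endpoint; the audience is https://azconfig.io.
                     {{tenant-id}}, {{client-id}} and {{client-secret}} are assumed APIM named values.
                     Keep the secret as a secret (or Key Vault-backed) named value, never inline here. -->
                <send-request mode="new" response-variable-name="tokenResponse" timeout="20" ignore-error="false">
                    <set-url>https://login.microsoftonline.com/{{tenant-id}}/oauth2/token</set-url>
                    <set-method>POST</set-method>
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/x-www-form-urlencoded</value>
                    </set-header>
                    <set-body>@{
                        return "grant_type=client_credentials"
                             + "&client_id={{client-id}}"
                             + "&client_secret={{client-secret}}"
                             + "&resource=https://azconfig.io";
                    }</set-body>
                </send-request>
                <!-- Fail closed when Azure AD does not issue a token (wrong secret, wrong tenant, etc.). -->
                <choose>
                    <when condition="@(((IResponse)context.Variables["tokenResponse"]).StatusCode != 200)">
                        <return-response>
                            <set-status code="502" reason="Token acquisition failed" />
                        </return-response>
                    </when>
                </choose>
                <set-variable name="appconfigToken" value="@((string)((IResponse)context.Variables["tokenResponse"]).Body.As<JObject>()["access_token"])" />
                <!-- Cache for 3000 seconds (assumed), shorter than the usual 60-minute token lifetime
                     so a cached token is never presented after it has expired. -->
                <cache-store-value key="appconfig-access-token" value="@((string)context.Variables["appconfigToken"])" duration="3000" />
            </when>
        </choose>
        <!-- Read a single key-value from App Configuration with the bearer token.
             The caller needs the Azure App Configuration Data Reader role, as stated in the answer. -->
        <send-request mode="new" response-variable-name="kvResponse" timeout="20" ignore-error="false">
            <set-url>https://{{app-config-name}}.azconfig.io/kv/testkeyname?api-version=1.0</set-url>
            <set-method>GET</set-method>
            <set-header name="Authorization" exists-action="override">
                <value>@("Bearer " + (string)context.Variables["appconfigToken"])</value>
            </set-header>
        </send-request>
        <choose>
            <when condition="@(((IResponse)context.Variables["kvResponse"]).StatusCode != 200)">
                <return-response>
                    <set-status code="502" reason="App Configuration lookup failed" />
                </return-response>
            </when>
        </choose>
        <!-- The kv endpoint returns a JSON document; the setting itself is the "value" property. -->
        <set-variable name="configValue" value="@((string)((IResponse)context.Variables["kvResponse"]).Body.As<JObject>()["value"])" />
        <!-- Hand the setting to the backend (assumed header name); use it wherever the policy needs it. -->
        <set-header name="X-Config-Value" exists-action="override">
            <value>@((string)context.Variables["configValue"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two points worth checking before using this pattern: if you switch to the v2.0 token endpoint (/oauth2/v2.0/token), replace resource=https://azconfig.io with scope=https://azconfig.io/.default, otherwise Azure AD rejects the request; and because the cache entry is keyed only by a fixed string, every caller of this API shares one token, which is fine for a single service principal but must be re-keyed if you ever acquire tokens on behalf of different identities.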