Assigning Permissions to Azure Management APIs with PowerShell

Recently I’ve had the opportunity to do some Azure work at my job. In particular, I’ve been learning and automating various actions around Azure API Management Service gateways and APIs. It took quite a bit of effort to wrap my head around, so I thought I’d share how I managed to assign RBAC roles to individual APIs.

In the portal, the only option you have is to assign access to the entire API Management Service gateway and every API in it. We needed to get more granular than that and assign permissions at the API level instead. With a little bit of PowerShell-fu and a lot of learning on my part, I was able to make it happen.

In a nutshell, here’s the overall process:

  • Find the resource scopes (ARM resource IDs) of all the APIs you’d like to assign access to
  • Create an Azure role definition scoped only to those APIs
  • Assign that role definition at the scope of each of those APIs

It may sound simple, but I learned there’s no good way to do this natively with the Azure PowerShell cmdlets, so I wrote a script to do it for me. If you’d rather just grab a copy, it’s in the PowerShell Gallery, so just run:

Here’s an example of how to use it. Most of the parameters are self-explanatory, but one in particular shows how I designed the script: the ApiMatchPattern parameter. Since I wanted to change multiple APIs at once, I made it a regex that discovers every API whose name matches the pattern.

This example assigns read-only permission on all APIs matching ‘FOO’ to the FOO-Readers Azure AD group on the API Management Service APIGateway. It does this by creating an Azure role definition called FOO Reader scoped to just the matched APIs and then assigning that role at each of those APIs. Because the match is a regex, review the list of matched APIs before running it for real: a loose pattern like ‘FOO’ also matches an API named FOOBAR, and you would grant access more broadly than intended.
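
The three steps above, and the FOO / FOO-Readers usage just described, as an added example written for this page against the current Az modules. This is not the author’s PowerShell Gallery script; it assumes Az.Accounts, Az.ApiManagement and Az.Resources are installed, that Connect-AzAccount has already been run against the right subscription, and that the resource group name is a placeholder you supply. The role actions, the scope format and the -WhatIf guard are my choices, not anything the post specifies.

```powershell
<#
  Added example (not the author's PowerShell Gallery script): the three steps from the post,
  implemented with the Az modules. Assumptions: Connect-AzAccount has already run; the
  resource group name is a placeholder; service, group and role names follow the post's example.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$ResourceGroupName,   # placeholder, e.g. 'rg-apim'
    [string]$ServiceName     = 'APIGateway',              # APIM instance name from the post
    [string]$ApiMatchPattern = 'FOO',                     # regex applied to each API's display name
    [string]$GroupName       = 'FOO-Readers',             # Azure AD group that receives access
    [string]$RoleName        = 'FOO Reader'               # custom role that will be created
)

$ErrorActionPreference = 'Stop'

# --- Step 1: find the ARM resource IDs (scopes) of the APIs that match the pattern ---------------
$subscriptionId = (Get-AzContext).Subscription.Id
$apimCtx     = New-AzApiManagementContext -ResourceGroupName $ResourceGroupName -ServiceName $ServiceName
$matchedApis = Get-AzApiManagementApi -Context $apimCtx | Where-Object { $_.Name -match $ApiMatchPattern }

if (-not $matchedApis) {
    throw "No APIs on '$ServiceName' match the pattern '$ApiMatchPattern'; nothing to assign."
}

# Build each scope explicitly so the script does not depend on which Id property the cmdlet exposes.
$scopes = foreach ($api in $matchedApis) {
    "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroupName" +
    "/providers/Microsoft.ApiManagement/service/$ServiceName/apis/$($api.ApiId)"
}

# A regex is easy to over-match ('FOO' also hits 'FOOBAR'), so show what will be touched first.
Write-Host "APIs matched by '$ApiMatchPattern':"
$matchedApis | ForEach-Object { Write-Host "  $($_.Name) [$($_.ApiId)]" }

# --- Step 2: create a custom role whose actions and assignable scopes are limited to those APIs -
$role = Get-AzRoleDefinition -Name 'Reader'      # built-in role used only as a template object
$role.Id          = $null                        # a null Id makes New-AzRoleDefinition create, not update
$role.IsCustom    = $true
$role.Name        = $RoleName
$role.Description = "Read-only access to APIs matching '$ApiMatchPattern' on $ServiceName"

$role.Actions.Clear()
$role.Actions.Add('Microsoft.ApiManagement/service/apis/read')             # the API definition itself
$role.Actions.Add('Microsoft.ApiManagement/service/apis/operations/read')  # its operations
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
foreach ($scope in $scopes) { $role.AssignableScopes.Add($scope) }
# If your tenant rejects resource-level AssignableScopes, use the APIM service scope here instead;
# the per-API restriction is still enforced by where the role is *assigned* in step 3.

if ($PSCmdlet.ShouldProcess($RoleName, 'Create custom role definition')) {
    $createdRole = New-AzRoleDefinition -Role $role
}

# --- Step 3: assign the role to the group at every matched API scope ----------------------------
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) { throw "Azure AD group '$GroupName' not found." }

foreach ($scope in $scopes) {
    if ($PSCmdlet.ShouldProcess($scope, "Assign '$RoleName' to '$GroupName'")) {
        # Assign by definition Id rather than name so a freshly created role resolves reliably.
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionId $createdRole.Id -Scope $scope | Out-Null
        Write-Host "Assigned '$RoleName' to '$GroupName' at $scope"
    }
}
```

Run it once with -WhatIf to see the matched APIs and the scopes that would receive an assignment, then again without it. Keeping the role's Actions to the two read operations, and assigning only at API scope rather than at the service, is what makes this genuinely least-privilege; a role assigned at the service scope would read every API on the gateway no matter how narrow its AssignableScopes are.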
This script was thrown together pretty quickly and only meets the requirements I had. The concept, however, could easily be turned into a module, so if it doesn’t quite fit your needs, grab the code and make it happen!

Adam Bertram

Chief Automator at Adam the Automator, LLC
Adam Bertram is an independent consultant, technical writer, trainer and presenter. Adam specializes in consulting and evangelizing all things IT automation, mainly focused around Windows PowerShell. Adam is a Microsoft Windows PowerShell MVP, 2015 powershell.org PowerShell hero and has numerous Microsoft IT pro certifications. He authors IT pro course content for Pluralsight, is a regular contributor to numerous print and online publications and presents at various user groups and conferences. You can find Adam here on the blog or on Twitter at @adbertram.