Azure / azure-cli

Azure Command-Line Interface
MIT License

How to update API Policy? #14695

Open JoshuaPHolden opened 4 years ago

JoshuaPHolden commented 4 years ago

Is there a way to update the policy for a given API through the CLI? Every time I update an API the policy gets wiped out and has to be manually added back.


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ghost commented 4 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @miaojiang.

yonzhan commented 4 years ago

apim

miaojiang commented 4 years ago

@nezoic thanks for the feedback. Can you please elaborate on how you update an API and steps to reproduce?

cc @RupengLiu

MCKLMT commented 3 years ago

Any news? What's the equivalent of Set-AzApiManagementPolicy?

PradeepLoganathan commented 3 years ago

Any updates on using AZ CLI to set the APIM policy please?

yonzhan commented 3 years ago

API management service team should look into this

ulluoink commented 2 years ago

Any news? Did the "API management service team" look into this?

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @miaojiang.

Issue Details

Is there a way to update the policy for a given API through the CLI? Every time I update an API the policy gets wiped out and has to be manually added back.

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

* ID: 86f27e34-66e0-1d08-f734-26ce29c56c36
* Version Independent ID: d1a421eb-807c-c0bd-cee3-a5aed7335625
* Content: [az apim api](https://docs.microsoft.com/en-us/cli/azure/apim/api?view=azure-cli-latest#az-apim-api-update)
* Content Source: [src/azure-cli/azure/cli/command_modules/apim/_help.py](https://github.com/Azure/azure-cli/blob/dev/src/azure-cli/azure/cli/command_modules/apim/_help.py)
* GitHub Login: @rloutlaw
* Microsoft Alias: routlaw

Author: nezoic
Assignees: -
Labels: `Service Attention`, `API Management`, `customer-reported`
Milestone: -

navba-MSFT commented 2 years ago

@nezoic Apologies for the late reply. We are looking into this issue. We will update this thread once we have more details.

@adrianhall Could you please provide an update on this issue? Awaiting your reply.

intercity-technology commented 2 years ago

I'm also experiencing difficulties with this.

I publish a function app ...

func azure functionapp publish $STAGING_FUNCTION_APP_NAME --typescript --subscription $SUBSCRIPTION_ID

Then reimport the API into APIM using OpenAPI schema...

az apim api import -g $STAGING_RESOURCE_GROUP --service-name $STAGING_GATEWAY_NAME --api-id $STAGING_FUNCTION_APP_NAME --path myPath --specification-path $CI_PROJECT_DIR/OpenAPI/schema.yaml --specification-format OpenApi

This works fine, apart from the fact that it wipes out any policies as they're not defined in the OpenAPI spec as described in the original question.

It would be great if this could be catered for by defining policies in OpenAPI but an az command to set policies (specifically validate-jwt for me) would be great, and to be honest, needed!

adrianhall commented 2 years ago

The ability to add a policy via CLI will be added to the next release of the APIM CLI - we are targeting end of May for this release. In the interim, you can use the az rest command to upload policies. Something like the following:

az rest --method PUT \
  --uri "https://management.azure.com/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.ApiManagement/service/{svc}/apis/{apiId}/policies/policy?api-version=2021-08-01" \
  --body "{ \"value\": \"<your-policy-document-json-encoded-string>\",\"format\":\"xml\" }"

Ensure you encode the string as a JSON encoded string (quote quotes, newlines, etc.) This is not the most obvious format - the CLI command we are developing will allow you to use a file reference as well.

@intercity-technology - if you are importing a new OpenAPI spec, it does not create policies for you. You have to define them. So your observed behaviour is expected - we agree, a CLI command to inject the policy is needed.

MariaLysik commented 2 years ago

@adrianhall, when I try the REST workaround then I get the az error The command line is too long. Does it mean the Az PowerShell is the only solution for big policies now?

adrianhall commented 2 years ago

For large policies, you can use ARM / Bicep / Terraform or you can use the Azure Portal. You will run into the same size issues in Azure PowerShell.

morphet81 commented 2 years ago

@adrianhall Hi. How should I proceed with the above example to upload a policy for a specific API operation? Also can we use names instead of IDs? IDs change every time we re-deploy.

morphet81 commented 2 years ago

Found how to do it. But even though it goes through, it doesn't work 😅 I am using the following and my policies are not updated

--body "{ \"properties\":{\"method\":\"PUT\"},\"value\": \"<policies><inbound><base/><ip-filter action="allow"><address>192.168.1.1</address></ip-filter></inbound><backend><base/></backend><outbound><base/></outbound><on-error><base/></on-error></policies>\",\"format\":\"xml\" }"

Any idea what goes wrong? I didn't escape the action value because if I do it doesn't go through at all.

adrianhall commented 2 years ago

You definitely need to escape the quotes in the action. Syntax is slightly wrong.

az rest --method PUT --uri "https://management.azure.com/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.ApiManagement/service/{serviceName}/apis/{apiId}/operations/{operationId}/policies/policy?api-version=2021-08-01" --body @body.json

Then have a file body.json that contains the following:

{
  "value": "{{ json encoded policy file }}",
  "format": "rawxml"
}

Replace the {subId}, {rgName}, {serviceName}, {apiId}, and {operationId} in the URI with your values.

morphet81 commented 2 years ago

Thanks a lot for your feedback. I've tried the new way but still no luck. If I don't put the properties field, it complains

Bad Request({"error":{"code":"ValidationError","message":"Invalid payload format. Contract should have 'properties' specified.","details":null}})

So I put properties, but if it's empty it complains. So I use this:

{
    "properties": {
        "method": "PUT"
    },
    "value": "<policies><inbound><ip-filter action=\"allow\"><address>192.168.1.1</address></ip-filter></inbound></policies>",
    "format": "rawxml"
}

The request goes through, but when I check on Azure console, nothing changed. Any idea why?

morphet81 commented 2 years ago

And just like that, 2 min later I find the solution 😅 The right body is the following. Need to put value and format under properties

{
    "properties": {
        "method": "PUT",
        "value": "<policies><inbound><ip-filter action=\"allow\"><address>192.168.1.1</address></ip-filter></inbound></policies>",
        "format": "rawxml"
    }
}

adrianhall commented 2 years ago

Sorry - yes - I missed the properties when I was typing. Glad it worked out for you

please-close

bmaupin commented 2 years ago

> The ability to add a policy via CLI will be added to the next release of the APIM CLI - we are targeting end of May for this release.

Is there any update on this? Is there an open issue that we can follow to track this feature?

Thanks!

adrianhall commented 2 years ago

There isn't an open issue to track on GitHub (we track these work items in our internal issues tracker). We obviously did not meet the May target, but I don't have a new date at the moment.

bmaupin commented 2 years ago

> There isn't an open issue to track on GitHub (we track these work items in our internal issues tracker). We obviously did not meet the May target, but I don't have a new date at the moment.

Thanks for the update.

> For large policies, you can use ARM / Bicep / Terraform or you can use the Azure Portal. You will run into the same size issues in Azure PowerShell.

When this feature is implemented in Azure CLI, do you know if it will also have the same issues with large policies? I'm trying to determine if it's worth waiting for the feature to be implemented in Azure CLI or if I should look into the alternatives.

Never mind, I just did some research on the error message that your comment was referring to ("The command line is too long"). This seems to be an issue with the Windows terminal, which appears to have a command length limit of 8191 characters. But I'm running the Azure CLI from Linux (technically a container in Linux) and it looks like the command length limit is over 100k characters. That should be enough :)

$ docker run --rm -it mcr.microsoft.com/azure-cli bash
bash-5.1# getconf ARG_MAX
131072

Thanks!

> @adrianhall, when I try the REST workaround then I get the az error The command line is too long. Does it mean the Az PowerShell is the only solution for big policies now?

@MariaLysik You could try what I'm doing in case that helps to get around the limit: How to run the Azure CLI in a Docker container

bmaupin commented 2 years ago

> This works fine, apart from the fact that it wipes out any policies as they're not defined in the OpenAPI spec as described in the original question.
>
> It would be great if this could be catered for by defining policies in OpenAPI but an az command to set policies (specifically validate-jwt for me) would be great, and to be honest, needed!

Putting the policies in the OpenAPI definition would be amazing. For what it's worth, this is how IBM API Connect works; it puts the policies inside a custom x-ibm-configuration section in the API definition, e.g.

x-ibm-configuration:
  assembly:
    execute:
      - if:
          title: if
          condition: apim.getvariable('bypass-saml-validation') !== 'true'
          execute:
            - set-variable:
                title: Get SAMLResponse from headers
                actions:
# ...

Coming to Azure API Management from IBM API Connect feels like a step backward in that sense. Right now with API Connect all of our policies are easily version controlled because they're right inside the API definition. It's going to be a challenge to figure out how to do this with Azure.

fellnerse commented 2 years ago

I'm also looking forward to this feature! @adrianhall can you tell us what your release cycle is?

adrianhall commented 2 years ago

Sorry @fellnerse - I don't have a good line of sight at this point as to when the work will be completed.

close

Tapanila commented 1 year ago

Any news on this? @adrianhall would you be open for contributions to help with this?

adrianhall commented 1 year ago

Always happy for contributions. I still don't have a line of sight onto additional work in the Azure CLI.

Tapanila commented 1 year ago

Great. Do you have a branch existing for the work you have already done?

adrianhall commented 1 year ago

Just do your work on a fork - we'll manage the merged changes on this end.

dboulet01 commented 1 year ago

Was this ever released? I would love this functionality

benhoad commented 1 year ago

Any impending eta yet?

abhi-markan commented 1 year ago

Hello, are we in a position to consume az cli to add APIM policies or do we still need to use REST API workaround? Thanks

singsingwong2 commented 1 year ago

Hi all, for the REST Api workaround, how can I apply the policy to all operations in one go?

adrianhall commented 1 year ago

We are working on the CLI for the 2022-08-01 API version. You can do this operation with Azure PowerShell today.

For the REST API workaround, you would not apply the policy to "all operations" in one go - apply the policy to the "API" instead - it is then applied to all operations.

adrianhall commented 1 year ago

assign: KedarJoshi

plaha-nlg commented 1 year ago

Hi, any update on Azure CLI to add the policies? Can you provide any timeline?

GlennColpaert commented 1 year ago

Would be great to get an update on this 😄

ulluoink commented 1 year ago

still no cli support to manage policies in apim after three years

Azure is really beginning to get on my nerves

ulluoink commented 1 year ago

> The ability to add a policy via CLI will be added to the next release of the APIM CLI - we are targeting end of May for this release. In the interim, you can use the az rest command to upload policies. Something like the following: ...

So obviously it neither worked for May nor August 2022.

So now after over a year - any updates @adrianhall?

Even if you say "No, Microsoft will not support this in CLI, just use bicep" it would be helpful. But just say something reliable.

celsocoutinho-tangany commented 9 months ago

Any updates on this?

Joseluismantilla commented 8 months ago

Any updates on this, guys? I'd love to be able to manage APIM policies from AZ CLI.

ulluoink commented 7 months ago

any updates? @KedarJoshi

bellaar2 commented 6 months ago

Any updates please? This is a useful feature.

AndrewBates666 commented 6 months ago

Is there any movement on this? Reading this thread it's been coming in every next version of the AZ CLI update but I can't see the functionality. I agree with all the posters that this is required functionality and severely limits working with API management. An update with a solid delivery date would be good? Thanks A

AndrewBates666 commented 6 months ago

> And just like that, 2 min later I find the solution 😅 The right body is the following. Need to put value and format under properties
>
> {
>     "properties": {
>         "method": "PUT",
>         "value": "<policies><inbound><ip-filter action=\"allow\"><address>192.168.1.1</address></ip-filter></inbound></policies>",
>         "format": "rawxml"
>     }
> }

I'm trying to use the REST API; the body I'm passing is:

{"properties":{"format":"xml","value":"<policies><inbound/><backend><forward-request/></backend><outbound/></policies>"}}

When I call the api endpoint I get the following error:

az : < was unexpected at this time. At C:\Data\apims1.ps1:8 char:1

I've tried encoding the < > as &#60;/&#62; and also &lt;/&gt; but can't get the body to be accepted. I've also encoded the " as \" but it still fails.

seanksullivan commented 5 months ago

> > And just like that, 2 min later I find the solution 😅 The right body is the following. Need to put value and format under properties
> >
> > {
> >     "properties": {
> >         "method": "PUT",
> >         "value": "<policies><inbound><ip-filter action=\"allow\"><address>192.168.1.1</address></ip-filter></inbound></policies>",
> >         "format": "rawxml"
> >     }
> > }
>
> I'm trying to use the REST API; the body I'm passing is:
>
> {"properties":{"format":"xml","value":"<policies><inbound/><backend><forward-request/></backend><outbound/></policies>"}}
>
> When I call the api endpoint I get the following error:
>
> az : < was unexpected at this time. At C:\Data\apims1.ps1:8 char:1
>
> + az rest --method PUT --uri $uri --body $body
>     + CategoryInfo          : NotSpecified: (< was unexpected at this time.:String) [], RemoteException
>     + FullyQualifiedErrorId : NativeCommandError
>
> I've tried encoding the < > as &#60;/&#62; and also &lt;/&gt; but can't get the body to be accepted. I've also encoded the " as \" but it still fails.

I get the same...

dmedellin commented 4 months ago

Hi, could we get an update on this feature request? Thanks!

jepperaskdk commented 3 months ago

I can't get az rest to work if I add quotes in the policy.

This works:

$body = (@{
    properties = @{
        format = "xml"
        value = "<policies><inbound></inbound><backend></backend><outbound></outbound></policies>"
    }
} | ConvertTo-Json -Compress).Replace('"', '\"')

$url = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.ApiManagement/service/$ApimServiceName/policies/policy?api-version=2022-08-01"
az rest --method PUT --uri $url --body $body

But changing the policy to e.g. this, fails:

"<policies><inbound><set-header name=`"test`" exists-action=`"override`"><value>value</value></set-header></inbound><backend></backend><outbound></outbound></policies>"

< was unexpected at this time.

How should the quotes in the xml be escaped, while located within escaped json?
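
An added example, not part of the thread or of azure-cli: one way to build the body for the `az rest` workaround so that the policy XML is JSON-encoded under `properties` and passed as `--body @body.json`, which keeps quotes, `<` and long policies off the command line. It generalizes the URIs quoted in the thread to service, API and operation scope; the function names, the placeholder identifiers and the sample policy are assumptions made for the example.

```python
import json
import tempfile
from pathlib import Path

ARM = "https://management.azure.com"
API_VERSION = "2021-08-01"  # api-version used in the thread's az rest calls

def policy_uri(sub_id, rg, service, api_id=None, operation_id=None):
    """Policy URI at service scope, API scope or operation scope."""
    if operation_id and not api_id:
        raise ValueError("an operation policy also needs api_id")
    uri = (f"{ARM}/subscriptions/{sub_id}/resourceGroups/{rg}"
           f"/providers/Microsoft.ApiManagement/service/{service}")
    if api_id:
        uri += f"/apis/{api_id}"  # API scope covers all of its operations
    if operation_id:
        uri += f"/operations/{operation_id}"
    return f"{uri}/policies/policy?api-version={API_VERSION}"

def policy_body(policy_xml, fmt="rawxml"):
    """JSON-encode the policy; value and format sit under 'properties'."""
    if fmt not in ("xml", "rawxml"):
        raise ValueError("expected one of the thread's formats: xml, rawxml")
    # json.dumps escapes the quotes and newlines inside the XML.
    return json.dumps({"properties": {"format": fmt, "value": policy_xml}})

def az_rest_args(uri, policy_xml, workdir, fmt="rawxml"):
    """Write body.json and return the argument list for `az rest`."""
    body_file = Path(workdir) / "body.json"
    body_file.write_text(policy_body(policy_xml, fmt), encoding="utf-8")
    # Only the file reference reaches the command line, never the XML.
    return ["az", "rest", "--method", "PUT", "--uri", uri,
            "--body", f"@{body_file}"]

# Constructed sample policy with the double quotes and newlines that
# broke the inline --body attempts above.
SAMPLE_POLICY = """<policies>
  <inbound>
    <set-header name="test" exists-action="override"><value>value</value></set-header>
  </inbound>
  <backend></backend>
  <outbound></outbound>
</policies>"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Placeholder identifiers; substitute your own before running az.
        uri = policy_uri("SUB_ID", "RG_NAME", "SERVICE_NAME", api_id="API_ID")
        print(" ".join(az_rest_args(uri, SAMPLE_POLICY, tmp)))
```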

captainhook commented 3 months ago

@jepperaskdk did you figure out how to do this?

jepperaskdk commented 3 months ago

@captainhook No, I switched to PowerShell module. ☹️