Azure / azure-cli

Azure Command-Line Interface
MIT License

How to update API Policy? #14695

Open JoshuaPHolden opened 4 years ago

JoshuaPHolden commented 4 years ago

Is there a way to update the policy for a given API through the CLI? Every time I update an API the policy gets wiped out and has to be manually added back.



captainhook commented 3 months ago

@captainhook No, I switched to PowerShell module. ☹️

Thanks. I am still struggling with this since I am using az cli in Azure DevOps and need it to work there.

@AndrewBates666 @seanksullivan, I'm guessing you didn't manage to resolve this either?

@KedarJoshi any update from MSFT end? The REST method works but it's not handling escapes properly - see above examples. Please advise. This is extremely debilitating to our work.

Tapanila commented 2 months ago

I didn't manage to get the quotes working, so I just switched to using a file.

function Set-OperationScopedPolicies() {
  param(
    [Parameter(Mandatory)][PSCustomObject]$OperationsOutput,
    [Parameter(Mandatory)][Hashtable]$OperationScopes
  )
  $bodyFileName = 'body.json'

  # Load the one-line JSON template and fill in the placeholders.
  # String.Replace returns a new string, so the calls are chained and the result is kept.
  $policyTemplate = Get-Content $PSScriptRoot/templates/filter-policy-template.xml -Raw
  $policy = $policyTemplate.Replace("{{OpenIdConfigUrl}}", "My secret values").Replace("{{Audience}}", "My secret values").Replace("{{SCOPE_NAMES}}", "My secret values")
  Set-Content -Path $bodyFileName -Value $policy

  # $operationid is not defined in the posted snippet; it has to be set before this line.
  $url = "https://management.azure.com/" + $operationid + "/policies/policy?api-version=2021-08-01"
  # Pass the body as a file (@file) so no shell quoting is applied to the JSON.
  $restResponse = az rest --method PUT --uri $url --body "@$bodyFileName" --output-file response.xml
  Remove-Item $bodyFileName
}

filter-policy-template.xml (This is in one line): {"properties":{"method":"PUT","value":"<policies>\r\n <inbound>\r\n <validate-jwt header-name=\"Authorization\" failed-validation-httpcode=\"401\" failed-validation-error-message=\"Unauthorized. Access token is missing or invalid.\">\r\n <openid-config url=\"{{OpenIdConfigUrl}}\" \/>\r\n <audiences>\r\n <audience>{{Audience}}<\/audience>\r\n <\/audiences>\r\n <required-claims>\r\n <claim name=\"groups\" match=\"any\">\r\n {{SCOPE_NAMES}} <\/claim>\r\n <\/required-claims>\r\n <\/validate-jwt>\r\n <base \/>\r\n <\/inbound>\r\n <backend>\r\n <base \/>\r\n <\/backend>\r\n <outbound>\r\n <base \/>\r\n <\/outbound>\r\n <on-error>\r\n <base \/>\r\n <\/on-error>\r\n<\/policies>","format":"rawxml"}}

tpschmidt commented 3 days ago

Managed to make this work on our side. Doesn't look too nasty I think. Key thing was to set format to rawxml and escape everything properly.

#!/bin/bash

SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)

SUBSCRIPTION_ID="YOUR_SUBSCRIPTION"
RESOURCE_GROUP_NAME="YOUR_RG"
APIM_SERVICE_NAME="YOUR_SERVICE"
API_NAME="YOUR_API"

# Load the policy from the XML file
POLICY_FILE="$SCRIPT_DIR/../policies/proxy.xml"
POLICY_CONTENT=$(cat "$POLICY_FILE")

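# Escape backslashes and double quotes, then join the lines with a literal \n
# (awk reads input line by line, so a gsub on /\n/ inside a record never matches)
ESCAPED_POLICY=$(printf '%s\n' "$POLICY_CONTENT" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }')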

# Construct the body with the loaded policy
BODY="{\"properties\":{\"format\":\"rawxml\",\"value\":\"$ESCAPED_POLICY\"}}"

RG_URL="https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME"
SERVICE_URL="$RG_URL/providers/Microsoft.ApiManagement/service/$APIM_SERVICE_NAME"
API_URL="$SERVICE_URL/apis/$API_NAME"
POLICY_URL="$API_URL/policies/policy?api-version=2022-09-01-preview"

az rest --method PUT --uri "$POLICY_URL" --body "$BODY" --headers "Content-Type=application/json"
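
Both scripts in this thread depend on the policy XML surviving the trip into a JSON string. The following is an added example, not code from any commenter or from the azure-cli project: it escapes a policy file for the `rawxml` body, covering backslashes, quotes, tabs, carriage returns and newlines. The function names `json_escape` and `build_policy_body` and the sample policy are made up for illustration.

```shell
#!/bin/bash
# Added example: build the JSON body for a rawxml policy PUT from an XML file.

# json_escape: read text on stdin, write it escaped for use inside a JSON string.
# Backslashes are doubled first so that later escapes are not escaped again.
json_escape() {
  _tab=$(printf '\t')
  _cr=$(printf '\r')
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
      -e "s/$_tab/\\\\t/g" -e "s/$_cr/\\\\r/g" |
    # Join the lines with a literal backslash-n; no trailing separator is added.
    awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
}

# build_policy_body FILE: wrap the escaped policy in the request body.
build_policy_body() {
  printf '{"properties":{"format":"rawxml","value":"%s"}}' "$(json_escape < "$1")"
}

# Constructed sample policy (not taken from the thread).
SAMPLE_POLICY=$(mktemp)
cat > "$SAMPLE_POLICY" <<'EOF'
<policies>
  <inbound>
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401">
      <openid-config url="https://login.example.invalid/.well-known/openid-configuration" />
    </validate-jwt>
    <base />
  </inbound>
</policies>
EOF

# Write the body to a file and hand it to az rest as @file, as in the
# PowerShell comment above, so the shell never re-parses the JSON:
#   build_policy_body policy.xml > body.json
#   az rest --method PUT --uri "$POLICY_URL" --body @body.json
build_policy_body "$SAMPLE_POLICY"
echo
rm -f "$SAMPLE_POLICY"
```
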