Azure / azure-powershell

Microsoft Azure PowerShell

[Feature]: Enable PATCH operation on Set-AzApiManagement -InputObject #19157

Open jdoblams opened 2 years ago

jdoblams commented 2 years ago

Description of the new feature

Related command Set-AzApiManagement -InputObject

Is your feature request related to a problem? Please describe.

Scenario: APIM with VNET injection. When you want to perform an update operation on the APIM, such as changing the SKU, and you only have RBAC permissions on the APIM, you cannot update it because of missing permissions, as below:

```
Code: LinkedAuthorizationFailed
Message: The client 'xxxxx@xxxxxx.com' with object id 'xxxxxx-xxxxx-xxxxx-xxxx-xxxxxx' has permission to perform action 'Microsoft.ApiManagement/service/write' on scope '/subscriptions/xxxxxxx-xxxx-xxx-xxxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.ApiManagement/service/apimtestnodel'; however, it does not have permission to perform action 'join/action' on the linked scope(s) '/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.Network/virtualNetworks/moftest-vnet/subnets/apimsub' or the linked scope(s) are invalid.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f16fc097640>]
```

This error appears because "Set-AzApiManagement -InputObject" uses a PUT method to perform the update, and to complete the PUT you need to have permissions on all the subproperties configured at the APIM level.

Describe the solution you'd like

We would like to have a PATCH operation for the "Set-AzApiManagement -InputObject" command, the same as you can perform over the REST API at the following link: https://docs.microsoft.com/en-us/rest/api/apimanagement/current-ga/api-management-service/update?tabs=HTTP

Proposed implementation details (optional)

Describe alternatives you've considered

There is currently a command which has both options to perform the update: "customlocations", at the following link: https://docs.microsoft.com/en-us/cli/azure/customlocation?view=azure-cli-latest

Additional context

From "customlocations" you can patch or update, as you can see in the following image:

![image](https://user-images.githubusercontent.com/102793362/183040433-efb4ca19-86d8-48a9-b199-b5b07da3f90d.png)

Full output from the "Set-AzApiManagement" command without permissions on the VNET:

```
PS /home/jose> $apim = Get-AzApiManagement -ResourceGroupName "moftest" -Name "apimtestnodel"
PS /home/jose> $apim.Sku = "Premium"
PS /home/jose> $apim.Capacity = 1
PS /home/jose> Set-AzApiManagement -InputObject $apim
Set-AzApiManagement: Operation returned an invalid status code 'Forbidden'
PS /home/jose> Set-AzApiManagement -InputObject $apim -Verbose
VERBOSE: Performing the operation "Set an API Management service." on target "apimtestnodel".
Set-AzApiManagement: Operation returned an invalid status code 'Forbidden'
PS /home/jose> Set-AzApiManagement -InputObject $apim -Verbose -Debug
DEBUG: 2:42:38 PM - SetAzureApiManagement begin processing with ParameterSet '__AllParameterSets'.
DEBUG: 2:42:38 PM - using account id 'xxxxx@xxxx'...
DEBUG: 2:42:38 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].

Confirm
Are you sure you want to perform this action?
Performing the operation "Set an API Management service." on target "apimtestnodel".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): A
DEBUG: [Common.Authentication]: Authenticating using Account: 'xxxxx@xxxx', environment: 'AzureCloud', tenant: 'xxxxx-xxxx-xxxx-xxxx-xxx'
DEBUG: 2:42:41 PM - [ManagedServiceIdentityAuthenticator] Calling ManagedIdentityCredential.GetTokenAsync - TenantId:'xxxxx-xxxx-xxxx-xxxx-xxx', Scopes:'https://management.core.windows.net/', UserId:''
DEBUG: ManagedIdentityCredential.GetToken invoked. Scopes: [ https://management.core.windows.net/ ] ParentRequestId:
DEBUG: Request [2aefb352-9043-4982-984c-7bd86be1e32b] POST http://localhost:50342/oauth2/token
Metadata:REDACTED
x-ms-client-request-id:2aefb352-9043-4982-984c-7bd86be1e32b
x-ms-return-client-request-id:true
User-Agent:azsdk-net-Identity/1.6.0,(.NET 6.0.6; Linux 5.4.0-1086-azure #91~18.04.1-Ubuntu SMP Thu Jun 23 20:33:05 UTC 2022)
Content-Type:application/x-www-form-urlencoded
client assembly: Azure.Identity
DEBUG: Response [2aefb352-9043-4982-984c-7bd86be1e32b] 200 OK (00.0s)
X-Powered-By:REDACTED
ETag:W/"8f6-xxxxxxxxxxxxxxxxx"
Date:Wed, 03 Aug 2022 14:42:41 GMT
Connection:keep-alive
Content-Type:application/json; charset=utf-8
Content-Length:2294

DEBUG: ManagedIdentityCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net/ ] ParentRequestId: ExpiresOn: 2022-08-03T15:48:58.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'xxxxx-xxxx-xxxx-xxxx-xxx', UserId: 'xxxxx@xxxx'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com/subscriptions/xxxxxx-xxxxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.ApiManagement/service/apimtestnodel?api-version=2021-08-01

Headers:
x-ms-client-request-id        : 64cd2370-39ba-4230-aaf3-55606fdc1972
Accept-Language               : en-US

Body:
{
  "properties": {
    "notificationSenderEmail": "apimgmt-noreply@mail.windowsazure.com",
    "hostnameConfigurations": [
      {
        "type": "Proxy",
        "hostName": "apimtestnodel.azure-api.net",
        "defaultSslBinding": true,
        "negotiateClientCertificate": false,
        "certificateSource": "BuiltIn"
      }
    ],
    "publicIpAddressId": "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.Network/publicIPAddresses/apimtestnodel",
    "publicNetworkAccess": "Enabled",
    "virtualNetworkConfiguration": {
      "subnetResourceId": "/subscriptions/xxxxxx-xxxxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.Network/virtualNetworks/moftest-vnet/subnets/apimsub"
    },
    "customProperties": {
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168": "false",
      "Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2": "false"
    },
    "disableGateway": false,
    "virtualNetworkType": "External",
    "publisherEmail": "louay@louay.com",
    "publisherName": "louay"
  },
  "sku": {
    "name": "Premium",
    "capacity": 1
  },
  "location": "West US",
  "tags": {}
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : 91a682d1-f2a7-4c21-a29c-48f1a6f3ec86
x-ms-correlation-request-id   : 91a682d1-f2a7-4c21-a29c-48f1a6f3ec86
x-ms-routing-request-id       : WESTEUROPE:20220803T144241Z:91a682d1-f2a7-4c21-a29c-48f1a6f3ec86
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Wed, 03 Aug 2022 14:42:41 GMT
Connection                    : close

Body:
{
  "error": {
    "code": "LinkedAuthorizationFailed",
    "message": "The client 'xxxx@xxx.com' with object id 'xxxx-xxxx-xxxxx-xxxxxxx' has permission to perform action 'Microsoft.ApiManagement/service/write' on scope '/subscriptions/xxxxxx-xxxxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.ApiManagement/service/apimtestnodel'; however, it does not have permission to perform action 'join/action' on the linked scope(s) '/subscriptions/xxxxxx-xxxxxx-xxxx-xxxxx/resourceGroups/moftest/providers/Microsoft.Network/virtualNetworks/moftest-vnet/subnets/apimsub' or the linked scope(s) are invalid."
  }
}

DEBUG: 2:42:41 PM - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
Set-AzApiManagement: Operation returned an invalid status code 'Forbidden'
DEBUG: 2:42:41 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.ApiManagement:3.0.0; CommandName: Set-AzApiManagement; PSVersion: 7.2.5; IsSuccess: False; Duration: 00:00:02.4164112; Exception: Operation returned an invalid status code 'Forbidden';
DEBUG: Finish sending metric.
DEBUG: 2:42:41 PM - SetAzureApiManagement end processing.
```
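As an added example, not code from the issue or from the Az.ApiManagement module, the PATCH the issue asks for can be sent today from PowerShell with Invoke-AzRestMethod (Az.Accounts), against the same resource path and api-version the cmdlet PUTs to in the -Debug trace above. The request body carries only the property being changed, so it contains no subnet or public IP reference. The example assumes an existing Connect-AzAccount session, reuses the resource group and service name from the issue with a placeholder subscription id, and the function name Set-ApimSkuViaPatch is hypothetical.

```powershell
# Added example (not from the issue or the Az.ApiManagement module).
# Scale an API Management instance by PATCHing only its sku, instead of
# PUTting the whole resource the way Set-AzApiManagement -InputObject does.
# Requires Az.Accounts (Invoke-AzRestMethod) and a signed-in Azure context.

function Set-ApimSkuViaPatch {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $SkuName,
        [int]    $Capacity   = 1,
        [string] $ApiVersion = '2021-08-01'   # same api-version as the PUT in the issue
    )

    # Same ARM path the cmdlet used, but the method is PATCH (the REST "Update" operation).
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.ApiManagement/service/$Name" +
            "?api-version=$ApiVersion"

    # Minimal body: only sku. No virtualNetworkConfiguration and no publicIpAddressId,
    # so the request references no linked resource for ARM's linked access check.
    $body = @{ sku = @{ name = $SkuName; capacity = $Capacity } } | ConvertTo-Json -Depth 5

    if (-not $PSCmdlet.ShouldProcess($Name, "PATCH sku to $SkuName/$Capacity")) { return }

    $response = Invoke-AzRestMethod -Method PATCH -Path $path -Payload $body

    # 200 = applied, 202 = accepted as a long-running operation; anything else is a failure.
    if ($response.StatusCode -notin @(200, 202)) {
        # Surface the ARM error code (e.g. LinkedAuthorizationFailed) rather than a bare 'Forbidden'.
        $err = ($response.Content | ConvertFrom-Json).error
        throw "PATCH $Name failed with HTTP $($response.StatusCode): $($err.code) - $($err.message)"
    }
    return $response
}

# Usage: names from the issue, subscription id is a placeholder.
$resp = Set-ApimSkuViaPatch -SubscriptionId '00000000-0000-0000-0000-000000000000' `
    -ResourceGroupName 'moftest' -Name 'apimtestnodel' -SkuName 'Premium' -Capacity 1

# Confirm the SKU change landed without the VNet configuration having been resent.
$apim = Get-AzApiManagement -ResourceGroupName 'moftest' -Name 'apimtestnodel'
'{0} / {1} (HTTP {2})' -f $apim.Sku, $apim.Capacity, $resp.StatusCode
```

Run the call with -Debug once and read the HTTP REQUEST trace, as the issue did for the PUT, to confirm on your own instance that the method is PATCH and the body holds only sku; whether ARM then skips the subnet join check is the premise the issue relies on, so verify it rather than assume it. If a raw REST call is not acceptable and the cmdlet must keep working, the least-privilege fix on the RBAC side is a custom role that grants only Microsoft.Network/virtualNetworks/subnets/join/action scoped to the apimsub subnet, rather than a broader Network Contributor assignment.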

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @adrianhall, @KedarJoshi.

Issue Details
Author: jdoblams
Assignees: -
Labels: `API Management`, `feature-request`, `Service Attention`, `customer-reported`
Milestone: -