Open pim-simons opened 8 months ago
The API management PowerShell module was released in January. This is an issue on the service side. Let me loop in their team.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @solankisamir, @mikebudzynski, @KedarJoshi, @yingru97.
Any update on this? We are still experiencing this issue and haven't been able to create a backup of our API Management for a while now...
I've gotten this cmdlet to work by using managed identity on the ~Cosmos DB~ APIM, instead of storage account SAS key.
You make sure the ~Cosmos DB~ APIM has system assigned managed identity enabled, then give it (for instance) "Storage Blob Data Contributor" on the Storage Account container you want the backup to be written to. Then do something like this to trigger the backup job.
```powershell
# Assets
$ApimResourceId = [string] ''
$StorageAccountResourceId = [string] ''
$ContainerName = [string] 'test-apim-backup'
$BackupName = [string] 'test-apim-backup-{0}.apimbackup' -f [datetime]::UtcNow.ToString('yyyyMMdd-HHmmss')

# Get storage account context (uses the signed-in Azure AD account, no storage key or SAS)
$StorageAccount = Get-AzResource -ResourceId $StorageAccountResourceId
$StorageContext = New-AzStorageContext -StorageAccountName $StorageAccount.'Name' -Protocol 'Https' -UseConnectedAccount

# Get Id of managed identity
$Apim = Get-AzResource -ResourceId $ApimResourceId
$ApimManagedIdentity = $Apim.'Identity'.Where{$_.'Type' -eq 'SystemAssigned'}
if ([string]::IsNullOrEmpty($ApimManagedIdentity.'PrincipalId')) {
    # -ErrorAction 'Stop' makes this a terminating error, so the backup below is not attempted
    Write-Error -ErrorAction 'Stop' -Message ('Failed to find system assigned managed identity of "{0}".' -f $Apim.'Name')
}

# Do backup (Get-AzResource exposes the resource group as 'ResourceGroupName')
Backup-AzApiManagement -ResourceGroupName $Apim.'ResourceGroupName' -Name $Apim.'Name' -AccessType 'SystemAssignedManagedIdentity' `
    -StorageContext $StorageContext -TargetContainerName $ContainerName -TargetBlobName $BackupName `
    -IdentityClientId $ApimManagedIdentity.'PrincipalId'
```
The principal/user running the script must obviously be authenticated, and have permissions to trigger an APIM backup.
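The prerequisite described in the comment above (system-assigned identity enabled, "Storage Blob Data Contributor" granted on the backup container) can be checked and applied before the backup runs. This is an added example, not code from the thread or from the Az module's documentation; the placeholder names are assumptions, and it assumes the container already exists and that the caller is allowed to create role assignments.

```powershell
# Added example. All values in angle brackets are placeholders (assumptions).
$ResourceGroupName = '<apim-resource-group>'
$ApimName          = '<apim-name>'
$StorageAccountId  = '<storage-account-resource-id>'
$ContainerName     = 'test-apim-backup'
$RoleName          = 'Storage Blob Data Contributor'

# 1. The APIM instance must expose a system-assigned managed identity.
$Apim = Get-AzApiManagement -ResourceGroupName $ResourceGroupName -Name $ApimName -ErrorAction 'Stop'
$PrincipalId = [string] $Apim.Identity.PrincipalId
if ([string]::IsNullOrEmpty($PrincipalId)) {
    throw ('"{0}" has no system assigned managed identity; enable it before granting access.' -f $ApimName)
}

# 2. Scope the grant to the single backup container, not the whole storage account,
#    so the identity cannot read or write any other container.
$Scope = '{0}/blobServices/default/containers/{1}' -f $StorageAccountId.TrimEnd('/'), $ContainerName

# 3. Create the role assignment only if it is not already effective at that scope.
$Effective = @(Get-AzRoleAssignment -ObjectId $PrincipalId -Scope $Scope -ErrorAction 'Stop')
if (-not ($Effective | Where-Object { $_.RoleDefinitionName -eq $RoleName })) {
    $null = New-AzRoleAssignment -ObjectId $PrincipalId -RoleDefinitionName $RoleName `
        -Scope $Scope -ErrorAction 'Stop'
    $Effective = @(Get-AzRoleAssignment -ObjectId $PrincipalId -Scope $Scope -ErrorAction 'Stop')
}

# 4. List everything the identity holds at this scope. A row whose Scope is the
#    storage account, resource group or subscription is a broader grant than the backup needs.
$Effective |
    Select-Object -Property 'RoleDefinitionName', 'Scope' |
    Sort-Object -Property 'Scope' |
    Format-Table -AutoSize
```

New role assignments can take a few minutes to propagate, so a backup triggered immediately afterwards may still be denied.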
@o-l-a-v thank you for your response! However I don't quite understand since we do not use Cosmos DB, why is this necessary when we want to backup the APIM instance to a storage account?
Oops, sorry, I meant APIM. This was about APIM, not Cosmos DB.
Ah that makes a bit more sense 👍🏻 Will give this a try, thanks!!
Got it working with the use of managed identity, however using the storage account keys still seems broken.
For now I have a way to fix this, but it still is strange that the storage account keys version is not working anymore. @solankisamir, @mikebudzynski, @KedarJoshi, @yingru97 any feedback on that?
I am still getting the below error using managed identities, I followed the above mentioned steps.
@pim-simons @o-l-a-v
@Nealsaha1007
You have a different error.
-Debug?
Edit: Updated the sample PowerShell with more failproofing.
It worked now thanks @o-l-a-v
Description
We have been using Backup-AzApiManagement for quite a long time to backup our API Management instance, since this week this script has started failing with this error:
When I add debug logging I find the following information:
Nothing on our side has changed as far as I know, what could be causing this issue?