Closed ShubjeetPal closed 8 months ago
I think you're right that the Reader Role for the APIM Managed Identity is no longer necessary.
I think it may be a hangover from a previous version of the example where the Products were fetched indirectly via a products API exposed through APIM, which used the Managed Identity as the authentication method to retrieve the products.
But now the Billing web app is fetching the Products via the APIM Management API directly, authenticating as the Service Principal that has the Contributor role.
I've just remembered why it's required - we call the products API as part of the stripeInitialisation.ps1 script:
https://github.com/microsoft/azure-api-management-monetization/blob/5e92670e603d75bf12a4d6a44e4cd679d078c652/payment/stripeInitialisation.ps1#L77
The API Management is given Reader Role. What is the purpose of this role and where is it used?
Asking this question because there is already a Service Principal which is given Contributor Role. The Billing web app authenticates to the API Management management API using this service principal to create/update the API Management subscription after checkout using APIM APIs.