microsoft / azure-api-management-monetization

MIT License

Purpose of Reader Role Assigned to API Management Service besides the Service Principal Contributor Role #34

Closed ShubjeetPal closed 8 months ago

ShubjeetPal commented 2 years ago

The API Management service is given the Reader role. What is the purpose of this role, and where is it used?

resource apimManagedIdentityReaderRole 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  scope: resourceGroup()
  name: guid(apiManagementService.id, readerRoleId)
  properties: {
    roleDefinitionId: readerRoleId
    principalId: apiManagementService.identity.principalId
  }
}

Asking this question because there is already a service principal which is given the Contributor role. The Billing web app authenticates to the API Management management API using this service principal to create/update the API Management subscription after checkout, using the APIM APIs.

resource servicePrincipalContributorRole 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(resourceGroup().id, servicePrincipalObjectId, contributorRoleId)
  scope: resourceGroup()
  properties: {
    roleDefinitionId: contributorRoleId
    principalId: servicePrincipalObjectId
  }
}
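
As an added illustration (not a template from this repository), here are the same two role assignments with the Contributor assignment narrowed from the whole resource group to the API Management service itself. It assumes the Billing web app only needs to manage objects (products, subscriptions) on this one APIM instance, and that `apiManagementServiceName` and `servicePrincipalObjectId` are supplied as parameters; the Reader assignment is kept at resource-group scope exactly as in the issue. The role definition GUIDs are the Azure built-in Reader and Contributor ids.

```bicep
// Added example, not the repository's own deployment template.
// Assumption: the Billing web app only needs rights on this single APIM service,
// so Contributor is scoped to that resource instead of the resource group.
param apiManagementServiceName string
param servicePrincipalObjectId string

// Azure built-in role definition ids (Reader and Contributor)
var readerRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
var contributorRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')

// Reference the already-deployed APIM service so its system-assigned identity can be read
resource apiManagementService 'Microsoft.ApiManagement/service@2021-08-01' existing = {
  name: apiManagementServiceName
}

// Reader for the APIM managed identity, unchanged from the issue (resource-group scope)
resource apimManagedIdentityReaderRole 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  scope: resourceGroup()
  name: guid(apiManagementService.id, readerRoleId)
  properties: {
    roleDefinitionId: readerRoleId
    principalId: apiManagementService.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// Contributor for the Billing web app's service principal, now limited to the APIM resource
resource servicePrincipalContributorRole 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  scope: apiManagementService
  name: guid(apiManagementService.id, servicePrincipalObjectId, contributorRoleId)
  properties: {
    roleDefinitionId: contributorRoleId
    principalId: servicePrincipalObjectId
    principalType: 'ServicePrincipal'
  }
}
```

Setting `principalType: 'ServicePrincipal'` avoids the intermittent "principal not found" failure when an assignment is created shortly after the principal, and the narrower `scope:` means the Billing app's credential no longer carries Contributor over every other resource in the group. After deployment, `az role assignment list --scope <apim resource id>` lists exactly which principals hold which roles on the service, which is the quickest way to confirm nothing broader than intended was granted.
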

MikeEvansLarah commented 8 months ago

I think you're right that the Reader Role for the APIM Managed Identity is no longer necessary.

I think it may be a hangover from a previous version of the example where the Products were fetched indirectly via a products API exposed through APIM, which used the Managed Identity as the authentication method to retrieve the products.

But now the Billing web app is fetching the Products via the APIM Management API directly, authenticating as the Service Principal that has the Contributor role.

MikeEvansLarah commented 8 months ago

I've just remembered why it's required - we call the products API as part of the stripeInitialisation.ps1 script: https://github.com/microsoft/azure-api-management-monetization/blob/5e92670e603d75bf12a4d6a44e4cd679d078c652/payment/stripeInitialisation.ps1#L77