
Is managed identity available for communication between API Management service and Azure functions?

I have an Azure API Management service communicating with Azure functions runtime v1. Currently when I deploy a new version of the Function App (using a CI/CD pipeline in Azure DevOps, and using built-in Microsoft tasks), the function keys (including the master key) change. Consequently, the key that the API Management's API is injecting in the requests to the function is no longer valid, and I get a 401 - Unauthorized. So, I have at the moment a task in the pipeline to update these keys anytime I deploy the Function App. The API Management provides a feature to enable Managed Identity, but when I try to create a role assignment in the Function App to the API Management, under the System assigned managed identity, I don't have the option for API Management service. So I presume it is not possible to set up this role assignment between the two services, right? If not, then is there any suggestion for a workaround to avoid managing keys for the communication between API Management service and Azure Functions?

Thanks

UPDATE

Managed Identity can now be used by leveraging the authentication-managed-identity policy.


Yes. Managed Identity cannot be used here.

One alternative would be to protect your function app with an IP restriction using the APIM instance's IP, which is guaranteed to be static as long as it isn't recreated, and setting the function to be an anonymous function.

Note that you might have problems accessing the function from the portal too, for which you would have to allow the public IP of the computer you are using to access it, if required.

Another option would be to

You could probably try caching this access token using the cache policies.
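
The authentication-managed-identity policy mentioned in the update, shown as an added example that is not part of the original answer. It assumes the API Management instance has its system-assigned identity enabled, the Function App has App Service Authentication (Azure AD) turned on with the functions set to anonymous authorization level, and `api://FUNCTION-APP-AAD-APPLICATION-ID` is a placeholder for that app registration's Application ID URI.

```xml
<policies>
    <inbound>
        <base />
        <!--
            Ask Azure AD for a token issued to the API Management instance's
            managed identity, with the Function App's app registration as the
            audience. The policy places the token in the Authorization header
            of the backend request using the Bearer scheme.
            The resource value is a placeholder (assumption), not a real ID.
        -->
        <authentication-managed-identity resource="api://FUNCTION-APP-AAD-APPLICATION-ID" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With this in place the backend call no longer depends on a function key, so redeploying the Function App does not invalidate anything stored in API Management.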
