-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Backup-AzApiManagement: BadRequest #23411
Comments
The API management PowerShell module was released in January. This is an issue on the service side. Let me loop in their team. |
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @solankisamir, @mikebudzynski, @KedarJoshi, @yingru97. |
Any update on this? We are still experiencing this issue and haven't been able to create a backup of our API Mangement for a while now... |
I've gotten this cmdlet to work by using managed identity on the You make sure the # Assets
$ApimResourceId = [string] ''
$StorageAccountResourceId = [string] ''
$ContainerName = [string] 'test-apim-backup'
$BackupName = [string] 'test-apim-backup-{0}.apimbackup' -f [datetime]::UtcNow.ToString('yyyyMMdd-HHmmss')
# Get storage account context
$StorageAccount = Get-AzResource -ResourceId $StorageAccountResourceId
$StorageContext = New-AzStorageContext -StorageAccountName $StorageAccount.'Name' -Protocol 'Https' -UseConnectedAccount
# Get Id of managed identity
$Apim = Get-AzResource -ResourceId $ApimResourceId
$ApimManagedIdentity = $Apim.'Identity'.Where{$_.'Type' -eq 'SystemAssigned'}
if ([string]::IsNullOrEmpty($ApimManagedIdentity.'PrincipalId')) {
Write-Error -ErrorRecord 'Stop' -Message ('Failed to find system assigned managed identity of "{0}".' -f $Apim.'Name')
}
# Do backup
Backup-AzApiManagement -ResourceGroupName $Apim.'ResourceGroup' -Name $Apim.'Name' -AccessType 'SystemAssignedManagedIdentity' `
-StorageContext $StorageContext -TargetContainerName $ContainerName -TargetBlobName $BackupName `
-IdentityClientId $ApimManagedIdentity.'PrincipalId' The principal/user running the script must obviously be authenticated, and have permissions to trigger an APIM backup. |
@o-l-a-v thank you for your response! However I don't quite understand since we do not use Cosmos DB, why is this necessary when we want to backup the APIM instance to a storage account? |
Oops, sorry, I ment APIM. This was about APIM, not Cosmos DB. |
Ah that makes a bit more sense 👍🏻 Will give this a try, thanks!! |
Got it working with the use of managed identity, however using the storage account keys still seems broken. For now I have a way to fix this, but it still is strange that the storage account keys version is not working anymore. @solankisamir, @mikebudzynski, @KedarJoshi, @yingru97 any feedback on that? |
You have a different error.
Edit: Updated the sample PowerShell with more failproofing. Click to expand<#
Prerequirements:
* APIM exists with managed identity enabled.
* Storage Account and container exists.
* APIM managed identity has suitable RBAC data-plane role on target Storage Account container.
* For instance: "Storage Blob Data Contributor".
#>
# PowerShell preferences
$ErrorActionPreference = 'Stop'
# Assets
$ApimResourceId = [string] '/subscriptions/<sub_id>/resourceGroups/<rg_name>/providers/Microsoft.ApiManagement/service/<apim_name>'
$StorageAccountResourceId = [string] '/subscriptions/<sub_id>/resourceGroups/<rg_name>/providers/Microsoft.Storage/storageAccounts/<stg_name>'
$StorageAccountContainerName = [string] 'test-apim-backup'
$BackupName = [string] 'test-apim-backup-{0}.apimbackup' -f [datetime]::UtcNow.ToString('yyyyMMdd-HHmmss')
# Get
## APIM and ID of its' managed identity
$Apim = Get-AzResource -ResourceId $ApimResourceId
$ApimManagedIdentity = $Apim.'Identity'.Where{$_.'Type' -eq 'SystemAssigned'}
## Storage account and its' context
$StorageAccount = Get-AzResource -ResourceId $StorageAccountResourceId
$StorageContext = New-AzStorageContext -StorageAccountName $StorageAccount.'Name' -Protocol 'Https' -UseConnectedAccount
# Failproofing
## APIM managed identity exists
if ([string]::IsNullOrEmpty($ApimManagedIdentity.'PrincipalId')) {
Write-Error -ErrorAction 'Stop' -Message ('Failed to find system assigned managed identity of "{0}".' -f $Apim.'Name')
}
## Storage Account container exists
if (-not $(Try{$null = Get-AzStorageContainer -Context $StorageContext -Name $StorageAccountContainerName -ErrorAction 'Stop'; $?}Catch{$false})) {
Write-Error -ErrorAction 'Stop' -Message ('Failed to find Storage Account "{0}" container "{1}".' -f $StorageAccount.'Name', $StorageAccountContainerName)
}
# Do backup
Backup-AzApiManagement -ResourceGroupName $Apim.'ResourceGroup' -Name $Apim.'Name' -AccessType 'SystemAssignedManagedIdentity' `
-StorageContext $StorageContext -TargetContainerName $StorageAccountContainerName -TargetBlobName $BackupName `
-IdentityClientId $ApimManagedIdentity.'PrincipalId'
|
It worked now thanks @o-l-a-v |
Description
We have been using
Backup-AzApiManagement
for quite a long time to backup our API Management instance, since this week this script has started failing with this error:When I add debug logging I find the following information:
Nothing on our side has changed as far as I know, what could be causing this issue?
Issue script & Debug output
Environment data
Module versions
Error output
The text was updated successfully, but these errors were encountered: