How to log Azure APIM user in Application Insights
Goal
Determine who is accessing which API endpoints within Azure APIM from Application Insights (AI).
Assumptions
- User = an individual person or Backend
- Several users may share the same Subscription Key
To exaggerate, consider having 10k users and they share the same subscription key (perhaps that is a wrong approach, but please continue reading).
Setup
APIM enabled sending logs to AI and a Log Analytics workspace
Attempt #1
I hit the API endpoint from Postman on my machine using a subscription key. I then did the same thing but from a VM. This resulted in two log entries in AI with 2 different IPs and the same subscription.
ApiManagementGatewayLogs
| project TimeGenerated, CallerIpAddress, ApiId, OperationId, ApimSubscriptionId
Attempt #2
Within the APIM instance, I went to Monitoring --> Analytics and clicked on the Users tab. This did not show any helpful information about the "User".
Discussion
It appears there is an unlimited number of subscription keys that can be made for a Standardv2 APIM instance. In that case, perhaps the correct approach is to solve this by creating 10k keys (treating them like API keys), but I haven't found guidance on that specifically.
I wouldn't expect APIM to know "who" is accessing it without it having being given the information. This is why I assume I'd need to employ JWT validation where the user would obtain a token and call the gateway. Given a JWT, the user name or system could be extracted from the JWT claims. Once I have the user claim, would I be able to enrich the AI logs with that information?
Questions
- Should subscriptions be treated like API keys?
- Should subscription keys be shared by multiple users or backends?
- How do I enrich Application Insight logs to include additional information, such as a JWT claim?
I am new to using Azure APIM and am looking forward to adopting it on our team. Thanks for any helpful advice in advance!
- Should subscriptions be treated like API keys?
Technically you can treat subscription keys as API Keys, but this will not be applicable in all the scenarios.
By default, when you create an API, a subscription key is required for API access.
You can use subscription keys as API keys in few scenarios where you can have a less data and it is detailed more clearly in the MSDoc here.
- Should subscription keys be shared by multiple users or backends?
Technically the sharing a subscription key with a group of users or backends can be done, but it is not well recommended if you are trying to retrieve a granular user level data identity.
For example, if you have a single subscription key which is used by many users or backend applications, it becomes difficult to identify who accessed what and which application.
So, assigning a unique subscription key to each individual user or backend is more flexible for tracking the required data.
If still you want to assign multiple users or backend applications a same subscription key, make sure you are implementing a unique identifier within a JWT token that each user’s request has or as a query parameter.
- How do I enrich Application Insight logs to include additional information?
To enrich Application Insights for adding the additional details, you can first configure API management service to validate JWTs, and extract user claims. Now, pass this information to Application Insights further.
Note: You can use logging or trace policies in the <outbound> policy to send and retrieve the data.
To validate JWT, Go to APIM and add an inbound validate-JWT policy by including authentication header, claims and also an open Id URL as shown below.
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Not accessible">
<openid-config url="https://login.microsoftonline.com/tenantID/v2.0/.well-known/openid-configuration" />
<audiences>
<audience>api://d172xxxxadcab</audience>
</audiences>
<required-claims>
<claim name="aud" match="all">
<value>d17229xxx71eadcab</value>
</claim>
</required-claims>
</validate-jwt>
And also, you need to use set-variable to extract the required user claims such as userid and add it in the logs for retrieval.
Once sending logs is done, you can query the data from Application insights accordingly with the specific query related language. (Eg: KQL)
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?