Is it possible to create a policy that will conditionally expose an api management endpoint in azure even when a opim-subscription key is required?

Question

An example of what I am looking for is as follows but the allow-access element does not exist. What can I replace with so that the subscription key is not checked. i.e. in this case it would allow all callers access to the controller as long as they are making GET requests.

<policies>
<inbound>
    <base />
    <choose>
        <when condition="@(context.Request.Method.Equals("GET"))">
            <allow-access />
        </when>
    </choose>
</inbound>
<backend>
    <base />
</backend>
<outbound>
    <base />
</outbound>
<on-error>
    <base />
</on-error>

Any help would be appreciated.

Answer 1

A workaround would be to turn off the Requires subscription setting on the product and check the subscription key in the inbound policy by yourself. Here is an example of how to do it.

1. Go to Settings of Starter product.
2. Uncheck Requires subscription and save.
3. Open the policies of the product and add the following policy to the inbound. The value of <check-header> policy is the subscription key of the Starter product.

<choose>
    <when condition="@(!context.Request.Method.Equals("GET"))">
        <check-header name="Ocp-Apim-Subscription-Key" failed-check-httpcode="401" failed-check-error-message="Not authorized" ignore-case="false">
            <value>920b4e307f4f41ff9bd4a3bd6a5450ee</value>
        </check-header>
    </when>
</choose>