in-pv

Reputation: 15

403 when calling durable function status query via Azure API Management Service

I have an Azure Durable Functions Orchestration function configured and running in Azure.

I also have an Azure API Management Service configured to expose the orchestration function.

I can successfully call the orchestration function via the Azure API Management Service and get the 202 accepted and the Location header with the status query GET URL to poll until the orchestration function completes/fails etc.

If I call the relevant status query GET URL directly on the Azure function, e.g. https://some-ulr-to-the-function-app.azurewebsites.net/runtime/webhooks/durabletask/instances/cc970c6e2cb2426f99629c17cdd12345?code=q4NnjCbKTdBdH6712345dm4tnRRlYEAZ2tnZUliepmIKAzFuNUC0MQ==

I get a 200 response and the current status of the orchestration as expected.

If I try and expose this endpoint via the Azure API Management Service and attempt to get the status I get a 403 forbidden response. e.g. https://some-ulr-to-apim-service.azure-api.net/runtime/webhooks/durabletask/instances/cc970c6e2cb2426f99629c17cdd12345?code=q4NnjCbKTdBdH6712345dm4tnRRlYEAZ2tnZUliepmIKAzFuNUC0MQ==

So can this, /runtime/webhooks/durabletask/instances/cc970c6e2cb2426f99629c17cdd12345?code=q4NnjCbKTdBdH6712345dm4tnRRlYEAZ2tnZUliepmIKAzFuNUC0MQ==, endpoint be exposed via the Azure API Management Service? If so what should I look to be configuring to be able to expose this endpoint via the Azure API Management service?

I have tried giving direct access to the underlying storage account and tables where this instance data is held via the managed identity of the Azure API Management Service but am still getting the 403 Forbidden result.

In Application Insights I can see that the Azure API Management Service has passed on the request to the function app as expected but with the 403 result.

Any help would be much appreciated.

Upvotes: 1

Views: 706

Answers (1)

cam

Reputation: 73

@in-pv and I discovered the solution to the issue.

Summary

If querying the durable function's statusQueryGetUri through Azure API Management Service, make sure that the backend referenced in that API request has no custom headers defined in its authorization credentials.

Details

When setting up an API Management Service backend for an Azure Function App, Azure will provision a header called x-functions-key into the backend's authorization credentials. This header is required when interacting with your function app through the API Management Service, and its value should be your function app key. If you exclude this header you will receive a 401 Unauthorized error when trying to call your Azure function through the API Management Service.

If this header is included when you query a durable function's statusQueryGetUri, the durable function will return a 403 error. The header must be removed from the API Management Service backend authorization credentials for calls to the durable function status endpoint.

Upvotes: 1
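
A configuration check for the condition described in the answer above, as an added example that is not part of the original answer or of any Azure tooling. It reads API Management backend definitions and flags status-query routes that go through a backend with header credentials (403 per the answer) and other function routes whose backend does not send x-functions-key (401 per the answer). The `routes` inventory format, the backend names and the URLs are constructed assumptions.

```python
import json

DURABLE_PREFIX = "/runtime/webhooks/durabletask"
KEY_HEADER = "x-functions-key"

# Constructed sample. Backends use the ARM resource shape
# (properties.credentials.header); "routes" is a hypothetical inventory
# of which backend each APIM operation forwards to.
SAMPLE = json.loads("""
{"backends": [
   {"name": "func-with-key", "properties": {
      "url": "https://example-func.azurewebsites.net",
      "credentials": {"header": {"X-Functions-Key": ["{{func-key}}"]}}}},
   {"name": "func-no-creds", "properties": {
      "url": "https://example-func.azurewebsites.net"}}],
 "routes": [
   {"operation": "start", "urlTemplate": "/api/orchestrators/{name}",
    "backend": "func-with-key"},
   {"operation": "status", "backend": "func-with-key",
    "urlTemplate": "/runtime/webhooks/durabletask/instances/{id}"},
   {"operation": "status-fixed", "backend": "func-no-creds",
    "urlTemplate": "/Runtime/Webhooks/DurableTask/instances/{id}"}]}
""")


def backend_headers(backend):
    """Lower-cased header names set in a backend's credentials."""
    creds = (backend.get("properties") or {}).get("credentials") or {}
    return sorted(name.lower() for name in (creds.get("header") or {}))


def audit(config):
    """Return (operation, backend, expected_status) for routes expected to fail."""
    backends = {b["name"]: b for b in config["backends"]}
    findings = []
    for route in config["routes"]:
        headers = backend_headers(backends[route["backend"]])
        durable = route["urlTemplate"].lower().startswith(DURABLE_PREFIX)
        if durable and headers:
            # Status endpoint behind a backend that injects headers: 403.
            findings.append((route["operation"], route["backend"], 403))
        elif not durable and KEY_HEADER not in headers:
            # Ordinary function call without the key header: 401.
            findings.append((route["operation"], route["backend"], 401))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

With the sample data only the `status` route is reported, because it reaches the durable task webhook through the backend that carries the key header.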
