Get password for Azure API Management Git repository through PowerShell


I am trying to run some automation for our test and production instances of Azure API Management, and am exploring the Git configuration. Based on the answer and its comments from this post, I was able to make this PowerShell script that works partially:

$resourceGroupName = '<My resource group name>'
$serviceName = '<My Azure Api Management instance name>'
$gitUser = '<username for Git found in APIM Publisher Portal>'

$apimContext = New-AzureRmApiManagementContext -ResourceGroupName $resourceGroupName -ServiceName $serviceName

$user = (Get-AzureRmApiManagementUser -Context $apimContext) | Select-Object -First 1

$expiry = Get-Date ((Get-Date).AddDays(29)) -Format "yyyy-MM-ddTHH:mm:ss.000Z"
$parameters = @{ "keyType"= "primary"; "expiry"= "$expiry"; }

$pw = Invoke-AzureRmResourceAction  -ResourceGroupName $resourceGroupName `
                                    -ResourceType 'Microsoft.ApiManagement/service/users' `
                                    -Action 'token' `
                                    -ResourceName "$serviceName/$($user.UserId)" `
                                    -ApiVersion "2016-10-10" `
                                    -Parameters $parameters

# URL-encode password (System.Web is not loaded by default in every PowerShell host):
Add-Type -AssemblyName System.Web
$pwUrlencodedLowerCase = [System.Web.HttpUtility]::UrlEncode($pw.value)

# Seems like password has to be URL-encoded with UPPERCASE hexadecimal digits (e.g. %3D instead of %3d) for Git to authenticate properly:
[regex]$regex='(%[0-9a-f][0-9a-f])'
$pwUrlencoded = $regex.Replace($pwUrlencodedLowerCase, {$args[0].Value.ToUpper()})

$gitUrl = "https://${gitUser}:$pwUrlencoded@$serviceName.scm.azure-api.net/"

git clone $gitUrl

This fails with:

Cloning into '<servicename>.scm.azure-api.net'...
fatal: unable to access 'https://apim:<pwUrlencoded>@<servicename>.scm.azure-api.net/': The requested URL returned error: 403

The script works OK if I paste in a password from the APIM Publisher Portal directly instead of $pw.value in this line:

$pwUrlencodedLowerCase = [System.Web.HttpUtility]::UrlEncode('<Pasted password from portal>')

So the urlencode and regexing part is not my primary suspect.

What am I doing wrong here?

Best answer:

I also posted more or less the same question here at the Microsoft Azure Support site, and there I got a reply from "Sheetal J S" that solved the problem for me.

The main issue was this line:

$user = (Get-AzureRmApiManagementUser -Context $apimContext) | Select-Object -First 1

Instead, getting the user Id for the Git access like this:

$gitAccess = Get-AzureRmApiManagementTenantGitAccess -Context $apimContext
$userId = $gitAccess.Id

And then referencing that Id in the resource name when calling Invoke-AzureRmResourceAction made it work as I wanted. The full working script is then like this (in case someone else would benefit from it):

$resourceGroupName = '<My resource group name>'
$serviceName = '<My Azure Api Management instance name>'
$gitUser = '<username for Git found in APIM Publisher Portal>'

$apimContext = New-AzureRmApiManagementContext -ResourceGroupName $resourceGroupName -ServiceName $serviceName

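# Use the Id of the tenant Git access entity, not the first user returned by Get-AzureRmApiManagementUser:
$gitAccess = Get-AzureRmApiManagementTenantGitAccess -Context $apimContext
$userId = $gitAccess.Id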

$expiry = Get-Date ((Get-Date).AddDays(29)) -Format "yyyy-MM-ddTHH:mm:ss.000Z"
$parameters = @{ "keyType"= "primary"; "expiry"= "$expiry"; }

# Request a token for the Git access entity:
$pw = Invoke-AzureRmResourceAction  -ResourceGroupName $resourceGroupName `
                                    -ResourceType 'Microsoft.ApiManagement/service/users' `
                                    -Action 'token' `
                                    -ResourceName "$serviceName/$userId" `
                                    -ApiVersion "2016-10-10" `
                                    -Parameters $parameters

# URL-encode password (System.Web is not loaded by default in every PowerShell host):
Add-Type -AssemblyName System.Web
$pwUrlencodedLowerCase = [System.Web.HttpUtility]::UrlEncode($pw.value)

# Seems like password has to be URL-encoded with UPPERCASE hexadecimal digits (e.g. %3D instead of %3d) for Git to authenticate properly:
[regex]$regex='(%[0-9a-f][0-9a-f])'
$pwUrlencoded = $regex.Replace($pwUrlencodedLowerCase, {$args[0].Value.ToUpper()})

$gitUrl = "https://${gitUser}:$pwUrlencoded@$serviceName.scm.azure-api.net/"

git clone $gitUrl
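
An added example, not part of the original answer: cloning from a URL that embeds the token, as the script above does, leaves the token in the clone's `.git/config` as the `origin` URL. The function below sends the same user name and token as an HTTP Basic `Authorization` header scoped to the APIM host, passed through Git's `GIT_CONFIG_*` environment variables, so nothing is written to the repository and no URL-encoding is needed. The function and parameter names are hypothetical, and it assumes Git 2.31 or later and that the APIM Git endpoint accepts a preemptive Basic header.

```powershell
# Added example. Function and parameter names are hypothetical.
# Assumes Git 2.31+ (GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n)
# and that the APIM Git endpoint accepts a preemptive HTTP Basic header.

function New-BasicAuthHeader {
    param([string]$UserName, [string]$Password)
    # Basic auth is base64("user:password"); the raw token needs no URL-encoding.
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("${UserName}:${Password}")
    return 'Authorization: Basic ' + [Convert]::ToBase64String($bytes)
}

function Invoke-ApimGitClone {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$GitUser,
        [Parameter(Mandatory)][string]$Token,        # e.g. $pw.value from the script above
        [string]$Destination = $ServiceName
    )
    $repoUrl = "https://$ServiceName.scm.azure-api.net/"
    # Scope the header to this host so it is not sent to any other URL.
    $gitEnv = @{
        GIT_CONFIG_COUNT   = '1'
        GIT_CONFIG_KEY_0   = "http.${repoUrl}.extraHeader"
        GIT_CONFIG_VALUE_0 = New-BasicAuthHeader -UserName $GitUser -Password $Token
    }
    $saved = @{}
    try {
        foreach ($name in $gitEnv.Keys) {
            $saved[$name] = [Environment]::GetEnvironmentVariable($name)
            [Environment]::SetEnvironmentVariable($name, $gitEnv[$name])  # process scope only
        }
        git clone $repoUrl $Destination
        if ($LASTEXITCODE -ne 0) { throw "git clone failed with exit code $LASTEXITCODE" }
    }
    finally {
        # Restore the previous values; assigning $null removes the variable.
        foreach ($name in $gitEnv.Keys) {
            [Environment]::SetEnvironmentVariable($name, $saved[$name])
        }
    }
}

# Usage with the variables from the script above:
# Invoke-ApimGitClone -ServiceName $serviceName -GitUser $gitUser -Token $pw.value
```

Later `git pull` and `git push` calls need the same environment variables set, since the clone itself stores no credentials.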