
Question: Managed identity self-managed managed app scenario to publish to marketplace API #218

Open
cveld opened this issue Feb 14, 2025 · 1 comment

Comments

@cveld

cveld commented Feb 14, 2025

Can you explain how the compute is able to pull the managed app's managed identity to publish to the marketplace metering API?
So far I was only able to find guidance on how the publisher can pull the managed identity through the listTokens API:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/publish-managed-identity#accessing-the-managed-identity-token

Maybe I don't understand; when I am reading:
https://learn.microsoft.com/en-us/partner-center/marketplace-offers/marketplace-metering-service-authentication#using-the-azure-managed-identities-token
how is it possible that the system identity of the VM is able to publish to the marketplace metering API?

@chgeuer chgeuer changed the title Managed identity self-managed managed app scenario to publish to marketplace api Question: Managed identity self-managed managed app scenario to publish to marketplace API Feb 19, 2025
@chgeuer (Member)

chgeuer commented Feb 19, 2025

Every managed identity within the managed resource group should be authorized to make a REST call to the Azure Metered Billing API, i.e. getting a token `metering_access_token` like

```http
GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=20e940b3-4c77-4b0b-9a53-9e16a1b010a7 HTTP/1.1
Host: 169.254.169.254
Metadata: true
```

Then you can craft your API payload, and POST it with your `metering_access_token`:

```bash
# Build the usage event; quantity is parsed with fromjson so it is sent as a number, not a string
meteringPayloadJson="$( echo "{}"                            | \
   jq --arg x "${managedBy}"     '.resourceUri=$x'           | \
   jq --arg x "${planName}"      '.planId=$x'                | \
   jq --arg x "${dimensionName}" '.dimension=$x'             | \
   jq --arg x "${quantity}"      '.quantity=($x | fromjson)' | \
   jq --arg x "${timestamp}"     '.effectiveStartTime=$x'      \
   )"

# POST the event with the IMDS-issued bearer token
marketplace_response="$( curl \
   --silent \
   --request POST \
   --url "https://marketplaceapi.microsoft.com/api/usageEvent?api-version=2018-08-31" \
   --header "Authorization: Bearer ${metering_access_token}" \
   --header "Content-Type: application/json" \
   --data "${meteringPayloadJson}" )"
```

However, like you spotted, the trick is to have the right information about the `managedBy` property, which is an ARM property on the managed app object, which is not in the managed resource group. The way I handled that here is by having the ARM template fetch that property at deployment time, and stick it in a location that my managed identity has access to at runtime, such as a KeyVault in the managed resource group. Check out this:

In the ARM template, I call `resourceGroup().managedBy`, and then I can e.g. have that stored in KV, or in a deployment script, etc. etc.

You might also take https://cookbook.geuer-pollmann.de/azure/marketplace-submit-manually-using-script and https://github.com/chgeuer/metering_cloudshell as inspiration...
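The two calls in the answer above (IMDS token request, then the usage-event POST), as an added Python example that is mine and not code from this issue or the chgeuer/metering repository. The URLs, the resource GUID and the payload fields come from the answer; `offline_opener` and its `{"status": "Accepted"}` reply are a constructed stand-in so the script runs without network access, and the `managedBy` value is a constructed placeholder.

```python
"""Fetch a metering token from IMDS and post a marketplace usage event (added example)."""
import io
import json
import urllib.request

# Same endpoints and resource id as in the answer above
IMDS_TOKEN_URL = ("http://169.254.169.254/metadata/identity/oauth2/token"
                  "?api-version=2018-02-01&resource=20e940b3-4c77-4b0b-9a53-9e16a1b010a7")
USAGE_EVENT_URL = "https://marketplaceapi.microsoft.com/api/usageEvent?api-version=2018-08-31"


def imds_token_request():
    """Build the IMDS token request. The 'Metadata: true' header is mandatory:
    IMDS refuses requests without it, so a forwarded/redirected request cannot mint tokens."""
    return urllib.request.Request(IMDS_TOKEN_URL, headers={"Metadata": "true"}, method="GET")


def fetch_token(opener=urllib.request.urlopen):
    """Return the access_token field; never log the token itself, it is a bearer credential."""
    with opener(imds_token_request()) as resp:
        return json.loads(resp.read())["access_token"]


def build_usage_event(managed_by, plan_id, dimension, quantity, effective_start_time):
    """Mirror the jq pipeline: quantity must be numeric (the jq used fromjson for that)."""
    if isinstance(quantity, bool) or not isinstance(quantity, (int, float)):
        raise TypeError("quantity must be a number, not a string")
    return {"resourceUri": managed_by, "planId": plan_id, "dimension": dimension,
            "quantity": quantity, "effectiveStartTime": effective_start_time}


def usage_event_request(access_token, payload):
    """POST with the IMDS-issued bearer token, exactly like the curl call."""
    return urllib.request.Request(
        USAGE_EVENT_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})


def post_usage_event(access_token, payload, opener=urllib.request.urlopen):
    with opener(usage_event_request(access_token, payload)) as resp:
        return json.loads(resp.read())


def offline_opener(request):
    """Constructed stand-in for urlopen so the example runs offline (not a real API reply)."""
    body = b'{"access_token": "constructed-token"}' if "169.254.169.254" in request.full_url \
        else b'{"status": "Accepted"}'
    return io.BytesIO(body)


if __name__ == "__main__":
    token = fetch_token(opener=offline_opener)
    # managed_by is the ARM id of the managed app; the answer stores it in KV at deploy time
    event = build_usage_event("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                              "Microsoft.Solutions/applications/<app>",  # constructed placeholder
                              "plan1", "dim1", 3, "2025-02-19T00:00:00Z")
    print(post_usage_event(token, event, opener=offline_opener))
```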
