Recently I had to read some REST API data using an Azure Logic App. The data itself comes from AFAS, a Dutch SaaS ERP company. In general, the process is mostly the same as reading the data with Azure Data Factory (check out this blog post to learn more):
- you create a getconnector in AFAS. This is a view on top of your data, selecting a certain subset. You can add pre-defined filters in there as well. The result of the getconnector is the base dataset associated with a REST API endpoint.
- you add the getconnector to a specific appconnector. You also generate a token which can be used to authorize the application that wants to access the REST API.
- in whatever application you use (ADF, Logic App, Azure Function …), you retrieve the token and make a REST API call to the endpoint, embedding the token in the header.
There’s a minor difference in how you need to handle the token in Azure Logic Apps, compared with how you do it in ADF. Which is the reason for this blog post.
First, create a new Logic App (of the type consumption, which is basically serverless) with an HTTP trigger.
Since our AFAS token is kept in Azure Keyvault, we’re just going to save the Logic App as-is.
Exit the designer and go to the Identity section. There, enable a system-assigned identity.
We’re going to use this identity to get the secret from Azure Key Vault. But first we need to create an access policy in our vault that grants the necessary permissions to this identity.
In the new access policy, assign the Get and List Secret permissions.
Choose the system assigned managed identity of the Logic App as the principal for the access policy.
Back in our Logic App, add an Azure Key Vault action of the type Get Secret. First you’ll be asked to create the connection to the Key Vault. Make sure to select managed identity as the authentication type.
After connecting, select the desired secret from the dropdown.
As a reminder, the token should have the following format:
<token><version>1</version><data>123</data></token>
Now we can add an HTTP action, which will be used to do the REST API call. The URL should be something like https://xxx.rest.afas.online/ProfitRestServices/connectors/mygetconnector, where xxx is your company code in AFAS. Up to this point, everything is the same as in ADF. In our HTTP request, we also need to specify the token so we can authenticate with the REST service. This is done by specifying an Authorization header, with the content “AfasToken xyz”, where xyz is the base64 representation of the token. In ADF this looks like this (again, check out this blog post for more info):
Let’s try the same in the Logic App.
The following expression is used to set the value for the Authorization header (which is very similar to the ADF expression):
concat('AfasToken ',base64(body('Get_secret')?['value']))
However, when we execute the Logic App, it is possible it fails with an authorization error (which was the case when I initially developed the Logic App). When writing this blog post it obviously succeeded from the first try, so the error is apparently hard to reproduce. Anyway, if you get the authorization error, you might try another method to pass the token. Instead of directly specifying the header, we can add a parameter to the HTTP action. There’s only one available: authentication.
Set it to type Raw, and then specify the expression we used earlier:
This should make the Logic App succeed:
------------------------------------------------
Do you like this blog post? You can thank me by buying me a beer 🙂