howto-integrate-azure-managed-service-identity.md (latest commit e27d79c, Apr 22, 2022)
---
title: Use managed identities to access App Configuration
titleSuffix: Azure App Configuration
description: Authenticate to Azure App Configuration using managed identities
author: AlexandraKemperMS
ms.author: alkemper
ms.service: azure-app-configuration
ms.custom: devx-track-csharp, fasttrack-edit, subject-rbac-steps
ms.topic: conceptual
ms.date: 04/08/2021
zone_pivot_groups: appconfig-provider
---

# Use managed identities to access App Configuration

Azure Active Directory managed identities simplify secrets management for your cloud application. With a managed identity, your code uses the service principal that Azure creates for the service it runs on, instead of a separate credential such as a connection string or an access key kept in Azure Key Vault or in local configuration.

Azure App Configuration and its .NET Core, .NET Framework, and Java Spring client libraries have managed identity support built in. You aren't required to use it, but with a managed identity no access key or connection string has to be stored with your app. Your code reaches the App Configuration store using only the service endpoint, and that URL can be embedded in code or configuration because it contains no secret. The client library obtains short-lived Azure AD access tokens for the identity behind the scenes, so your code never handles a long-lived credential.

:::zone target="docs" pivot="framework-dotnet"

This article shows how you can take advantage of the managed identity to access App Configuration. It builds on the web app introduced in the quickstarts. Before you continue, complete the Create an ASP.NET Core app with App Configuration quickstart first.

:::zone-end

:::zone target="docs" pivot="framework-spring"

This article shows how you can take advantage of the managed identity to access App Configuration. It builds on the web app introduced in the quickstarts. Before you continue, complete the Create a Java Spring app with Azure App Configuration quickstart first.

:::zone-end

> [!IMPORTANT]
> Managed identities cannot be used to authenticate locally running applications: the token endpoint the credential talks to exists only on the Azure host. Your application must be deployed to an Azure service that supports managed identities. This article uses Azure App Service as an example, but the same concept applies to any other Azure service that supports managed identities, for example Azure Kubernetes Service, Azure Virtual Machines, and Azure Container Instances. If your workload is hosted in one of those services, you can use that service's managed identity support in the same way.

You can use any code editor to do the steps in this tutorial. Visual Studio Code is an excellent option available on the Windows, macOS, and Linux platforms.

In this article, you learn how to:

> [!div class="checklist"]
> * Grant a managed identity access to App Configuration.
> * Configure your app to use a managed identity when you connect to App Configuration.

## Prerequisites

To complete this tutorial, you must have:

:::zone target="docs" pivot="framework-dotnet"

:::zone-end

:::zone target="docs" pivot="framework-spring"

:::zone-end

[!INCLUDE quickstarts-free-trial-note]

## Add a managed identity

To set up a managed identity in the portal, you first create an application and then enable the feature.

  1. Access your App Services resource in the Azure portal. If you don't have an existing App Services resource to work with, create one.

  2. Scroll down to the Settings group in the left pane, and select Identity.

  3. On the System assigned tab, switch Status to On and select Save.

  4. Answer Yes when prompted to enable system assigned managed identity.

    (Screenshot: Set managed identity in App Service)

## Grant access to App Configuration

The following steps describe how to assign the App Configuration Data Reader role to the App Service's managed identity, scoped to your App Configuration store. That role grants read-only access to the store's key-values, which is all the app in this article needs; it does not let the app modify configuration or manage the store, so prefer it over broader roles such as Contributor or Owner. For detailed steps, see Assign Azure roles using the Azure portal.

  1. In the Azure portal, select All resources and select the App Configuration store that you created in the quickstart.

  2. Select Access control (IAM).

  3. Select Add > Add role assignment.

    :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot showing Access control (IAM) page with Add role assignment menu open.":::

  4. On the Role tab, select the App Configuration Data Reader role.

    :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-role-generic.png" alt-text="Screenshot showing Add role assignment page with Role tab selected.":::

  5. On the Members tab, select Managed identity, and then select Select members.

  6. Select your Azure subscription, under Managed identity select App Service, and then select the name of your App Service.

  7. On the Review + assign tab, select Review + assign to assign the role.
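The two portal procedures above, enabling the identity and assigning the role, as an added Azure CLI script that is not part of the original article. It assumes a resource group rg-appconfig-demo, a web app webapp-appconfig-demo and a store appconfig-demo (all assumed names, overridable through the environment) and adds what the portal steps leave implicit: the assignment is pinned to the store's own resource ID rather than the resource group or subscription, the script checks afterwards that the identity holds nothing broader than App Configuration Data Reader at any inherited scope, and it finally disables the store's access keys so the connection string the identity replaces stops working. Setting USER_IDENTITY creates a user-assigned identity instead and prints the clientId that the application code later in this article needs.

```sh
#!/usr/bin/env sh
# Added example, not part of the original article: the portal steps above
# ("Add a managed identity" and "Grant access to App Configuration") as an
# Azure CLI script, followed by a least-privilege check and one hardening step.
# Resource names are assumptions; override them through the environment.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-appconfig-demo}"
WEB_APP="${WEB_APP:-webapp-appconfig-demo}"
STORE_NAME="${STORE_NAME:-appconfig-demo}"
USER_IDENTITY="${USER_IDENTITY:-}"      # non-empty: create and use a user-assigned identity
ROLE="App Configuration Data Reader"    # data-plane read-only; not Contributor or Owner

# ARM resource ID of a single store: the narrowest scope a role assignment can have.
store_scope() {
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.AppConfiguration/configurationStores/%s\n' \
        "$1" "$2" "$3"
}

# 0 when a scope names exactly one store; 1 for a resource group, a subscription, or anything else.
scope_is_store_level() {
    case "$1" in
        /subscriptions/*/resourceGroups/*/providers/Microsoft.AppConfiguration/configurationStores/*) return 0 ;;
        *) return 1 ;;
    esac
}

# $3 holds "role<TAB>scope" lines (the shape of the `az role assignment list -o tsv` call below).
# Prints every assignment that is not exactly the expected role at the expected scope, so an
# inherited Contributor on the resource group and a Data Reader granted on the whole
# subscription both surface; prints nothing when the principal is least-privilege.
find_excess_assignments() {
    expected_role="$1"; expected_scope="$2"; tab=$(printf '\t')
    printf '%s\n' "$3" | while IFS="$tab" read -r role scope; do
        if [ -n "$role" ] && { [ "$role" != "$expected_role" ] || [ "$scope" != "$expected_scope" ]; }; then
            printf '%s at %s\n' "$role" "$scope"
        fi
    done
}

main() {
    subscription_id=$(az account show --query id -o tsv)
    scope=$(store_scope "$subscription_id" "$RESOURCE_GROUP" "$STORE_NAME")
    scope_is_store_level "$scope" || { echo "refusing to assign at $scope" >&2; exit 1; }

    if [ -n "$USER_IDENTITY" ]; then
        # User-assigned: create it, attach it to the web app, and report the clientId the
        # app must pass to ManagedIdentityCredential (or the Spring managed-identity.client-id property).
        identity_id=$(az identity create -g "$RESOURCE_GROUP" -n "$USER_IDENTITY" --query id -o tsv)
        principal_id=$(az identity show -g "$RESOURCE_GROUP" -n "$USER_IDENTITY" --query principalId -o tsv)
        client_id=$(az identity show -g "$RESOURCE_GROUP" -n "$USER_IDENTITY" --query clientId -o tsv)
        az webapp identity assign -g "$RESOURCE_GROUP" -n "$WEB_APP" --identities "$identity_id" -o none
        echo "clientId to configure in the app: $client_id"
    else
        # System-assigned: enabling it returns the object id of the new service principal.
        principal_id=$(az webapp identity assign -g "$RESOURCE_GROUP" -n "$WEB_APP" --query principalId -o tsv)
    fi

    # Object id plus principal type lets the assignment succeed before Azure AD replication
    # has finished; resolving the principal by name right after enabling it often fails.
    az role assignment create --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
        --role "$ROLE" --scope "$scope" -o none

    # Verify: the identity holds exactly this role at this store and nothing broader.
    assigned=$(az role assignment list --assignee "$principal_id" --scope "$scope" --include-inherited \
        --query '[].[roleDefinitionName, scope]' -o tsv)
    excess=$(find_excess_assignments "$ROLE" "$scope" "$assigned")
    [ -z "$excess" ] || { printf 'broader than expected:\n%s\n' "$excess" >&2; exit 1; }

    # Identity-based access works, so turn the access keys off: the connection string this
    # article replaces then stops authenticating at all, even if one was leaked earlier.
    az appconfig update -g "$RESOURCE_GROUP" -n "$STORE_NAME" --disable-local-auth true -o none
    echo "granted '$ROLE' on $scope; local authentication disabled"
}

# Nothing runs until you ask for it: sh grant-appconfig-reader.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `sh grant-appconfig-reader.sh apply` after `az login`; without `apply` it only defines the functions. If the role assignment still fails with a principal-not-found error right after the identity was enabled, wait a minute and rerun: the object id is stable and the commands are idempotent, so rerunning is safe.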

## Use a managed identity

:::zone target="docs" pivot="framework-dotnet"

  1. Add a reference to the Azure.Identity package:

    ```dotnetcli
    dotnet add package Azure.Identity
    ```
  2. Find the endpoint to your App Configuration store. This URL is listed on the Access keys tab for the store in the Azure portal.

  3. Open appsettings.json, and add the following section. Replace <service_endpoint>, including the brackets, with the URL of your App Configuration store.

    ```json
    "AppConfig": {
        "Endpoint": "<service_endpoint>"
    }
    ```
  4. Open Program.cs, and add a using directive for the Azure.Identity namespace, which provides ManagedIdentityCredential:

    ```csharp
    using Azure.Identity;
    ```
  5. If you want to access only values stored directly in App Configuration, update the CreateHostBuilder method (CreateWebHostBuilder on .NET Core 2.x) so that the config.AddAzureAppConfiguration() call (from the Microsoft.Azure.AppConfiguration.AspNetCore package) connects with a ManagedIdentityCredential instead of a connection string.

    > [!IMPORTANT]
    > CreateHostBuilder replaces CreateWebHostBuilder in .NET Core 3.0. Select the correct syntax based on your environment.

    For .NET Core 3.x and later:

    ```csharp
    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
                webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
                {
                    // Read the endpoint from the providers registered so far (appsettings.json).
                    var settings = config.Build();
                    // No connection string: the host's managed identity supplies the token.
                    config.AddAzureAppConfiguration(options =>
                        options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential()));
                })
                .UseStartup<Startup>());
    ```

    For .NET Core 2.x:

    ```csharp
    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
               .ConfigureAppConfiguration((hostingContext, config) =>
               {
                   var settings = config.Build();
                   config.AddAzureAppConfiguration(options =>
                       options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential()));
               })
               .UseStartup<Startup>();
    ```

    > [!NOTE]
    > If you want to use a user-assigned managed identity, be sure to specify the clientId when creating the ManagedIdentityCredential.

    ```csharp
    config.AddAzureAppConfiguration(options =>
    {
        options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential("<your_clientId>"));
    });
    ```

    As explained in the Managed Identities for Azure resources FAQs, the platform has a default rule for resolving which managed identity a host uses. The Azure Identity library does not rely on that rule: a ManagedIdentityCredential created without a client ID always requests a token for the system-assigned identity, so it fails at runtime if the host has only a user-assigned identity. Passing the clientId pins the credential to the identity you intend and keeps it working if another user-assigned identity is added later or the system-assigned identity is enabled. You therefore need to specify the clientId whenever you use a user-assigned identity, even if it is the only identity on the host.

:::zone-end

:::zone target="docs" pivot="framework-spring"

  1. Find the endpoint to your App Configuration store. This URL is listed on the Overview tab for the store in the Azure portal.

  2. Open bootstrap.properties, remove the connection-string property and replace it with endpoint:

    ```properties
    spring.cloud.azure.appconfiguration.stores[0].endpoint=<service_endpoint>
    ```

> [!NOTE]
> If you want to use a user-assigned managed identity, also set the property spring.cloud.azure.appconfiguration.stores[0].managed-identity.client-id to the client ID of that identity. The library passes this value as the clientId when it creates the ManagedIdentityCredential; without it, the system-assigned identity is used.

:::zone-end

## Deploy your application

:::zone target="docs" pivot="framework-dotnet"

Using managed identities requires you to deploy your app to an Azure service. Managed identities can't be used for authentication of locally-running apps. To deploy the .NET Core app that you created in the Create an ASP.NET Core app with App Configuration quickstart and modified to use managed identities, follow the guidance in Publish your web app.

:::zone-end

:::zone target="docs" pivot="framework-spring"

Using managed identities requires you to deploy your app to an Azure service. Managed identities can't be used for authentication of locally-running apps. To deploy the Spring app that you created in the Create a Java Spring app with Azure App Configuration quickstart and modified to use managed identities, follow the guidance in Publish your web app.

:::zone-end

In addition to App Service, many other Azure services support managed identities. For more information, see Services that support managed identities for Azure resources.
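To confirm that the deployed identity actually works, and to see why it cannot work on your workstation, here is an added shell script that is not part of the original article. It repeats by hand what ManagedIdentityCredential does on App Service: request a token for the https://azconfig.io audience from the host's identity endpoint (exposed to the app through the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables), then call the store's key-value REST API with it. Run it from the app's SSH or Kudu console. The store endpoint https://appconfig-demo.azconfig.io is an assumed value, and CLIENT_ID is needed only for a user-assigned identity.

```sh
#!/usr/bin/env sh
# Added example, not from the original article: reproduce by hand what
# ManagedIdentityCredential does on App Service, to verify the deployed identity
# and its role assignment. Off an Azure host IDENTITY_ENDPOINT is unset and the
# script stops, which is exactly why managed identity cannot authenticate a
# locally running app. APPCONFIG_ENDPOINT below is an assumed store; CLIENT_ID
# is only set for a user-assigned identity.
set -eu

APPCONFIG_ENDPOINT="${APPCONFIG_ENDPOINT:-https://appconfig-demo.azconfig.io}"
CLIENT_ID="${CLIENT_ID:-}"
IDENTITY_API_VERSION="2019-08-01"   # App Service identity endpoint API version

# Token request URL for the App Service identity endpoint. The audience for
# App Configuration is https://azconfig.io; client_id selects a user-assigned
# identity and is omitted for the system-assigned one.
token_request_url() {
    endpoint="$1"; client_id="$2"
    url="${endpoint}?api-version=${IDENTITY_API_VERSION}&resource=https%3A%2F%2Fazconfig.io"
    if [ -n "$client_id" ]; then
        url="${url}&client_id=${client_id}"
    fi
    printf '%s\n' "$url"
}

# Pull access_token out of the flat JSON reply without needing jq on the host.
# Prints nothing when the reply carries no token (for example an error object).
extract_access_token() {
    printf '%s\n' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Map the data-plane HTTP status to the usual cause.
diagnose_status() {
    case "$1" in
        200) echo "ok: identity can read key-values" ;;
        401) echo "token rejected: wrong audience, expired, or not an Azure AD token" ;;
        403) echo "token accepted but role missing: assign App Configuration Data Reader at store scope (propagation can take minutes)" ;;
        *)   echo "unexpected HTTP status $1" ;;
    esac
}

main() {
    if [ -z "${IDENTITY_ENDPOINT:-}" ] || [ -z "${IDENTITY_HEADER:-}" ]; then
        echo "IDENTITY_ENDPOINT/IDENTITY_HEADER not set: not on an Azure host with a managed identity" >&2
        exit 2
    fi
    # The X-IDENTITY-HEADER value proves the caller is the app itself, not a
    # neighbouring process that merely reached the local endpoint.
    reply=$(curl -sS -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \
        "$(token_request_url "$IDENTITY_ENDPOINT" "$CLIENT_ID")")
    token=$(extract_access_token "$reply")
    # Never echo the reply or the token: it is a bearer credential for the store.
    [ -n "$token" ] || { echo "identity endpoint returned no access_token" >&2; exit 1; }

    # The same data-plane call the client library makes; only the status matters here.
    status=$(curl -sS -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $token" \
        "${APPCONFIG_ENDPOINT}/kv?api-version=1.0")
    diagnose_status "$status"
    [ "$status" = "200" ]
}

# Nothing runs until you ask for it: sh check-appconfig-identity.sh check
if [ "${1:-}" = "check" ]; then main; fi
```

A 403 with a valid token is the signature of a missing or not-yet-propagated role assignment, while a 401 means the token itself was refused, typically because it was minted for the wrong audience. The script prints neither the token nor the raw reply, because the access token is a bearer credential that grants read access to the store for as long as it is valid.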

## Clean up resources

[!INCLUDE azure-app-configuration-cleanup]

## Next steps

In this tutorial, you added an Azure managed identity to streamline access to App Configuration and improve credential management for your app. To learn more about how to use App Configuration, continue to the Azure CLI samples.

> [!div class="nextstepaction"]
> CLI samples