This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Commit a41ffc1

committed Mar 10, 2022
added docs for managed identity and user-assigned identity
1 parent 20a56bc commit a41ffc1

5 files changed

+150
-0
lines changed

‎articles/stream-analytics/TOC.yml

Lines changed: 6 additions & 0 deletions
@@ -200,6 +200,12 @@
200200
href: geo-redundancy.md
201201
- name: Authenticate with managed identity
202202
items:
203+
- name: Managed Identities Overview
204+
href: stream-analytics-managed-identities-overview.md
205+
displayName: managed identity, identities, authenticate
206+
- name: User Assigned Managed Identities
207+
href: stream-analytics-user-assigned-managed-identity-overview.md
208+
displayName: managed identity, identities, authenticate
203209
- name: ADLS Gen 1
204210
href: stream-analytics-managed-identities-adls.md
205211
displayName: managed identity, identities, authenticate
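Review bot: The two entries added at new lines 203-208 carry the same displayName, `managed identity, identities, authenticate`, as the existing ADLS Gen 1 entry that follows them, so search keywords cannot tell the overview from the user-assigned article. Suggest giving the second entry keywords of its own, for example adding `user-assigned` to its displayName. The parent entry "Authenticate with managed identity" uses sentence case while the new names use title case; pick one for the group.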
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
---
2+
title: Managed Identities for Azure Stream Analytics
3+
description: This article describes managed identities for Azure Stream Analytics.
4+
author: enkrumah
5+
ms.author: ebnkruma
6+
ms.service: stream-analytics
7+
ms.topic: conceptual
8+
ms.date: 03/02/2022
9+
---
10+
11+
# Managed Identities for Azure Stream Analytics
12+
13+
Azure Stream Analytics currently allows you to use managed identities for Azure resources.
14+
A common challenge when building cloud applications is credential management in your code to authenticate cloud services. Keeping the credentials secure is an important task. The credentials shouldn't be stored in developer workstations or checked into source control. Azure Key Vault provides a way to store credentials, secrets securely, and other keys, but your code must authenticate to Key Vault to retrieve them.
15+
16+
The Azure Active Directory (Azure AD) managed identities for Azure resources feature solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. See [managed identities for Azure resources overview page](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) for more information about this service.
17+
18+
Here are some of the benefits of using Managed identities:
19+
* You don't need to manage credentials. Credentials are not even accessible to you.
20+
* You can use managed identities to authenticate any resource that supports [Azure Active Directory authentication](https://docs.microsoft.com/azure/active-directory/authentication/overview-authentication), including your applications.
21+
* You can use managed identities without any additional cost.
22+
23+
24+
## Managed Identity types
25+
26+
There are two types of managed identities:
27+
28+
* System-assigned Identity: Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, you create an identity in Azure AD that is tied to the lifecycle of that service instance. So when you delete the resource, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
29+
* User-assigned Identity: You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it.
30+
31+
To learn more about managed identities, see [What are managed identities for Azure resources?](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview).
32+
33+
34+
35+
> [!IMPORTANT]
36+
> Regardless of the type of identity chosen, a managed identity is a service principal of a special type that may only be used with Azure resources. The corresponding service principal is automatically removed when the managed identity is deleted.
37+
38+
## Supported Inputs and Outputs
39+
40+
Below is a table that shows Azure Stream Analytics inputs and outputs that support System Assigned Managed Identity or User Assigned Managed Identity:
41+
42+
| Type |  Adapter | User-Assigned Managed Identity Support | System Assigned Managed Identity Support |
43+
|-----------------|-------------------------------|------------------------------------------------------------------------|------------------------------------------|
44+
| Storage Account | Blob/ADLS Gen 2 | Yes | Yes |
45+
| Inputs | Event Hubs | Yes | Yes |
46+
| | IoT Hubs | No (available with a workaround: users can route events to Event Hubs) | No |
47+
| | Blob/ADLS Gen 2 | Yes | Yes |
48+
| Reference Data | Blob/ADLS Gen 2 | Yes | Yes |
49+
| | SQL | Yes (preview) | Yes |
50+
| Outputs | Event Hubs | Yes | Yes |
51+
| | SQL Database | Yes | Yes |
52+
| | Blob/ADLS Gen 2 | Yes | Yes |
53+
| | Table Storage | No | No |
54+
| | Service Bus Topic | No | No |
55+
| | Service Bus Queue | No | No |
56+
| | Cosmos DB | No | No |
57+
| | Power BI | Yes | No |
58+
| | Data Lake Storage Gen1 | Yes | Yes |
59+
| | Azure Functions | No | No |
60+
| | Azure Database for PostgreSQL | No | No |
61+
| | Azure Data Explorer | Yes | Yes |
62+
| | Azure Synapse Analytics | Yes | Yes |
63+
64+
65+
66+
## Next steps
67+
68+
* [Quickstart: Create a Stream Analytics job by using the Azure portal](stream-analytics-quick-create-portal.md)
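Review bot: In the "Supported Inputs and Outputs" table (new lines 42-62), the Power BI row is the only one that lists user-assigned support as Yes and system-assigned support as No; please confirm the two columns were not swapped for that row. The first data row uses `Storage Account` in the Type column while every other row is grouped under Inputs, Reference Data or Outputs, so it is unclear what that row describes. The table also marks Table Storage, Service Bus Topic and Queue, Cosmos DB, Azure Functions and Azure Database for PostgreSQL as No in both columns without saying how a job authenticates to them; since the article's premise is keeping credentials out of code and configuration, a sentence naming the fallback for those adapters would help readers plan. On new line 14, "store credentials, secrets securely, and other keys" has a misplaced word; "securely store credentials, secrets, and other keys" is likely what was meant.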
Lines changed: 76 additions & 0 deletions
@@ -0,0 +1,76 @@
1+
---
2+
title: User Assigned Managed Identities for Azure Stream Analytics
3+
description: This article describes configuring user assigned managed identities for Azure Stream Analytics.
4+
author: enkrumah
5+
ms.author: ebnkruma
6+
ms.service: stream-analytics
7+
ms.topic: conceptual
8+
ms.date: 03/02/2022
9+
---
10+
11+
# User Assigned Managed Identities for Azure Stream Analytics
12+
13+
Azure Stream Analytics currently allows you to use user-assigned managed identities for Azure resources.
14+
User-assigned managed identities can be used on multiple resources. To learn more about managed identities, see [What are managed identities for Azure resources?](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview).
15+
16+
**In this article, you learn how to create a user-assigned managed identity for your Azure Stream Analytics job by using the Azure portal.**
17+
18+
> [!IMPORTANT]
19+
> Regardless of the type of identity chosen, a managed identity is a service principal of a special type that may only be used with Azure resources. The corresponding service principal is automatically removed when the managed identity is deleted.
20+
21+
22+
## Create a user-assigned managed identity
23+
24+
To create a user-assigned managed identity, your account needs the [Managed Identity Contributor role](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#managed-identity-contributor) assignment.
25+
26+
27+
There are two types of managed identities:
28+
29+
1. Sign in to the Azure portal by using an account associated with the Azure subscription to create the user-assigned managed identity.
30+
2. In the search box, enter **Managed Identities**. Under **Services**, select **Managed Identities**.
31+
3. Select **Add**, and enter values in the following boxes in the **Create User Assigned Managed Identity** pane:
32+
* **Subscription**: Choose the subscription to create the user-assigned managed identity under.
33+
* **Resource group**: Choose a resource group to create the user-assigned managed identity in, or select **Create new** to create a new resource group.
34+
* **Region**: Choose a region to deploy the user-assigned managed identity, for example, **West US**.
35+
* **Name**: Enter the name for your user-assigned managed identity, for example, UAI1.
36+
37+
38+
> [!NOTE]
39+
> Only alphanumeric characters (0-9, a-z, and A-Z) and the hyphen (-) are supported when you create user-assigned managed identities. For the assignment to a virtual machine or virtual machine scale set to work correctly, the name is limited to 24 characters. For more information, see [**FAQs and known issues**](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/known-issues).
40+
41+
![Create managed identity](./media/common/create-managed-identity.png)
42+
43+
1. Select **Review + create** to review changes
44+
2. Select **Create**
45+
46+
For more information on how to manager user-assigned managed identities please visit the [Managed user-assigned managed identities page](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp).
47+
48+
49+
## Switching to User Assigned Managed Identity
50+
**If you have an existing job, you can switch to a user assigned identity by following the instructions below:**
51+
52+
After creating your user-assigned identity and configuring your input and output, you can switch to user-assigned identity on the Managed Identity tab on the left side under Configure.
53+
54+
![Configure Stream Analytics managed identity](./media/common/stream-analytics-enable-managed-identity-new.png)
55+
56+
1. Click on the managed identity tab under configure.
57+
2. Select on Switch Identity and select the identity to use with the job.
58+
3. Select the subscription where your user-assigned identity is located and select the name of your identity.
59+
4. Review and save
60+
61+
62+
## Endpoint Management
63+
> [!NOTE]
64+
> After switching to a user-assigned identity for the job, you may have to re-grant access to the inputs and outputs associated with the stream analytics job to use the user-assigned identity for your job to run
65+
66+
1. Select Endpoint Management and grant access to each input and output under connection.
67+
2. Under connection status click on “try regranting access” to switch from System Assigned to User Assigned
68+
3. Wait for a few minutes for the input/output to be granted access to the job.
69+
70+
You can select each input and output on the endpoint management to manually configure an adapter to the job.
71+
72+
73+
74+
## Next steps
75+
76+
* [Quickstart: Create a Stream Analytics job by using the Azure portal](stream-analytics-quick-create-portal.md)
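Review bot: Under "Create a user-assigned managed identity", new line 27 reads "There are two types of managed identities:" but what follows is the numbered portal procedure, so the sentence looks carried over from the overview article; replace it with a lead-in to the steps. The list restarts at 1 on new lines 43-44 after the note and image, although "Review + create" and "Create" are the last two steps of the same procedure. The NOTE on new line 39 states a 24-character name limit for virtual machines and virtual machine scale sets, which is a different resource type than this article covers; drop that sentence or state the limit that applies to a Stream Analytics job. In "Endpoint Management" (new lines 62-70), the steps re-grant access for the user-assigned identity but do not say what happens to the access previously granted to the system-assigned identity on each input and output; documenting that lets readers remove grants that are no longer needed. Typo on new line 46: "manager" should be "manage", and the sentences on new lines 43, 44, 59, 64 and 67 are missing their closing periods.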
