How to use managed identities for App Service and Azure Functions

Sardar Mudassar Ali Khan
4 min read · Jan 29, 2023

This article shows how to create a managed identity for an App Service or Azure Functions app and how to use it to access other resources. With a managed identity from Azure Active Directory (Azure AD), your app can access other Azure AD-protected resources, such as Azure Key Vault, without you having to provision or rotate any secrets, because the Azure platform manages the identity for you. See Managed Identities for Azure Resources for more information on managed identities in Azure AD.

Two types of identity can be assigned to your application:

A system-assigned identity is tied to your application and is deleted when the app is deleted. An app can have only one system-assigned identity.

A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities.

Add a system-assigned identity

1. Find the Settings group by scrolling down in the left navigation of your app’s page.

2. Select Identity.

3. Within the system-assigned tab, switch Status to On. Click Save.

Add a user-assigned identity

1. Create a user-assigned managed identity resource by following the Azure guidelines for doing so.

2. Find the Settings group by scrolling down in the left navigation of your app’s page.

3. Select Identity.

4. Within the User Assigned tab, click Add.

5. Look for and choose the identity you created earlier. Select Add.

Configure target resource

The target resource may need to be configured to allow access from your app or function. For example, if you request a token to access Key Vault, you must also add an access policy that includes the managed identity of your app or function; otherwise your calls to Key Vault are rejected even when you present a valid token. The same applies to Azure SQL Database. See Azure services that support Azure Active Directory authentication for more information on which resources accept Azure AD tokens.

Connect to Azure services in the app code

An app can use its managed identity to obtain tokens for Azure AD-protected resources such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, not any individual user of the application.

App Service and Azure Functions expose an internally accessible REST endpoint for token retrieval. The endpoint is called from within the app with a plain HTTP GET, which can be implemented with a generic HTTP client in any language. The Azure Identity client library wraps this REST endpoint and simplifies development for .NET, JavaScript, Java, and Python: adding a credential object to the service-specific client is enough to connect to other Azure services.

A raw HTTP GET request looks like the following example:

And a sample response might look like the following:

This response has the same shape as an Azure AD service-to-service access token response. To access Key Vault, add the value of the access token to your client connection to the vault.

Remove an identity

Removing a system-assigned identity deletes it from Azure Active Directory. System-assigned identities are also deleted from Azure Active Directory automatically when the app resource itself is deleted.

1. Find the Settings group by scrolling down in the left navigation of your app’s page.

2. Select Identity. Then follow the steps for your identity type:

System-assigned identity: in the System Assigned tab, switch Status to Off and click Save.

User-assigned identity: in the User Assigned tab, select the identity’s checkbox, click Remove, and click "Yes" to confirm.

REST endpoint reference

An app with a managed identity makes this endpoint available through two environment variables:

1. IDENTITY_ENDPOINT is the URL of the local token service.

2. IDENTITY_HEADER is a header value that helps mitigate server-side request forgery (SSRF) attacks: a request that does not carry it is rejected, and the platform rotates the value.

Your app obtains tokens by requesting them from the local URL in IDENTITY_ENDPOINT. Make an HTTP GET call to this endpoint with the following parameters to obtain a token for a resource:
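As an added example (not code from the original post, nor from Microsoft's Azure Identity library), the following Python reads the two environment variables described above, builds the GET request for the local token endpoint, and parses the JSON response. The `resource`, `api-version=2019-08-01` and `client_id` query parameters and the `X-IDENTITY-HEADER` request header follow Azure's documented endpoint contract; the endpoint URL, header value and token in the sample data are constructed.

```python
import json
import os
import urllib.parse
import urllib.request

# Documented endpoint contract for App Service / Functions managed identity:
#   GET {IDENTITY_ENDPOINT}?resource=<audience>&api-version=2019-08-01
#   X-IDENTITY-HEADER: {IDENTITY_HEADER}
API_VERSION = "2019-08-01"


def build_token_request(resource, env=None, client_id=None):
    """Return (url, headers) for a token request to the local identity endpoint."""
    env = os.environ if env is None else env
    endpoint = env.get("IDENTITY_ENDPOINT")
    header = env.get("IDENTITY_HEADER")
    if not endpoint or not header:
        # Both variables are injected only when an identity is enabled on the app.
        raise RuntimeError("managed identity not enabled: IDENTITY_ENDPOINT/IDENTITY_HEADER missing")
    params = {"resource": resource, "api-version": API_VERSION}
    if client_id:
        # Select a specific user-assigned identity; omit for the system-assigned one.
        params["client_id"] = client_id
    url = endpoint + "?" + urllib.parse.urlencode(params)
    # The secret header is what stops an SSRF'd request from obtaining a token.
    return url, {"X-IDENTITY-HEADER": header}


def parse_token_response(body):
    """Extract the bearer token and its expiry (epoch seconds) from the JSON body."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("token request failed: %s" % data.get("error", "unknown error"))
    return data["access_token"], int(data["expires_on"])


def get_token(resource, client_id=None):
    """Fetch a token inside a running App Service / Functions app."""
    url, headers = build_token_request(resource, client_id=client_id)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode())


# Constructed stand-ins for the values the platform injects at runtime.
SAMPLE_ENV = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41871/msi/token",
              "IDENTITY_HEADER": "constructed-header-value"}
SAMPLE_RESPONSE = ('{"access_token":"eyJ.constructed.token","expires_on":"1675000000",'
                   '"resource":"https://vault.azure.net","token_type":"Bearer"}')

if __name__ == "__main__":
    print(build_token_request("https://vault.azure.net", env=SAMPLE_ENV))
    print(parse_token_response(SAMPLE_RESPONSE))
```

The returned access token is sent to the target service as a Bearer token; a missing or stale IDENTITY_HEADER surfaces as the RuntimeError above rather than as a confusing 401 from the endpoint.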

Conclusion:

With a managed identity from Azure Active Directory (Azure AD), your app can easily access other Azure AD-protected resources such as Azure Key Vault. Because the Azure platform manages the identity, you don’t need to provision or rotate any secrets. For more details on managed identities in Azure AD, see Managed Identities for Azure Resources.


Written by Sardar Mudassar Ali Khan

8x-Microsoft Certified Senior Software Engineer | MCT | Microsoft Certified Cloud Solution Architect | Microsoft Certified Cloud Developer | Technical Author