| title | titleSuffix | description | author | ms.author | ms.service | ms.topic | ms.date |
|---|---|---|---|---|---|---|---|
Authenticate using Azure managed identities |
Azure App Configuration |
Authenticate to Azure App Configuration using Azure managed identities |
lisaguthrie |
lcozzens |
azure-app-configuration |
conceptual |
2/25/2020 |
Azure Active Directory managed identities simplify secrets management for your cloud application. With a managed identity, your code can use the service principal created for the Azure service it runs on. You use a managed identity instead of a separate credential stored in Azure Key Vault or a local connection string.
Azure App Configuration and its .NET Core, .NET Framework, and Java Spring client libraries have managed identity support built into them. Although you aren't required to use it, the managed identity eliminates the need for an access token that contains secrets. Your code can access the App Configuration store using only the service endpoint. You can embed this URL in your code directly without exposing any secret.
This article shows how you can take advantage of the managed identity to access App Configuration. It builds on the web app introduced in the quickstarts. Before you continue, Create an ASP.NET Core app with App Configuration first.
This article also shows how you can use the managed identity in conjunction with App Configuration's Key Vault references. With a single managed identity, you can seamlessly access both secrets from Key Vault and configuration values from App Configuration. If you wish to explore this capability, finish Use Key Vault References with ASP.NET Core first.
You can use any code editor to do the steps in this tutorial. Visual Studio Code is an excellent option available on the Windows, macOS, and Linux platforms.
In this article, you learn how to:
[!div class="checklist"]
- Grant a managed identity access to App Configuration.
- Configure your app to use a managed identity when you connect to App Configuration.
- Optionally, configure your app to use a managed identity when you connect to Key Vault through an App Configuration Key Vault reference.
To complete this tutorial, you must have:
[!INCLUDE quickstarts-free-trial-note]
To set up a managed identity in the portal, you first create an application and then enable the feature.
-
Create an App Services instance in the Azure portal as you normally do. Go to it in the portal.
-
Scroll down to the Settings group in the left pane, and select Identity.
-
On the System assigned tab, switch Status to On and select Save.
-
Answer Yes when prompted to enable system assigned managed identity.
-
In the Azure portal, select All resources and select the App Configuration store that you created in the quickstart.
-
Select Access control (IAM).
-
On the Check access tab, select Add in the Add role assignment card UI.
-
Under Role, select App Configuration Data Reader. Under Assign access to, select App Service under System assigned managed identity.
-
Under Subscription, select your Azure subscription. Select the App Service resource for your app.
-
Select Save.
-
Optional: If you wish to grant access to Key Vault as well, follow the directions in Provide Key Vault authentication with a managed identity.
-
Add a reference to the Azure.Identity package:
dotnet add package Azure.Identity -
Find the endpoint to your App Configuration store. This URL is listed on the Access keys tab for the store in the Azure portal.
-
Open appsettings.json, and add the following script. Replace <service_endpoint>, including the brackets, with the URL to your App Configuration store.
"AppConfig": { "Endpoint": "<service_endpoint>" }
-
Open Program.cs, and add a reference to the
Azure.IdentityandMicrosoft.Azure.Services.AppAuthenticationnamespaces:using Azure.Identity; -
If you wish to access only values stored directly in App Configuration, update the
CreateWebHostBuildermethod by replacing theconfig.AddAzureAppConfiguration()method.[!IMPORTANT]
CreateHostBuilderreplacesCreateWebHostBuilderin .NET Core 3.0. Select the correct syntax based on your environment.public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .ConfigureAppConfiguration((hostingContext, config) => { var settings = config.Build(); config.AddAzureAppConfiguration(options => options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential())); }) .UseStartup<Startup>();
public static IHostBuilder CreateHostBuilder(string[] args) => Host.CreateDefaultBuilder(args) .ConfigureWebHostDefaults(webBuilder => webBuilder.ConfigureAppConfiguration((hostingContext, config) => { var settings = config.Build(); config.AddAzureAppConfiguration(options => options.Connect(new Uri(settings["AppConfig:Endpoint"]), new ManagedIdentityCredential())); }) .UseStartup<Startup>());
-
To use both App Configuration values and Key Vault references, update Program.cs as shown below. This code creates a new
KeyVaultClientusing anAzureServiceTokenProviderand passes this reference to a call to theUseAzureKeyVaultmethod.public static IWebHostBuilder CreateWebHostBuilder(string[] args) => WebHost.CreateDefaultBuilder(args) .ConfigureAppConfiguration((hostingContext, config) => { var settings = config.Build(); var credentials = new ManagedIdentityCredential(); config.AddAzureAppConfiguration(options => { options.Connect(new Uri(settings["AppConfig:Endpoint"]), credentials) .ConfigureKeyVault(kv => { kv.SetCredential(credentials); }); }); }) .UseStartup<Startup>();
public static IHostBuilder CreateHostBuilder(string[] args) => Host.CreateDefaultBuilder(args) .ConfigureWebHostDefaults(webBuilder => webBuilder.ConfigureAppConfiguration((hostingContext, config) => { var settings = config.Build(); var credentials = new ManagedIdentityCredential(); config.AddAzureAppConfiguration(options => { options.Connect(new Uri(settings["AppConfig:Endpoint"]), credentials) .ConfigureKeyVault(kv => { kv.SetCredential(credentials); }); }); }) .UseStartup<Startup>());
You can now access Key Vault references just like any other App Configuration key. The config provider will use the
KeyVaultClientthat you configured to authenticate to Key Vault and retrieve the value.
[!INCLUDE Prepare repository]
The easiest way to enable local Git deployment for your app with the Kudu build server is to use Azure Cloud Shell.
[!INCLUDE Configure a deployment user]
If you don't have a local git repository for your app, you'll need to initialize one. To initialize a local git repository, run the following commands from your app's project directory:
git init
git add .
git commit -m "Initial version"To enable local Git deployment for your app with the Kudu build server, run az webapp deployment source config-local-git in Cloud Shell.
az webapp deployment source config-local-git --name <app_name> --resource-group <group_name>
This command gives you something similar to the following output:
{
"url": "https://<username>@<app_name>.scm.azurewebsites.net/<app_name>.git"
}In the local terminal window, add an Azure remote to your local Git repository. Replace <url> with the URL of the Git remote that you got from Enable local Git with Kudu.
git remote add azure <url>Push to the Azure remote to deploy your app with the following command. When you're prompted for a password, enter the password you created in Configure a deployment user. Don't use the password you use to sign in to the Azure portal.
git push azure masterYou might see runtime-specific automation in the output, such as MSBuild for ASP.NET, npm install for Node.js, and pip install for Python.
Browse to your web app by using a browser to verify that the content is deployed.
http://<app_name>.azurewebsites.netApp Configuration providers for .NET Framework and Java Spring also have built-in support for managed identity. You can use your store's URL endpoint instead of its full connection string when you configure one of these providers.
For example, you can update the .NET Framework console app created in the quickstart to specify the following settings in the App.config file:
<configSections>
<section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
</configSections>
<configBuilders>
<builders>
<add name="MyConfigStore" mode="Greedy" endpoint="${Endpoint}" type="Microsoft.Configuration.ConfigurationBuilders.AzureAppConfigurationBuilder, Microsoft.Configuration.ConfigurationBuilders.AzureAppConfiguration" />
<add name="Environment" mode="Greedy" type="Microsoft.Configuration.ConfigurationBuilders.EnvironmentConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Environment" />
</builders>
</configBuilders>
<appSettings configBuilders="Environment,MyConfigStore">
<add key="AppName" value="Console App Demo" />
<add key="Endpoint" value ="Set via an environment variable - for example, dev, test, staging, or production endpoint." />
</appSettings>[!INCLUDE azure-app-configuration-cleanup]
In this tutorial, you added an Azure managed identity to streamline access to App Configuration and improve credential management for your app. To learn more about how to use App Configuration, continue to the Azure CLI samples.
[!div class="nextstepaction"] CLI samples