Use managed identities for Azure Load Testing

This article shows how to create a managed identity for Azure Load Testing. You can use a managed identity to authenticate with and read secrets from Azure Key Vault.

A managed identity from Azure Active Directory (Azure AD) allows your load testing resource to easily access other Azure AD-protected resources, such as Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to manage or rotate any secrets. For more information about managed identities in Azure AD, see Managed identities for Azure resources.

Azure Load Testing supports two types of identities:

• A system-assigned identity is associated with your load testing resource and is deleted when your resource is deleted. A resource can only have one system-assigned identity.
• A user-assigned identity is a standalone Azure resource that you can assign to your load testing resource. When you delete the load testing resource, the managed identity remains available. You can assign multiple user-assigned identities to the load testing resource.

Prerequisites

• An Azure account with an active subscription. If you don't have an Azure subscription, create a free account before you begin.
• An Azure load testing resource. If you need to create an Azure load testing resource, see the quickstart Create and run a load test.
• To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

Assign a system-assigned identity to a load testing resource

To assign a system-assigned identity for your Azure load testing resource, enable a property on the resource. You can set this property by using the Azure portal or by using an Azure Resource Manager (ARM) template.

Portal

To set up a managed identity in the portal, you first create an Azure load testing resource and then enable the feature.

1. In the Azure portal, go to your Azure load testing resource.

2. On the left pane, select Identity.

3. Select the System assigned tab.

4. Switch the Status to On, and then select Save.

   

5. On the confirmation window, select Yes to confirm the assignment of the managed identity.

6. After assigning the managed identity finishes, the page will show the Object ID of the managed identity, and let you assign permissions to it.

   

You can now grant your load testing resource access to your Azure key vault.

ARM template

You can use an ARM template to automate the deployment of your Azure resources. For more information about using ARM templates with Azure Load Testing, see the Azure Load Testing ARM reference documentation.

You can assign a system-assigned managed identity when you create a resource of type Microsoft.LoadTestService/loadtests. Configure the identity property with the SystemAssigned value in the resource definition:

"identity": {
    "type": "SystemAssigned"
}

By adding the system-assigned identity type, you're telling Azure to create and manage the identity for your resource. For example, an Azure load testing resource might look like the following:

{
    "type": "Microsoft.LoadTestService/loadtests",
    "apiVersion": "2021-09-01-preview",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "tags": "[parameters('tags')]",
    "identity": {
        "type": "SystemAssigned"
    }
}

After the resource creation finishes, the following properties are configured for the resource:

"identity": {
    "type": "SystemAssigned",
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "principalId": "00000000-0000-0000-0000-000000000000"
}

The tenantId property identifies which Azure AD tenant the managed identity belongs to. The principalId is a unique identifier for the resource's new identity. Within Azure AD, the service principal has the same name as the Azure load testing resource.

You can now grant your load testing resource access to your Azure key vault.

Assign a user-assigned identity to a load testing resource

Before you can add a user-assigned managed identity to an Azure load testing resource, you must first create this identity in Azure AD. Then, you can assign the identity by using its resource identifier.

You can add multiple user-assigned managed identities to your resource. For example, if you need to access multiple Azure resources, you can grant different permissions to each of these identities.

Portal

1. Create a user-assigned managed identity by following the instructions mentioned in Create a user-assigned managed identity.

   

2. In the Azure portal, go to your Azure load testing resource.

3. On the left pane, select Identity.

4. Select the User assigned tab, and select Add.

5. Search and select the managed identity you created previously. Then, select Add to add it to the Azure load testing resource.

   

You can now grant your load testing resource access to your Azure key vault.

ARM template

You can create an Azure load testing resource by using an ARM template and the resource type Microsoft.LoadTestService/loadtests. For more information about using ARM templates with Azure Load Testing, see the Azure Load Testing ARM reference documentation.

1. Create a user-assigned managed identity by following the instructions mentioned in Create a user-assigned managed identity.

2. Specify the user-assigned managed identity in the identity section of the resource definition.

   Replace the <RESOURCEID> text placeholder with the resource ID of your user-assigned identity:

   "identity": {
       "type": "UserAssigned",
       "userAssignedIdentities": {
           "<RESOURCEID>": {}
       }
   }
   

   The following code snippet shows an example of an Azure Load Testing ARM resource definition with a user-assigned identity:

   {
       "type": "Microsoft.LoadTestService/loadtests",
       "apiVersion": "2021-09-01-preview",
       "name": "[parameters('name')]",
       "location": "[parameters('location')]",
       "tags": "[parameters('tags')]",
       "identity": {
           "type": "UserAssigned",
           "userAssignedIdentities": {
               "<RESOURCEID>": {}
           }
   }
   

   After the Load Testing resource is created, Azure provides the principalId and clientId properties in the output:

   "identity": {
       "type": "UserAssigned",
       "userAssignedIdentities": {
           "<RESOURCEID>": {
               "principalId": "00000000-0000-0000-0000-000000000000",
               "clientId": "00000000-0000-0000-0000-000000000000"
           }
       }
   }
   

   The principalId is a unique identifier for the identity that's used for Azure AD administration. The clientId is a unique identifier for the resource's new identity that's used for specifying which identity to use during runtime calls.

You can now grant your load testing resource access to your Azure key vault.

Grant access to your Azure key vault

Using managed identities for Azure resources, your Azure load testing resource can access tokens that enable authentication to your Azure key vault. Grant the managed identity access by assigning the appropriate role to the managed identity.

To grant your Azure load testing resource permissions to read secrets from your Azure key vault:

1. In the Azure portal, go to your Azure key vault resource.

   If you don't have a key vault, follow the instructions in Azure Key Vault quickstart to create one.

2. On the left pane, under Settings, select Access Policies, and then Add Access Policy.

3. In the Secret permissions dropdown list, select Get.

   

4. Select Select principal, and then select the system-assigned or user-assigned principal for your Azure load testing resource.

   If you're using a system-assigned managed identity, the name matches that of your Azure load testing resource.

5. Select Add.

You've now granted access to your Azure load testing resource to read the secret values from your Azure key vault.

Next steps

• Learn how to Parameterize a load test with secrets.
• Learn how to Manage users and roles in Azure Load Testing.
• What are managed identities for Azure resources?