How can I use User-Assigned Managed Identity for a frontend Web App to perform Azure Cognitive Search

Borislav Boyadzhiev 25 Reputation points
2023-08-28T18:19:37.1033333+00:00

Hello!

I have some trouble understanding the usage of a User-assigned Managed Identity in the context of a JavaScript SPA Web App against Azure Cognitive Search Service.

I have created a Search Service that is currently accessed by a JS SPA via query API Key(s) and it works fine, but I want to switch to a Managed Identity for security reasons.

I think I have set it up properly. I have created the User-assigned Managed Identity (for the SPA) and added the RBAC Search Index Data Reader role for it to the Azure Cognitive Search Service.

But now, how do I actually use it?

I have found only this article, which explains that an /MSI endpoint exists.

Is this the correct way to do it?

Thank you!


Accepted answer
  1. Grmacjon-MSFT 18,816 Reputation points
    2023-08-31T20:01:29.9333333+00:00

    Hi @Borislav Boyadzhiev

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll summarize your issue and repost your solution in case you'd like to "Accept" the answer.

    Issue:

    • You wanted to understand the usage of a User-assigned Managed Identity in the context of a JavaScript SPA Web App against Azure Cognitive Search Service.
    • You created a Search Service that is accessed by a JS SPA via query API Key(s) and it worked fine, but you want to switch to a Managed Identity for security reasons.
    • You created the User-assigned Managed Identity (for the SPA) and added the RBAC Search Index Data Reader role for it to the Azure Cognitive Search Service, but were looking to understand how to use it.

    Solution:

    • You realized your mistake and utilized an API endpoint that has the Management Identity assigned to it to provide a token for your SPA app.

    Thanks again for sharing what works for you.

    Best,

    Grace


1 additional answer

  1. Borislav Boyadzhiev 25 Reputation points
    2023-08-31T16:30:06.85+00:00

    I realized my mistake and utilized an API endpoint that has the Management Identity assigned to it to provide me with a token for my SPA app.

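    // [Authorize] restricts this endpoint to authenticated callers.
    [Authorize, HttpGet, Route(Routes.AzureSearchToken)]
    public async Task<ActionResult> GetToken()
    {
        // Authenticate as the user-assigned managed identity, selected by its client ID.
        var credential = new Azure.Identity.ManagedIdentityCredential(_serviceEnvironmentConfiguration.ManagedIdentityClientId, null);
        // Request an access token for the Azure Cognitive Search scope.
        var token = await credential.GetTokenAsync(new Azure.Core.TokenRequestContext(new[] { "https://search.azure.com/.default" }));
        // Return the AccessToken to the SPA.
        return Ok(token);
    }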
    
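
How the SPA side might consume the token endpoint from the answer above, as an added example that is not part of the original posts: it keeps the token in memory only, renews it shortly before expiry, and sends it as a bearer token to the Search REST API. The route, service and index names, api-version, the cookie-authenticated call to the endpoint, and the `{ token, expiresOn }` response shape are assumptions.

```javascript
// Added example. All constants below are assumed placeholders, not values from the thread.
const TOKEN_URL = "/api/azure-search-token";            // hypothetical route for GetToken()
const SEARCH_ENDPOINT = "https://example-search.search.windows.net"; // placeholder service
const INDEX = "example-index";                          // placeholder index name
const API_VERSION = "2023-11-01";                       // assumed REST api-version
const REFRESH_SKEW_MS = 5 * 60 * 1000;                  // renew 5 minutes before expiry

// fetchImpl and now are injectable so the client can be exercised offline.
function createSearchClient(fetchImpl = globalThis.fetch, now = () => Date.now()) {
  let cached = null; // { token, expiresAt }: memory only, never localStorage/sessionStorage

  async function getToken() {
    if (cached && cached.expiresAt - REFRESH_SKEW_MS > now()) return cached.token;
    // Assumes the [Authorize] endpoint accepts the user's same-origin session cookie.
    const res = await fetchImpl(TOKEN_URL, { credentials: "same-origin" });
    if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
    const body = await res.json(); // assumed shape: { token, expiresOn }
    const expiresAt = Date.parse(body.expiresOn);
    if (!body.token || Number.isNaN(expiresAt)) throw new Error("malformed token response");
    cached = { token: body.token, expiresAt };
    return cached.token;
  }

  async function search(text, retry = true) {
    const url = `${SEARCH_ENDPOINT}/indexes/${encodeURIComponent(INDEX)}` +
                `/docs/search?api-version=${API_VERSION}`;
    const res = await fetchImpl(url, {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${await getToken()}` },
      body: JSON.stringify({ search: text, top: 10 }),
    });
    if (res.status === 401 && retry) { // token rejected: drop it and retry once
      cached = null;
      return search(text, false);
    }
    if (!res.ok) throw new Error(`search failed with ${res.status}`);
    return (await res.json()).value; // matching documents
  }

  return { getToken, search };
}
```

The browser ends up holding a token that carries every role granted to the managed identity, so that identity should stay limited to Search Index Data Reader as in the question.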
