Managed identities in Azure Container Apps
A managed identity from Azure Active Directory (Azure AD) allows your container app to access other Azure AD-protected resources. For more about managed identities in Azure AD, see Managed identities for Azure resources.
Your container app can be granted two types of identities:
- A system-assigned identity is tied to your container app and is deleted when your container app is deleted. An app can only have one system-assigned identity.
- A user-assigned identity is a standalone Azure resource that can be assigned to your container app and other resources. A container app can have multiple user-assigned identities. The identity exists until you delete them.
Why use a managed identity?
You can use a managed identity in a running container app to authenticate to any service that supports Azure AD authentication.
With managed identities:
- Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
- You can use role-based access control to grant specific permissions to a managed identity.
- System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
- You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
- You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
- You can use managed identity to create connections for Dapr-enabled applications via Dapr components
Common use cases
System-assigned identities are best for workloads that:
- are contained within a single resource
- need independent identities
User-assigned identities are ideal for workloads that:
- run on multiple resources and can share a single identity
- need pre-authorization to a secure resource
Using managed identities in scale rules isn't supported. You'll still need to include the connection string or key in the
secretRef of the scaling rule.
Configure managed identities
You can configure your managed identities through:
- the Azure portal
- the Azure CLI
- your Azure Resource Manager (ARM) template
When a managed identity is added, deleted, or modified on a running container app, the app doesn't automatically restart and a new revision isn't created.
When adding a managed identity to a container app deployed before April 11, 2022, you must create a new revision.
Add a system-assigned identity
In the left navigation of your container app's page, scroll down to the Settings group.
Within the System assigned tab, switch Status to On. Select Save.
Add a user-assigned identity
Configuring a container app with a user-assigned identity requires that you first create the identity then add its resource identifier to your container app's configuration. You can create user-assigned identities via the Azure portal or the Azure CLI. For information on creating and managing user-assigned identities, see Manage user-assigned managed identities.
First, you'll need to create a user-assigned identity resource.
Create a user-assigned managed identity resource according to the steps found in Manage user-assigned managed identities.
In the left navigation for your container app's page, scroll down to the Settings group.
Within the User assigned tab, select Add.
Search for the identity you created earlier and select it. Select Add.
Configure a target resource
For some resources, you'll need to configure role assignments for your app's managed identity to grant access. Otherwise, calls from your app to services, such as Azure Key Vault and Azure SQL Database, will be rejected even if you use a valid token for that identity. To learn more about Azure role-based access control (Azure RBAC), see What is RBAC?. To learn more about which resources support Azure Active Directory tokens, see Azure services that support Azure AD authentication.
The back-end services for managed identities maintain a cache per resource URI for around 24 hours. If you update the access policy of a particular target resource and immediately retrieve a token for that resource, you may continue to get a cached token with outdated permissions until that token expires. There's currently no way to force a token refresh.
Connect to Azure services in app code
With managed identities, an app can obtain tokens to access Azure resources that use Azure Active Directory, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application.
For .NET apps, the simplest way to work with a managed identity is through the Azure Identity client library for .NET. See the respective documentation headings of the client library for information:
- Add Azure Identity client library to your project
- Access Azure service with a system-assigned identity
- Access Azure service with a user-assigned identity
The linked examples use
DefaultAzureCredential. It's useful for most the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).
View managed identities
You can show the system-assigned and user-assigned managed identities using the following Azure CLI command. The output shows the managed identity type, tenant IDs and principal IDs of all managed identities assigned to your container app.
az containerapp identity show --name <APP_NAME> --resource-group <GROUP_NAME>
Remove a managed identity
When you remove a system-assigned identity, it's deleted from Azure Active Directory. System-assigned identities are also automatically removed from Azure Active Directory when you delete the container app resource itself. Removing user-assigned managed identities from your container app doesn't remove them from Azure Active Directory.
In the left navigation of your app's page, scroll down to the Settings group.
Select Identity. Then follow the steps based on the identity type:
- System-assigned identity: Within the System assigned tab, switch Status to Off. Select Save.
- User-assigned identity: Select the User assigned tab, select the checkbox for the identity, and select Remove. Select Yes to confirm.