Load test secured endpoints with Azure Load Testing
In this article, you learn how to load test secured applications with Azure Load Testing. Secured applications require authentication to access the endpoint. Azure Load Testing enables you to authenticate with endpoints by using shared secrets or credentials, or to authenticate with client certificates.
Prerequisites
- An Azure account with an active subscription. If you don't have an Azure subscription, create a free account before you begin.
- An Azure Load Testing resource. To create a load testing resource, see Create and run a load test.
- If you're using client certificates, an Azure key vault. To create a key vault, see the quickstart Create a key vault using the Azure portal.
Authenticate with a shared secret or credentials
In this scenario, the application endpoint requires that you use a shared secret, such as an access token, an API key, or user credentials to authenticate. In the JMeter script, you have to provide this security information with each application request. For example, to load test a web endpoint that uses OAuth 2.0, you add an Authorization header, which contains the access token, to the HTTP request.
The following diagram shows how to use shared secrets or credentials to authenticate with an application endpoint in your load test. To avoid storing, and disclosing, security information in the JMeter script, you can securely store secrets in Azure Key Vault or in the CI/CD secrets store. In the JMeter script, you then use a custom JMeter function GetSecret to retrieve the secret value. Finally, you specify the secret value in the JMeter request to the application endpoint.
Add the security information in a secrets store in either of two ways:
Add the secret information in Azure Key Vault. Follow the steps in Parameterize load tests with secrets to store a secret and authorize your load testing resource to read its value.
Add the secret information as a secret in CI/CD (GitHub Actions secrets or Azure Pipelines secret variables).
Add the secret to the load test configuration:
To add a secret to your load test in the Azure portal:
Navigate to your load testing resource in the Azure portal. If you don't have a load test yet, create a new load test using a JMeter script.
On the left pane, select Tests to view the list of load tests.
Select your test from the list, and then select Edit, to edit the load test configuration.
On the Parameters tab, enter the details of the secret.
- Name: Name of the secret. You'll provide this name to the GetSecret function to retrieve the secret value in the JMeter script.
- Value: Matches the Azure Key Vault Secret identifier.
Select Apply, to save the load test configuration changes.
Update the JMeter script to retrieve the secret value:
Create a user-defined variable that retrieves the secret value with the GetSecret custom function:
Update the JMeter sampler component to pass the secret in the request. For example, to provide an OAuth2 access token, you configure the Authorization HTTP header:
When you now run your load test, the JMeter script can retrieve the secret information from the secrets store and authenticate with the application endpoint.
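A pre-upload check for the pattern described in this section, added here as an example and not part of the original article or of Azure Load Testing: it parses a JMeter script and reports Authorization headers whose value is not supplied through GetSecret. The JMX fragment, the variable name udv_appToken, the secret name appToken and the header manager names are constructed for illustration; the function is written in JMeter's function-call form `${__GetSecret(name)}`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed JMX fragment: one header uses a GetSecret-backed variable,
# the other embeds a (fake) token directly in the script.
SAMPLE_JMX = """<hashTree>
<Arguments testname="User Defined Variables"><collectionProp name="Arguments.arguments">
 <elementProp name="udv_appToken" elementType="Argument">
  <stringProp name="Argument.name">udv_appToken</stringProp>
  <stringProp name="Argument.value">${__GetSecret(appToken)}</stringProp>
 </elementProp></collectionProp></Arguments>
<HeaderManager testname="orders-api headers"><collectionProp name="HeaderManager.headers">
 <elementProp name="" elementType="Header">
  <stringProp name="Header.name">Authorization</stringProp>
  <stringProp name="Header.value">Bearer ${udv_appToken}</stringProp>
 </elementProp></collectionProp></HeaderManager>
<HeaderManager testname="legacy-api headers"><collectionProp name="HeaderManager.headers">
 <elementProp name="" elementType="Header">
  <stringProp name="Header.name">Authorization</stringProp>
  <stringProp name="Header.value">Bearer FAKE-TOKEN-FOR-EXAMPLE</stringProp>
 </elementProp></collectionProp></HeaderManager>
</hashTree>"""

def _props(elem):
    # Map each direct <stringProp name="..."> child to its text.
    return {p.get("name"): (p.text or "").strip() for p in elem.findall("stringProp")}

def audit_jmx(jmx_text):
    """Return (header manager name, issue) for Authorization headers not fed by GetSecret."""
    root = ET.fromstring(jmx_text)
    # User-defined variables whose whole value is a GetSecret call.
    secret_vars = {p.get("Argument.name") for e in root.iter("elementProp")
                   if e.get("elementType") == "Argument"
                   for p in [_props(e)]
                   if re.fullmatch(r"\$\{__GetSecret\([^)]+\)\}", p.get("Argument.value", ""))}
    findings = []
    for hm in root.iter("HeaderManager"):
        for e in hm.iter("elementProp"):
            p = _props(e)
            if p.get("Header.name", "").lower() != "authorization":
                continue
            refs = re.findall(r"\$\{([^}]+)\}", p.get("Header.value", ""))
            if not refs:
                findings.append((hm.get("testname"), "hard-coded credential"))
            elif not all(r in secret_vars or r.startswith("__GetSecret(") for r in refs):
                findings.append((hm.get("testname"), "variable not backed by GetSecret"))
    return findings
```

The findings name only the header manager, never the header value, so the report itself can be stored in CI logs without disclosing a token.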
Authenticate with client certificates
In this scenario, the application endpoint requires that you use a client certificate to authenticate. Azure Load Testing supports Public Key Certificate Standard #12 (PKCS12) type of certificates. You can use only one client certificate in a load test.
The following diagram shows how to use a client certificate to authenticate with an application endpoint in your load test. To avoid storing, and disclosing, the client certificate alongside the JMeter script, you store the certificate in Azure Key Vault. When you run the load test, Azure Load Testing reads the certificate from the key vault, and automatically passes it to JMeter. JMeter then transparently passes the certificate in all application requests. You don't have to update the JMeter script to use the client certificate.
Follow the steps in Import a certificate to store your certificate in Azure Key Vault.
Important
Azure Load Testing only supports PKCS12 certificates. Upload the client certificate in PFX file format.
Verify that your load testing resource has permissions to retrieve the certificate from your key vault.
Azure Load Testing retrieves the certificate as a secret to ensure that the private key for the certificate is available. Assign the Get secret permission to your load testing resource in Azure Key Vault.
Add the certificate to the load test configuration:
To add a client certificate to your load test in the Azure portal:
Navigate to your load testing resource in the Azure portal. If you don't have a load test yet, create a new load test using a JMeter script.
On the left pane, select Tests to view the list of load tests.
Select your test from the list, and then select Edit, to edit the load test configuration.
On the Parameters tab, enter the details of the certificate.
- Name: Name of the certificate.
- Value: Matches the Azure Key Vault Secret identifier of the certificate.
Select Apply, to save the load test configuration changes.
When you now run your load test, Azure Load Testing retrieves the client certificate from Azure Key Vault, and injects it in the JMeter web requests.
Next steps
- Learn more about how to parameterize a load test.