Enable system-assigned managed identity for an application in Azure Spring Apps
Note
Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.
This article applies to: ✔️ Basic/Standard tier ✔️ Enterprise tier
This article shows you how to enable and disable system-assigned managed identities for an application in Azure Spring Apps, using the Azure portal and CLI.
Managed identities for Azure resources provide an automatically managed identity in Azure Active Directory to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
Prerequisites
If you're unfamiliar with managed identities for Azure resources, see the Managed identities for Azure resources overview section.
- An already provisioned Azure Spring Apps instance. For more information, see Quickstart: Deploy your first application to Azure Spring Apps (Basic/Standard tier) or Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise tier (Enterprise tier).
- Azure CLI version 2.30.0 or higher.
- The Azure Spring Apps extension for Azure CLI supports app user-assigned managed identity with version 1.0.0 or later. Use the following commands to remove previous versions and install the latest extension:
  az extension remove --name spring
  az extension add --name spring
Add a system-assigned identity
Creating an app with a system-assigned identity requires setting an additional property on the application.
To set up a managed identity in the portal, first create an app, and then enable the feature.
- Create an app in the portal as you normally would. Navigate to it in the portal.
- Scroll down to the Settings group in the left navigation pane.
- Select Identity.
- Within the System assigned tab, switch Status to On. Select Save.
Obtain tokens for Azure resources
An app can use its managed identity to get tokens to access other resources protected by Azure Active Directory, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.
You may need to configure the target resource to allow access from your application. For example, if you request a token to access Key Vault, make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Azure Active Directory tokens, see Azure services that support Azure AD authentication.
Azure Spring Apps shares the same token acquisition endpoint as Azure Virtual Machines. We recommend using the Java SDK or Spring Boot starters to acquire a token. See How to use VM token for code and script examples and for guidance on important topics such as handling token expiration and HTTP errors.
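The article recommends the Java SDK or Spring Boot starters, which handle this for you. The following added example (not code from the article or from Azure Spring Apps) shows what those libraries do underneath against the VM-compatible token endpoint the article mentions: request a token for a resource such as Key Vault, check the HTTP status, and re-acquire the token before it expires. The IMDS URL, api-version and response field names are well-known Azure values assumed here, and the sample response is constructed so the demo runs offline.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Token endpoint shared with Azure VMs (IMDS), as the article states; URL and api-version are assumed.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"
REFRESH_MARGIN = 300  # re-acquire when fewer than this many seconds remain on the token


def http_fetch(resource):
    # GET with the mandatory Metadata header; returns (status, body) instead of raising
    query = urllib.parse.urlencode({"api-version": API_VERSION, "resource": resource})
    req = urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class ManagedIdentityTokenCache:
    def __init__(self, fetch=http_fetch, now=time.time):
        self._fetch, self._now = fetch, now
        self._tokens = {}  # resource (e.g. https://vault.azure.net) -> (token, expires_on)

    def get_token(self, resource):
        cached = self._tokens.get(resource)
        if cached and cached[1] - self._now() > REFRESH_MARGIN:
            return cached[0]  # still valid with margin to spare: no network call
        status, body = self._fetch(resource)
        if status != 200:  # the body says why, e.g. no identity enabled on the app yet
            raise RuntimeError(f"token endpoint returned HTTP {status}: {body[:200]}")
        payload = json.loads(body)  # expires_on is an epoch timestamp sent as a string
        self._tokens[resource] = (payload["access_token"], int(payload["expires_on"]))
        return payload["access_token"]


# Constructed sample response in the endpoint's JSON shape, for the offline demo below.
SAMPLE_RESPONSE = json.dumps({"access_token": "constructed.token", "expires_on": "1700003600"})


def demo():
    # Offline run: fetch once, serve from cache, refresh inside the margin; returns fetch count
    calls, clock = [], {"now": 1700000000}
    cache = ManagedIdentityTokenCache(fetch=lambda r: calls.append(r) or (200, SAMPLE_RESPONSE),
                                      now=lambda: clock["now"])
    cache.get_token("https://vault.azure.net")
    cache.get_token("https://vault.azure.net")  # served from cache
    clock["now"] = 1700003600 - 60  # 60 s before expiry: inside the refresh margin
    cache.get_token("https://vault.azure.net")
    return len(calls)  # 2
```

Whichever client you use, the token only grants what the target resource allows the app's identity, so a Key Vault access policy for the identity is still required.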
Disable system-assigned identity from an app
Removing a system-assigned identity will also delete it from Azure AD. Deleting the app resource automatically removes system-assigned identities from Azure AD.
To remove system-assigned managed identity from an app that no longer needs it:
- Sign in to the portal using an account associated with the Azure subscription that contains the Azure Spring Apps instance.
- Navigate to the desired application and select Identity.
- Under System assigned/Status, select Off and then select Save.
Next steps