Manage user-assigned managed identities for an application in Azure Spring Apps

Note

Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.

This article applies to: ✔️ Basic/Standard tier ✔️ Enterprise tier

This article shows you how to assign or remove user-assigned managed identities for an application in Azure Spring Apps, using the Azure portal and Azure CLI.

Managed identities for Azure resources provide an automatically managed identity in Azure Active Directory (Azure AD) to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

Prerequisites

Assign user-assigned managed identities when creating an application

Create an application and assign user-assigned managed identity at the same time by using the following command:

az spring app create \
    --resource-group <resource-group-name> \
    --name <app-name> \
    --service <service-instance-name> \
    --user-assigned <space-separated user identity resource IDs to assign>

Assign user-assigned managed identities to an existing application

Assigning user-assigned managed identity requires setting an additional property on the application.

To assign user-assigned managed identity to an existing application in the Azure portal, follow these steps:

  1. Navigate to an application in the Azure portal as you normally would.
  2. Scroll down to the Settings group in the left navigation pane.
  3. Select Identity.
  4. Within the User assigned tab, select Add.
  5. Choose one or more user-assigned managed identities from right panel and then select Add from this panel.

Obtain tokens for Azure resources

An application can use its managed identity to get tokens to access other resources protected by Azure AD, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.

You may need to configure the target resource to allow access from your application. For more information, see Assign a managed identity access to a resource by using the Azure portal. For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Azure Active Directory tokens, see Azure services that support Azure AD authentication

Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples and guidance on important topics such as handling token expiration and HTTP errors, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.

Remove user-assigned managed identities from an existing app

Removing user-assigned managed identities will remove the assignment between the identities and the application, and will not delete the identities themselves.

To remove user-assigned managed identities from an application that no longer needs it, follow these steps:

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the Azure Spring Apps instance.
  2. Navigate to the desired application and select Identity.
  3. Under User assigned, select target identities and then select Remove.

Limitations

For user-assigned managed identity limitations, see Quotas and service plans for Azure Spring Apps.

Next steps