Use managed identities for Azure Load Testing

This article shows how to create a managed identity for Azure Load Testing. You can use a managed identity to securely read secrets or certificates from Azure Key Vault in your load test.

A managed identity from Microsoft Entra ID allows your load testing resource to easily access Microsoft Entra protected Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to manage or rotate any secrets. For more information about managed identities in Microsoft Entra ID, see Managed identities for Azure resources.

Azure Load Testing supports two types of identities:

• A system-assigned identity is associated with your load testing resource and is deleted when your resource is deleted. A resource can only have one system-assigned identity.
• A user-assigned identity is a standalone Azure resource that you can assign to your load testing resource. When you delete the load testing resource, the managed identity remains available. You can assign multiple user-assigned identities to the load testing resource.

Currently, you can only use the managed identity for accessing Azure Key Vault.

Prerequisites

• An Azure account with an active subscription. If you don't have an Azure subscription, create a free account before you begin.
• An Azure load testing resource. If you need to create an Azure load testing resource, see the quickstart Create and run a load test.
• To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

Assign a system-assigned identity to a load testing resource

To assign a system-assigned identity for your Azure load testing resource, enable a property on the resource. You can set this property by using the Azure portal or by using an Azure Resource Manager (ARM) template.

Portal

To set up a managed identity in the portal, you first create an Azure load testing resource and then enable the feature.

1. In the Azure portal, go to your Azure load testing resource.

2. On the left pane, select Identity.

3. In the System assigned tab, switch Status to On, and then select Save.

   

4. On the confirmation window, select Yes to confirm the assignment of the managed identity.

5. After this operation completes, the page shows the Object ID of the managed identity, and lets you assign permissions to it.

   

Azure CLI

Run the az load update command with --identity-type SystemAssigned to add a system-assigned identity to your load testing resource:

az load update --name <load-testing-resource-name> --resource-group <group-name> --identity-type SystemAssigned

ARM template

You can use an ARM template to automate the deployment of your Azure resources. For more information about using ARM templates with Azure Load Testing, see the Azure Load Testing ARM reference documentation.

You can assign a system-assigned managed identity when you create a resource of type Microsoft.LoadTestService/loadtests. Configure the identity property with the SystemAssigned value in the resource definition:

"identity": {
    "type": "SystemAssigned"
}

By adding the system-assigned identity type, you're telling Azure to create and manage the identity for your resource. For example, an Azure load testing resource might look like the following:

{
    "type": "Microsoft.LoadTestService/loadtests",
    "apiVersion": "2021-09-01-preview",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "tags": "[parameters('tags')]",
    "identity": {
        "type": "SystemAssigned"
    }
}

After the resource creation finishes, the following properties are configured for the resource:

"identity": {
    "type": "SystemAssigned",
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "principalId": "00000000-0000-0000-0000-000000000000"
}

The tenantId property identifies which Microsoft Entra tenant the managed identity belongs to. The principalId is a unique identifier for the resource's new identity. Within Microsoft Entra ID, the service principal has the same name as the Azure load testing resource.

Assign a user-assigned identity to a load testing resource

Before you can add a user-assigned managed identity to an Azure load testing resource, you must first create this identity in Microsoft Entra ID. Then, you can assign the identity by using its resource identifier.

You can add multiple user-assigned managed identities to your resource. For example, if you need to access multiple Azure resources, you can grant different permissions to each of these identities.

Portal

1. Create a user-assigned managed identity by following the instructions mentioned in Create a user-assigned managed identity.

   

2. In the Azure portal, go to your Azure load testing resource.

3. On the left pane, select Identity.

4. Select the User assigned tab, and select Add.

5. Search and select the managed identity you created previously. Then, select Add to add it to the Azure load testing resource.

   

Azure CLI

1. Create a user-assigned identity.

   az identity create --resource-group <group-name> --name <identity-name>
   

2. Run the az load update command with --identity-type UserAssigned to add a user-assigned identity to your load testing resource:

   az load update --name <load-testing-resource-name> --resource-group <group-name> --identity-type UserAssigned --user-assigned <identity-id>
   

ARM template

You can create an Azure load testing resource by using an ARM template and the resource type Microsoft.LoadTestService/loadtests. For more information about using ARM templates with Azure Load Testing, see the Azure Load Testing ARM reference documentation.

1. Create a user-assigned managed identity by following the instructions mentioned in Create a user-assigned managed identity.

2. Specify the user-assigned managed identity in the identity section of the resource definition.

   Replace the <RESOURCEID> text placeholder with the resource ID of your user-assigned identity:

   "identity": {
       "type": "UserAssigned",
       "userAssignedIdentities": {
           "<RESOURCEID>": {}
       }
   }
   

   The following code snippet shows an example of an Azure Load Testing ARM resource definition with a user-assigned identity:

   {
       "type": "Microsoft.LoadTestService/loadtests",
       "apiVersion": "2021-09-01-preview",
       "name": "[parameters('name')]",
       "location": "[parameters('location')]",
       "tags": "[parameters('tags')]",
       "identity": {
           "type": "UserAssigned",
           "userAssignedIdentities": {
               "<RESOURCEID>": {}
           }
   }
   

   After the Load Testing resource is created, Azure provides the principalId and clientId properties in the output:

   "identity": {
       "type": "UserAssigned",
       "userAssignedIdentities": {
           "<RESOURCEID>": {
               "principalId": "00000000-0000-0000-0000-000000000000",
               "clientId": "00000000-0000-0000-0000-000000000000"
           }
       }
   }
   

   The principalId is a unique identifier for the identity that's used for Microsoft Entra administration. The clientId is a unique identifier for the resource's new identity that's used for specifying which identity to use during runtime calls.

Configure target resource

You might need to configure the target resource to allow access from your load testing resource. For example, if you read a secret or certificate from Azure Key Vault, or if you use customer-managed keys for encryption, you must also add an access policy that includes the managed identity of your resource. Otherwise, your calls to Azure Key Vault are rejected, even if you use a valid token.

Similarly, if you want to set failure criteria on server metrics, you should specify a Metrics Reference Identity to fetch metrics for. You should configure the target resource such that the identity can read the metrics from the resource.

Related content

• Use secrets or certificates in your load test
• Configure customer-managed keys for encryption
• What are managed identities for Azure resources?