A managed identity from Microsoft Entra ID allows your container app to access other Microsoft Entra protected resources. For more about managed identities in Microsoft Entra ID, see Managed identities for Azure resources.
Your container app can be granted two types of identities:
A system-assigned identity is tied to your container app and is deleted when your container app is deleted. An app can only have one system-assigned identity.
A user-assigned identity is a standalone Azure resource that can be assigned to your container app and other resources. A container app can have multiple user-assigned identities. The identity exists until you delete them.
System-assigned identities are best for workloads that:
are contained within a single resource
need independent identities
User-assigned identities are ideal for workloads that:
run on multiple resources and can share a single identity
need pre-authorization to a secure resource
Limitations
Using managed identities in scale rules isn't supported. You'll still need to include the connection string or key in the secretRef of the scaling rule.
You can configure your managed identities through:
the Azure portal
the Azure CLI
your Azure Resource Manager (ARM) template
When a managed identity is added, deleted, or modified on a running container app, the app doesn't automatically restart and a new revision isn't created.
Note
When adding a managed identity to a container app deployed before April 11, 2022, you must create a new revision.
In the left navigation of your container app's page, scroll down to the Settings group.
Select Identity.
Within the System assigned tab, switch Status to On. Select Save.
Run the az containerapp identity assign command to create a system-assigned identity:
az containerapp identity assign --name myApp --resource-group myResourceGroup --system-assigned
An ARM template can be used to automate deployment of your container app and resources. To add a system-assigned identity, add an identity section to your ARM template.
"identity": {
"type": "SystemAssigned"
}
Adding the system-assigned type tells Azure to create and manage the identity for your application. For a complete ARM template example, see ARM API Specification.
Some Azure CLI commands, including az containerapp create and az containerapp job create, support YAML files for input. To add a system-assigned identity, add an identity section to your YAML file.
identity:
type: SystemAssigned
Adding the system-assigned type tells Azure to create and manage the identity for your application. For a complete YAML template example, see ARM API Specification.
Add a user-assigned identity
Configuring a container app with a user-assigned identity requires that you first create the identity then add its resource identifier to your container app's configuration. You can create user-assigned identities via the Azure portal or the Azure CLI. For information on creating and managing user-assigned identities, see Manage user-assigned managed identities.
Replace <IDENTITY_RESOURCE_ID> with the id property of the identity. To assign more than one user-assigned identity, supply a space-separated list of identity IDs to the --user-assigned parameter.
To add one or more user-assigned identities, add an identity section to your ARM template. Replace <IDENTITY1_RESOURCE_ID> and <IDENTITY2_RESOURCE_ID> with the resource identifiers of the identities you want to add.
Specify each user-assigned identity by adding an item to the userAssignedIdentities object with the identity's resource identifier as the key. Use an empty object as the value.
An application can have both system-assigned and user-assigned identities at the same time. In this case, the type property would be SystemAssigned,UserAssigned.
To add one or more user-assigned identities, add an identity section to your YAML configuration file. Replace <IDENTITY1_RESOURCE_ID> and <IDENTITY2_RESOURCE_ID> with the resource identifiers of the identities you want to add.
Specify each user-assigned identity by adding an item to the userAssignedIdentities object with the identity's resource identifier as the key. Use an empty object as the value.
An application can have both system-assigned and user-assigned identities at the same time. In this case, the type property would be SystemAssigned,UserAssigned.
Configure a target resource
For some resources, you'll need to configure role assignments for your app's managed identity to grant access. Otherwise, calls from your app to services, such as Azure Key Vault and Azure SQL Database, will be rejected even if you use a valid token for that identity. To learn more about Azure role-based access control (Azure RBAC), see What is RBAC?. To learn more about which resources support Microsoft Entra tokens, see Azure services that support Microsoft Entra authentication.
Important
The back-end services for managed identities maintain a cache per resource URI for around 24 hours. If you update the access policy of a particular target resource and immediately retrieve a token for that resource, you may continue to get a cached token with outdated permissions until that token expires. There's currently no way to force a token refresh.
Connect to Azure services in app code
With managed identities, an app can obtain tokens to access Azure resources that use Microsoft Entra ID, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application.
Container Apps provides an internally accessible REST endpoint to retrieve tokens. The REST endpoint can be accessed from within the app with a standard HTTP GET, which can be implemented with a generic HTTP client in every language. For .NET, JavaScript, Java, and Python, the Azure Identity client library provides an abstraction over this REST endpoint. Connecting to other Azure services is as simple as adding a credential object to the service-specific client.
Note
When using Azure Identity client library, the user-assigned managed identity client id must be specified.
For .NET apps, the simplest way to work with a managed identity is through the Azure Identity client library for .NET. See the respective documentation headings of the client library for information:
The linked examples use DefaultAzureCredential. It's useful for most the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).
For Node.js apps, the simplest way to work with a managed identity is through the Azure Identity client library for JavaScript. See the respective documentation headings of the client library for information:
The linked examples use DefaultAzureCredential. It's useful for most the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).
For more code examples of the Azure Identity client library for JavaScript, see Azure Identity examples.
For Python apps, the simplest way to work with a managed identity is through the Azure Identity client library for Python. See the respective documentation headings of the client library for information:
The linked examples use DefaultAzureCredential. It's useful for most the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).
For Java apps and functions, the simplest way to work with a managed identity is through the Azure Identity client library for Java. See the respective documentation headings of the client library for information:
The linked examples use DefaultAzureCredential. It's useful for most the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).
For more code examples of the Azure Identity client library for Java, see Azure Identity Examples.
Use the following script to retrieve a token from the local endpoint by specifying a resource URI of an Azure service. Replace the placeholder with the resource URI to obtain the token.
A raw HTTP GET request looks like the following example.
Obtain the token endpoint URL from the IDENTITY_ENDPOINT environment variable. x-identity-header contains the GUID that is stored in the IDENTITY_HEADER environment variable.
GET http://localhost:42356/msi/token?resource=https://vault.azure.net&api-version=2019-08-01 HTTP/1.1
x-identity-header: 853b9a84-5bfa-4b22-a3f3-0b9a43d9ad8a
The version of the token API to be used. Use "2019-08-01" or later.
X-IDENTITY-HEADER
Header
The value of the IDENTITY_HEADER environment variable. This header mitigates server-side request forgery (SSRF) attacks.
client_id
Query
(Optional) The client ID of the user-assigned identity to be used. Can't be used on a request that includes principal_id, mi_res_id, or object_id. If all ID parameters (client_id, principal_id, object_id, and mi_res_id) are omitted, the system-assigned identity is used.
principal_id
Query
(Optional) The principal ID of the user-assigned identity to be used. object_id is an alias that may be used instead. Can't be used on a request that includes client_id, mi_res_id, or object_id. If all ID parameters (client_id, principal_id, object_id, and mi_res_id) are omitted, the system-assigned identity is used.
mi_res_id
Query
(Optional) The Azure resource ID of the user-assigned identity to be used. Can't be used on a request that includes principal_id, client_id, or object_id. If all ID parameters (client_id, principal_id, object_id, and mi_res_id) are omitted, the system-assigned identity is used.
Important
If you are attempting to obtain tokens for user-assigned identities, you must include one of the optional properties. Otherwise the token service will attempt to obtain a token for a system-assigned identity, which may or may not exist.
View managed identities
You can show the system-assigned and user-assigned managed identities using the following Azure CLI command. The output shows the managed identity type, tenant IDs and principal IDs of all managed identities assigned to your container app.
az containerapp identity show --name <APP_NAME> --resource-group <GROUP_NAME>
Remove a managed identity
When you remove a system-assigned identity, it's deleted from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when you delete the container app resource itself. Removing user-assigned managed identities from your container app doesn't remove them from Microsoft Entra ID.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
