Use managed identities for Azure Load Testing Preview

Članak
04/20/2022
4 min. za čitanje

This article shows how you can create a managed identity for an Azure Load Testing Preview resource and how to use it to read secrets from your Azure key vault.

A managed identity in Azure Active Directory (Azure AD) allows your resource to easily access other Azure AD-protected resources, such as Azure Key Vault. The identity is managed by the Azure platform. For more information about managed identities in Azure AD, see Managed identities for Azure resources.

Azure Load Testing supports two types of identities:

A system-assigned identity is associated with your Azure Load Testing resource and is removed when your resource is deleted. A resource can have only one system-assigned identity.
A user-assigned identity is a standalone Azure resource that you can assign to your Azure Load Testing resource. When you delete the Load Testing resource, the identity is not removed. You can assign multiple user-assigned identities to the Load Testing resource.

Important

Azure Load Testing is currently in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the Supplemental Terms of Use for Microsoft Azure Previews.

Prerequisites

An Azure account with an active subscription. If you don't have an Azure subscription, create a free account before you begin.
An Azure Load Testing resource. If you need to create an Azure Load Testing resource, see the quickstart Create and run a load test.

Set a system-assigned identity

To add a system-assigned identity for your Azure Load Testing resource, you need to enable a property on the resource. You can set this property by using the Azure portal or by using an Azure Resource Manager (ARM) template.

Portal
ARM template

To set up a managed identity in the portal, you first create an Azure Load Testing resource and then enable the feature.

In the Azure portal, go to your Azure Load Testing resource.
On the left pane, select Identity.
Switch the system-assigned identity status to On, and then select Save.

You can use an ARM template to automate the deployment of your Azure resources. You can create any resource of type Microsoft.LoadTestService/loadtests with an identity by including the following property in the resource definition:

"identity": {
    "type": "SystemAssigned"
}

By adding the system-assigned type, you're telling Azure to create and manage the identity for your resource. For example, an Azure Load Testing resource might look like the following:

{
    "type": "Microsoft.LoadTestService/loadtests",
    "apiVersion": "2021-09-01-preview",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "tags": "[parameters('tags')]",
    "identity": {
        "type": "SystemAssigned"
    }
}

When the resource is created, it gets the following additional properties:

"identity": {
    "type": "SystemAssigned",
    "tenantId": "<TENANTID>",
    "principalId": "<PRINCIPALID>"
}

The tenantId property identifies which Azure AD tenant the identity belongs to. The principalId is a unique identifier for the resource's new identity. Within Azure AD, the service principal has the same name as the Azure Load Testing resource.

Set a user-assigned identity

Before you can add a user-assigned identity to an Azure Load Testing resource, you must first create this identity. You can then add the identity by using its resource identifier.

Portal
ARM template

Create a user-assigned managed identity by following the instructions mentioned here.
In the Azure portal, go to your Azure Load Testing resource.
On the left pane, select Identity.
Select User assigned tab and click Add.
Search and select the identity you created previously. Then select Add to add it to the Azure Load Testing resource.

You can create an Azure Load Testing resource by using an ARM template and the resource type Microsoft.LoadTestService/loadtests. You can specify a user-assigned identity in the identity section of the resource definition. Replace the <RESOURCEID> text placeholder with the resource ID of your user-assigned identity:

"identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
        "<RESOURCEID>": {}
    }
}

The following code snippet shows an example of an Azure Load Testing ARM resource definition with a user-assigned identity:

{
    "type": "Microsoft.LoadTestService/loadtests",
    "apiVersion": "2021-09-01-preview",
    "name": "[parameters('name')]",
    "location": "[parameters('location')]",
    "tags": "[parameters('tags')]",
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "<RESOURCEID>": {}
        }
}

After the Load Testing resource is created, Azure provides the principalId and clientId properties:

"identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
        "<RESOURCEID>": {
            "principalId": "<PRINCIPALID>",
            "clientId": "<CLIENTID>"
        }
    }
}

The principalId is a unique identifier for the identity that's used for Azure AD administration. The clientId is a unique identifier for the resource's new identity that's used for specifying which identity to use during runtime calls.

Grant access to your Azure key vault

A managed identity allows the Azure Load testing resource to access other Azure resources. In this section, you grant the Azure Load Testing service access to read secret values from your key vault.

If you don't already have a key vault, follow the instructions in Azure Key Vault quickstart to create it.

In the Azure portal, go to your Azure Key Vault resource.
On the left pane, under Settings, select Access Policies, and then Add Access Policy.
In the Secret permissions dropdown list, select Get.
Select Select principal, and then select the system-assigned or user-assigned principal for your Azure Load Testing resource.

The name of the system-assigned principal is the same name as the Azure Load Testing resource.
Select Add.

You've now granted access to your Azure Load Testing resource to read the secret values from your Azure key vault.

Next steps

To learn how to parameterize a load test by using secrets, see Parameterize a load test.
Learn how to Manage users and roles in Azure Load Testing.