Managed identities in Azure Container Apps

A managed identity from Azure Active Directory (Azure AD) allows your container app to access other Azure AD-protected resources. For more about managed identities in Azure AD, see Managed identities for Azure resources.

Your container app can be granted two types of identities:

  • A system-assigned identity is tied to your container app and is deleted when your container app is deleted. An app can only have one system-assigned identity.
  • A user-assigned identity is a standalone Azure resource that can be assigned to your container app and other resources. A container app can have multiple user-assigned identities. The identity exists until you delete them.

Why use a managed identity?

You can use a managed identity in a running container app to authenticate to any service that supports Azure AD authentication.

With managed identities:

  • Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
  • You can use role-based access control to grant specific permissions to a managed identity.
  • System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
  • You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
  • You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.

Common use cases

System-assigned identities are best for workloads that:

  • are contained within a single resource
  • need independent identities

User-assigned identities are ideal for workloads that:

  • run on multiple resources and can share a single identity
  • need pre-authorization to a secure resource

Limitations

The identity is only available within a running container, which means you can't use a managed identity in scaling rules or Dapr configuration. To access resources that require a connection string or key, such as storage resources, you'll still need to include the connection string or key in the secretRef of the scaling rule.

Configure managed identities

You can configure your managed identities through:

  • the Azure portal
  • the Azure CLI
  • your Azure Resource Manager (ARM) template

When a managed identity is added, deleted, or modified on a running container app, the app doesn't automatically restart and a new revision isn't created.

Note

When adding a managed identity to a container app deployed before April 11, 2022, you must create a new revision.

Add a system-assigned identity

  1. In the left navigation of your container app's page, scroll down to the Settings group.

  2. Select Identity.

  3. Within the System assigned tab, switch Status to On. Select Save.

Screenshot of system-assigned identities.

Add a user-assigned identity

Configuring a container app with a user-assigned identity requires that you first create the identity then add its resource identifier to your container app's configuration. You can create user-assigned identities via the Azure portal or the Azure CLI. For information on creating and managing user-assigned identities, see Manage user-assigned managed identities.

First, you'll need to create a user-assigned identity resource.

  1. Create a user-assigned managed identity resource according to the steps found in Manage user-assigned managed identities.

  2. In the left navigation for your container app's page, scroll down to the Settings group.

  3. Select Identity.

  4. Within the User assigned tab, select Add.

  5. Search for the identity you created earlier and select it. Select Add.

Screenshot of user-assigned identities.

Configure a target resource

For some resources, you'll need to configure role assignments for your app's managed identity to grant access. Otherwise, calls from your app to services, such as Azure Key Vault and Azure SQL Database, will be rejected even if you use a valid token for that identity. To learn more about Azure role-based access control (Azure RBAC), see What is RBAC?. To learn more about which resources support Azure Active Directory tokens, see Azure services that support Azure AD authentication.

Important

The back-end services for managed identities maintain a cache per resource URI for around 24 hours. If you update the access policy of a particular target resource and immediately retrieve a token for that resource, you may continue to get a cached token with outdated permissions until that token expires. There's currently no way to force a token refresh.

Connect to Azure services in app code

With managed identities, an app can obtain tokens to access Azure resources that use Azure Active Directory, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application.

Container Apps provides an internally accessible REST endpoint to retrieve tokens. The REST endpoint can be accessed from within the app with a standard HTTP GET, which can be implemented with a generic HTTP client in every language. For .NET, JavaScript, Java, and Python, the Azure Identity client library provides an abstraction over this REST endpoint. Connecting to other Azure services is as simple as adding a credential object to the service-specific client.

Note

When connecting to Azure SQL data sources with Entity Framework Core, consider using Microsoft.Data.SqlClient, which provides special connection strings for managed identity connectivity.

For .NET apps, the simplest way to work with a managed identity is through the Azure Identity client library for .NET. See the respective documentation headings of the client library for information:

The linked examples use DefaultAzureCredential. It's useful for most the scenarios because the same pattern works in Azure (with managed identities) and on your local machine (without managed identities).

View managed identities

You can show the system-assigned and user-assigned managed identities using the following Azure CLI command. The output will show the managed identity type, tenant IDs and principal IDs of all managed identities assigned to your container app.

az containerapps identity show --name <APP_NAME> --resource-group <GROUP_NAME>

Remove a managed identity

When you remove a system-assigned identity, it's deleted from Azure Active Directory. System-assigned identities are also automatically removed from Azure Active Directory when you delete the container app resource itself. Removing user-assigned managed identities from your container app doesn't remove them from Azure Active Directory.

  1. In the left navigation of your app's page, scroll down to the Settings group.

  2. Select Identity. Then follow the steps based on the identity type:

    • System-assigned identity: Within the System assigned tab, switch Status to Off. Select Save.
    • User-assigned identity: Select the User assigned tab, select the checkbox for the identity, and select Remove. Select Yes to confirm.

Next steps