Manage user-assigned managed identities for an application in Azure Spring Apps
Note
The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.
The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.
This article applies to: ✅ Basic/Standard ✅ Enterprise
This article shows you how to assign or remove user-assigned managed identities for an application in Azure Spring Apps, using the Azure portal and Azure CLI.
Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID to an Azure resource such as your application in Azure Spring Apps. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code.
Prerequisites
- If you're unfamiliar with managed identities for Azure resources, see What are managed identities for Azure resources?
- An already provisioned Azure Spring Apps Enterprise plan instance. For more information, see Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan.
- Azure CLI version 2.45.0 or higher.
-
The Azure Spring Apps extension for Azure CLI supports app user-assigned managed identity with version 1.0.0 or later. Use the following command to remove previous versions and install the latest extension:
az extension remove --name spring az extension add --name spring
- At least one already provisioned user-assigned managed identity. For more information, see Manage user-assigned managed identities.
- An already provisioned Azure Spring Apps instance. For more information, see Quickstart: Deploy your first application to Azure Spring Apps.
- Azure CLI version 2.45.0 or higher.
-
The Azure Spring Apps extension for Azure CLI supports app user-assigned managed identity with version 1.0.0 or later. Use the following command to remove previous versions and install the latest extension:
az extension remove --name spring az extension add --name spring
- At least one already provisioned user-assigned managed identity. For more information, see Manage user-assigned managed identities.
Assign user-assigned managed identities when creating an application
Create an application and assign user-assigned managed identity at the same time by using the following command:
az spring app create \
--resource-group <resource-group-name> \
--name <app-name> \
--service <service-instance-name> \
--user-assigned <space-separated user identity resource IDs to assign>
Assign user-assigned managed identities to an existing application
Assigning user-assigned managed identity requires setting another property on the application.
To assign user-assigned managed identity to an existing application in the Azure portal, follow these steps:
- Navigate to an application in the Azure portal as you normally would.
- Scroll down to the Settings group in the left navigation pane.
- Select Identity.
- Within the User assigned tab, select Add.
- Choose one or more user-assigned managed identities from right panel and then select Add from this panel.
Obtain tokens for Azure resources
An application can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.
You might need to configure the target resource to enable access from your application. For more information, see Assign a managed identity access to an Azure resource or another resource. For example, if you request a token to access Key Vault, be sure you've added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see Azure services that support Microsoft Entra authentication
Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples, and guidance on important topics such as handling token expiration and HTTP errors, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.
Remove user-assigned managed identities from an existing app
Removing user-assigned managed identities removes the assignment between the identities and the application, and doesn't delete the identities themselves.
To remove user-assigned managed identities from an application that no longer needs it, follow these steps:
- Sign in to the Azure portal using an account associated with the Azure subscription that contains the Azure Spring Apps instance.
- Navigate to the desired application and select Identity.
- Under User assigned, select target identities and then select Remove.
Limitations
For user-assigned managed identity limitations, see Quotas and service plans for Azure Spring Apps.