User assigned managed identities

APPLIES TO: Azure Database for PostgreSQL - Flexible Server

This article provides step-by-step instructions to add or remove user assigned managed identities to an Azure Database for PostgreSQL flexible server.

Steps to assign to existing servers

This article assumes you created the user assigned managed identities that you want to associate to an existing instance of Azure Database for PostgreSQL flexible server.

For more information, see how to manage user assigned managed identities in Microsoft Entra ID.

You can associate as many user assigned managed identities as you want to an instance of Azure Database for PostgreSQL flexible server.

Portal

There's no support to associate user assigned managed identities to an instance of Azure Database for PostgreSQL flexible server via the portal.

CLI

You can associate a user assigned identity to an instance of Azure Database for PostgreSQL flexible server via the az postgres flexible-server identity assign command.

# Associate user assigned managed identity
resourceGroup=<resource-group>
server=<server>
identity=<identity>
az postgres flexible-server identity assign --resource-group $resourceGroup --server-name $server --identity $identity

Steps to remove from existing servers

The service supports dissociating user assigned managed identities which are associated to an instance of Azure Database for PostgreSQL flexible server.

An exception to that rule is any of the user assigned managed identities that are designated as the ones that should be used to access the encryption keys. This case is only possible on servers that were deployed with data encryption using customer managed keys.

Portal

There's no support to dissociate user assigned managed identities from an instance of Azure Database for PostgreSQL flexible server via the portal.

CLI

You can dissociate a user assigned identity from an instance of Azure Database for PostgreSQL flexible server via the az postgres flexible-server identity remove command.

# Dissociate user assigned managed identity
resourceGroup=<resource-group>
server=<server>
identity=<identity>
az postgres flexible-server identity remove --resource-group $resourceGroup --server-name $server --identity $identity

If you try to remove a user assigned managed identity which is used to access a data encryption key, you get the following error:

Cannot remove identity <identity> because it's used for data encryption.

Steps to show currently assigned

Portal

Using the Azure portal:

1. Locate your server in the portal, if you don't have it open. One way to do it is by typing the name of the server in the search bar. When the resource with the matching name is shown, select that resource.

   

2. In the resource menu, under Overview, select JSON View.

   

3. In the Resource JSON panel that opens, find the identity property and, inside it, you can find the userAssignedIdentities. That object consists of one or more key/value pairs, where each key represents the resource identifier of one user assigned managed identity, and their corresponding value is made of principalId and clientId associated to that managed identity.

   

CLI

# List all associated user assigned managed identities
resourceGroup=<resource-group>
server=<server>
az postgres flexible-server identity list --resource-group $resourceGroup --server-name $server --query "userAssignedIdentities"

Related content

• System assigned managed identity.