Configure system or user assigned managed identities in Azure Database for PostgreSQL - Flexible Server

APPLIES TO: Azure Database for PostgreSQL - Flexible Server

In this article, you can learn how to enable or disable a system assigned managed identity for your instance of Azure Database for PostgreSQL flexible server. You can also learn how to add or remove one or more user assigned managed identities to your instance.

Enable the system assigned managed identity for existing servers

Portal

Using the Azure portal:

1. Locate your server in the portal, if you don't have it open. One way to do it is by typing the name of the server in the search bar. When the resource with the matching name is shown, select that resource.

   

2. In the resource menu, under Security, select Identity. Then, in the System assigned managed identity section, select the On option. Select Save.

   

3. When the process completes, a notification informs you that the system assigned managed identity is enabled.

   

CLI

The az postgres flexible-server update command doesn't provide built-in support to enable and disable the system assigned managed identity yet. As a workaround, you can use the az rest command to directly invoke the Servers - Update REST API.

# Enable system assigned managed identity
subscriptionId=<subscription-id>
resourceGroup=<resource-group>
server=<server>
result=$(az postgres flexible-server show --resource-group $resourceGroup --name $server --query "identity.type" --output tsv)
if [ -z "$result" ]; then
    az rest --method patch --url https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/$server?api-version=2024-08-01 --body '{"identity":{"type":"SystemAssigned"}}'
elif [ "$result" == "UserAssigned" ]; then
    az rest --method patch --url https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/$server?api-version=2024-08-01 --body '{"identity":{"type":"SystemAssigned,UserAssigned"}}'
else
    echo "System Assigned Managed identity is already enabled."
fi

Disable the system assigned managed identity for existing servers

Portal

Using the Azure portal:

1. Locate your server in the portal, if you don't have it open. One way to do it is by typing the name of the server in the search bar. When the resource with the matching name is shown, select that resource.

   

2. In the resource menu, under Security, select Identity. Then, in the System assigned managed identity section, select the Off option. Select Save.

   

3. When the process completes, a notification informs you that the system assigned managed identity is disabled.

   

CLI

The az postgres flexible-server update command doesn't provide built-in support to enable and disable the system assigned managed identity yet. As a workaround, you can use the az rest command to directly invoke the Servers - Update REST API.

# Disable system assigned managed identity
subscriptionId=<subscription-id>
resourceGroup=<resource-group>
server=<server>
result=$(az postgres flexible-server show --resource-group $resourceGroup --name $server --query "identity.type" --output tsv)
if [ "$result" == "SystemAssigned" ]; then
    az rest --method patch --url https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/$server?api-version=2024-08-01 --body '{"identity":{"type":"None"}}'
elif [ "$result" == "SystemAssigned,UserAssigned" ]; then
    echo "System Assigned Managed identity cannot be disabled as the instance has User Assigned Managed identities assigned."
else
    echo "System Assigned Managed identity is already disabled."
fi

Show the system assigned managed identity

Portal

Using the Azure portal:

1. Locate your server in the portal, if you don't have it open. One way to do it is by typing the name of the server in the search bar. When the resource with the matching name is shown, select that resource.

   

2. In the resource menu, under Overview, select JSON View.

   

3. In the Resource JSON panel that opens, find the identity property and, inside it, you can find the principalId and tenantId for the system assigned managed identity.

   

CLI

# Show the system assigned managed identity
resourceGroup=<resource-group>
server=<server>
az postgres flexible-server identity list --resource-group $resourceGroup --server-name $server --query "{principalId:principalId, tenantId:tenantId}" --output table

Verify the system assigned managed identity

Portal

Using the Azure portal:

1. Locate the Enterprise Applications service in the portal, if you don't have it open. One way to do it is by typing its name in the search bar. When the service with the matching name is shown, select it.

   

2. Choose Application Type == Managed Identity.

3. Provide the name of your instance of Azure Database for PostgreSQL flexible server in the Search by application name or object ID text box.

   

CLI

# Verify the system assigned managed identity
server=<server>
az ad sp list --display-name $server

Associate user assigned managed identities to existing servers

This article assumes you created the user assigned managed identities that you want to associate to an existing instance of Azure Database for PostgreSQL flexible server.

For more information, see how to manage user assigned managed identities in Microsoft Entra ID.

You can associate as many user assigned managed identities as you want to an instance of Azure Database for PostgreSQL flexible server.

Portal

There's no support to associate user assigned managed identities to an instance of Azure Database for PostgreSQL flexible server via the portal.

CLI

You can associate a user assigned identity to an instance of Azure Database for PostgreSQL flexible server via the az postgres flexible-server identity assign command.

# Associate user assigned managed identity
resourceGroup=<resource-group>
server=<server>
identity=<identity>
az postgres flexible-server identity assign --resource-group $resourceGroup --server-name $server --identity $identity

Dissociate user assigned managed identities to existing servers

The service supports dissociating user assigned managed identities which are associated to an instance of Azure Database for PostgreSQL flexible server.

An exception to that rule is any of the user assigned managed identities that are designated as the ones that should be used to access the encryption keys. This case is only possible on servers that were deployed with data encryption using customer managed keys.

Portal

There's no support to dissociate user assigned managed identities from an instance of Azure Database for PostgreSQL flexible server via the portal.

CLI

You can dissociate a user assigned identity from an instance of Azure Database for PostgreSQL flexible server via the az postgres flexible-server identity remove command.

# Dissociate user assigned managed identity
resourceGroup=<resource-group>
server=<server>
identity=<identity>
az postgres flexible-server identity remove --resource-group $resourceGroup --server-name $server --identity $identity

Show the associated user assigned managed identities

Portal

Using the Azure portal:

1. Locate your server in the portal, if you don't have it open. One way to do it is by typing the name of the server in the search bar. When the resource with the matching name is shown, select that resource.

   

2. In the resource menu, under Overview, select JSON View.

   

3. In the Resource JSON panel that opens, find the identity property and, inside it, you can find the userAssignedIdentities. That object consists of one or more key/value pairs, where each key represents the resource identifier of one user assigned managed identity, and their corresponding value is made of principalId and clientId associated to that managed identity.

   

CLI

# List all associated user assigned managed identities
resourceGroup=<resource-group>
server=<server>
az postgres flexible-server identity list --resource-group $resourceGroup --server-name $server --query "userAssignedIdentities"

Share your suggestions and bugs with the Azure Database for PostgreSQL product team.

Related content

• Managed identities in Azure Database for PostgreSQL - Flexible Server.
• Firewall rules in Azure Database for PostgreSQL - Flexible Server.
• Public access and private endpoints in Azure Database for PostgreSQL - Flexible Server.
• Virtual network integration in Azure Database for PostgreSQL - Flexible Server.