Communicating with other Azure services

You may require the Azure agent to communicate with other Azure services, such as Azure Key Vault or Azure Blob Storage. For this, you will use an Azure managed identity, as described below. The managed identity will be linked to a container app, allowing the app to then impersonate this identity when it's performing actions that need authentication, such as downloading a file from Azure Blob Storage. An environment variable is used to pass the information the agent needs for this process.

This process requires the following configuration steps:

  1. Create a managed identity.
  2. Assign the managed identity to roles.
  3. Link the managed identity and a container app.
  4. Set the Azure client ID environment variable.

Note

If your container app itself has been deployed by the ARM template, and you do not want to use an existing managed identity, you do not need to take any action. The template will create and assign a managed identity to the container app with the correct roles.

For more information on the use of managed identities, read Manage user-assigned managed identities in the Microsoft documentation.


Create a managed identity

  1. Log in to the Azure Portal.
  2. Use the search bar to search for "managed identities", and click the Managed Identities result.
  3. Click + Create.
  4. Select a Resource group and choose a Name for the managed identity.
  5. If your organization has a policy that mandates managed identity tags, click Tags and assign tags as required.
  6. Click Review + create, and then click Create if you are satisfied with your managed identity configuration.

Assign the managed identity to roles

  1. Use the search bar to search for "resource groups", and click the Resource groups result.
  2. Select the resource group you used for your managed identity.
  3. In the resource group, click Access control (IAM).
  4. Click + Add then Add role assignment.
  5. Search for the role you want to add the managed identity to, and click it to select it, then click Next.
  6. On the Members tab, click Managed identity, and then click + Select members.
  7. In the Select managed identities panel, select User-assigned managed identity from the Managed identity drop-down, and click the required identity in the resulting list.
  8. Click Select, and the selection will be added to the Members list in the main panel.
  9. Click Review + assign.

Repeat steps 4 to 9 for each role you want to add the managed identity to.


Link the managed identity and a container app

  1. Use the search bar to search for "container apps", and click the Container Apps result.
  2. Select the container app you want to link.
  3. Click Settings > Identity.
  4. Click the User assigned tab, then click + Add.
  5. In the Add user assigned managed identity panel, select the identities that you want to link, then click Add.

Set the Azure client ID environment variable

With the managed identity and container app linked, you now need to provide the Azure client ID to the agent, so that the agent can use it to authenticate. The agent looks for the client ID in an environment variable called AZURE_CLIENT_ID.

  1. Use the search bar to search for "managed identities", and click the Managed Identities result.
  2. Select the managed identity you created previously.
  3. Copy the Client ID displayed on the managed identity Overview page.

If creating the container manually for the first time, add the AZURE_CLIENT_ID environment variable at the same time as you add other environment variables (such as AGENT_ID). Read Agent installation using an ARM template for details.

If editing an existing container app, add the Client ID value as follows:

  1. Use the search bar to search for "container apps", and click the Container Apps result.
  2. Select the container app you want to edit.
  3. Click Application > Containers, and then click Edit and deploy.
  4. Click the name of the container in the Container image list.
  5. In the Edit a container panel, scroll down to Environment variables, and click + Add.
  6. Complete the following fields:

    • Name: Enter AZURE_CLIENT_ID.
    • Source: Select Manual entry.
    • Value: Paste the Client ID you copied from the managed identity.
  7. Click Save.
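
The four portal steps above can also be scripted with the Azure CLI, which makes the configuration repeatable and reviewable. The following is an added example, not part of the original documentation: it assumes `az` (with the `containerapp` commands) is installed and logged in, that the identity and the container app share one resource group, and that every argument is a value you supply.

```shell
#!/bin/sh
# Added example (not from the product documentation): scripts the four portal
# steps with the Azure CLI. Assumes the identity and the container app share
# one resource group; every argument is a value you supply.
# Usage: sh link-identity.sh <resource-group> <identity> <container-app> <role>

# Succeeds only if $1 has the GUID shape of a managed identity client ID.
is_guid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Reads one property of the managed identity ($3 is a JMESPath query).
identity_prop() {
    az identity show --name "$2" --resource-group "$1" --query "$3" --output tsv
}

link_identity() {
    rg=$1; identity=$2; app=$3; role=$4

    # Step 1: create the user-assigned managed identity.
    az identity create --name "$identity" --resource-group "$rg" \
        --output none || return 1
    client_id=$(identity_prop "$rg" "$identity" clientId) || return 1
    principal_id=$(identity_prop "$rg" "$identity" principalId) || return 1
    identity_id=$(identity_prop "$rg" "$identity" id) || return 1
    is_guid "$client_id" || { echo "unexpected client ID" >&2; return 1; }

    # Step 2: assign the role at the resource group, as in the portal steps.
    scope=$(az group show --name "$rg" --query id --output tsv) || return 1
    az role assignment create --assignee-object-id "$principal_id" \
        --assignee-principal-type ServicePrincipal \
        --role "$role" --scope "$scope" --output none || return 1

    # Step 3: link the identity to the container app.
    az containerapp identity assign --name "$app" --resource-group "$rg" \
        --user-assigned "$identity_id" --output none || return 1

    # Step 4: expose the client ID to the agent.
    az containerapp update --name "$app" --resource-group "$rg" \
        --set-env-vars "AZURE_CLIENT_ID=$client_id" --output none || return 1

    printf '%s\n' "$client_id"
}

# Run only when called with the four arguments.
if [ "$#" -eq 4 ]; then link_identity "$@"; fi
```

On success the script prints the client ID it stored in AZURE_CLIENT_ID. Call `link_identity` once per role to mirror repeating the role assignment steps.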