One of the core capabilities of Logic Apps is connecting a broad range of services together, and authentication is central to keeping those communications secure. We also want an easy development experience, and managed identity lets users connect to resources without managing (or storing) credentials themselves. We have supported system-assigned managed identity in Standard, and we're very excited to now bring user-assigned managed identity to the platform.
Key capabilities:
- Ability to associate a system-assigned managed identity and multiple user-assigned identities with a Logic App (at authoring time, the user chooses which identity to use with which action)
- Managed identity support for HTTP actions (documented here)
- Managed identity support for managed connectors
- Ability to configure managed identity used for token store authentication (advanced)
First, we will walk through how to use a user-assigned managed identity with a managed connector. Second, we will discuss what it means to configure token store authentication, which is not required to use user-assigned identities in general, but can be useful to users who want more fine-grained control over their API connections.
Using a user-assigned managed identity with a managed connector (Azure Key Vault):
Prerequisites
- Create or use an existing Standard Logic App.
- Create or use an existing user-assigned managed identity.
- Create or use an existing Azure Key Vault.
Steps
- Assign the user-assigned managed identity to the Logic App using the “Identity” blade.
- Create a new workflow and add an HTTP trigger.
- Search for the Key Vault connector and choose an action to add. We will use "List Secrets" in this example.
- Select “Connect with managed identity (preview)”, choose a connection name, fill in the vault name, select the user-assigned managed identity that was added in step 1, and click “Create”.
- Save the workflow.
- Give the user-assigned managed identity access to the key vault. Grant only what the action needs: "List Secrets" requires just the "List" secret permission.
  - Go to the key vault --> Access policies --> Create.
  - Check the "List" permission under "Secret permissions" and click Next.
  - Search for and select the user-assigned managed identity and click Next.
  - Skip the optional "Application" section and create the access policy.
  - If the vault uses the Azure RBAC permission model instead of access policies, assign the identity a role such as "Key Vault Secrets User" on the vault instead.
- Create a secret in the key vault if one doesn’t already exist.
- Go back to the workflow’s overview page, click “Run Trigger”, and it should run successfully.
- Open the run history and you should be able to see that the key vault action successfully authenticated to your key vault using your managed identity and fetched the list of secrets.
Token Store Authentication
What is it?
In connections.json, where the information for each API connection is stored, you may notice that each connection entry has two separate "authentication" sections.
The one nested under "connectionProperties" is used to authenticate to the target resource (Outlook, Key Vault, etc.) and changes depending on the type of authentication selected in the designer.
The one at the top level of the connection entry is the authentication used to communicate with the token store, which, until now, has always been set to "ManagedServiceIdentity" for an app deployed to Azure, with no configurability.
How does token store come into the picture?
When using an API connection, Logic Apps reaches the target resource in two steps.
Step #1 authenticates to the token store using the top-level "authentication" section of the connection entry; step #2 calls the target resource using the authentication configured under "connectionProperties".
In Logic Apps Consumption, step #1 was abstracted away from the user, but that is no longer the case in Standard, where the user has much more ownership and control over their Logic App resource. Now, with the addition of user-assigned managed identity, the token store authentication can be switched from the default system-assigned identity to any user-assigned identity. Because this is configured per connection, user-assigned and system-assigned identities can be mixed and matched between connections.
Why would I want to change token store auth?
Changing the token store auth can be useful if you want to share the same API connection between multiple Logic Apps but not add every Logic App’s system-assigned identity to the access policy of the API connection resource. Or, if you don’t want to have system-assigned identity configured on the Logic App at all, you can choose to switch to using user-assigned and disable system-assigned identity on the app altogether.
How do I configure token store auth to use a different identity?
- In the portal, go to the "Connections" blade of your Logic App and select the "JSON View" tab.
- In the top-level "authentication" section of the connection entry (not the one under "connectionProperties"), add a new "identity" property whose value is the resource ID of the user-assigned managed identity.
Note: If the "identity" property is missing, the system-assigned managed identity is implicitly used. Before disabling the system-assigned identity on the app, make sure every connection that still relies on this default has been switched.
- Go to the API connection resource in the portal and add the user-assigned managed identity in the "Access policies" blade. Until this access policy exists, the connection cannot authenticate to the token store with the new identity, so on a live app do this before saving the JSON change.
- Now, your Logic App will use the user-assigned managed identity you configured to authenticate with the token store.
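The two "authentication" sections and the "identity" switch described above, as an added example that is not part of the original post: a small Python script that loads a connections.json, reports which identity each connection uses for the token store and for the target resource, and re-points the token-store section at a user-assigned identity (or back to the implicit system-assigned default). The sample connections.json is constructed here and follows the documented layout, but every subscription, resource group, identity name and runtime URL is a placeholder. The script only edits the file; adding the identity to the API connection's access policy still has to be done in Azure.

```python
"""Inspect and re-point the token-store identity in a Logic Apps Standard
connections.json. Added example; the layout follows the documented
connections.json shape, but every subscription, resource group and identity
name below is a placeholder, not a real resource."""
import copy
import json
import re
from typing import Optional

# Constructed sample (not from a real deployment): one Key Vault connection
# whose token-store auth (top-level "authentication") still uses the implicit
# system-assigned identity, while its target-resource auth (under
# "connectionProperties") already names a user-assigned identity.
SAMPLE_CONNECTIONS_JSON = """{
  "managedApiConnections": {
    "keyvault": {
      "api": {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Web/locations/westus/managedApis/keyvault"
      },
      "authentication": {
        "type": "ManagedServiceIdentity"
      },
      "connection": {
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Web/connections/keyvault"
      },
      "connectionProperties": {
        "authentication": {
          "audience": "https://vault.azure.net",
          "type": "ManagedServiceIdentity",
          "identity": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-demo"
        }
      },
      "connectionRuntimeUrl": "https://example.invalid/apim/keyvault/placeholder"
    }
  }
}"""

# Placeholder resource ID of the user-assigned identity the token store should use.
DEMO_UAMI_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-demo")

_UAMI_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/"
    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$")


def load_sample() -> dict:
    return json.loads(SAMPLE_CONNECTIONS_JSON)


def is_uami_resource_id(value: str) -> bool:
    """True if `value` looks like a user-assigned managed identity resource ID."""
    return bool(_UAMI_ID_RE.match(value))


def effective_identity(auth: dict) -> str:
    """Which identity an "authentication" block resolves to. With type
    ManagedServiceIdentity, a missing "identity" property means the
    system-assigned identity is used implicitly."""
    if auth.get("type") != "ManagedServiceIdentity":
        return auth.get("type", "<none>")
    return auth.get("identity", "system-assigned")


def summarize(connections: dict) -> dict:
    """Map each connection name to (token-store identity, target-resource identity)."""
    result = {}
    for name, conn in connections["managedApiConnections"].items():
        token_store = effective_identity(conn.get("authentication", {}))
        target = effective_identity(
            conn.get("connectionProperties", {}).get("authentication", {}))
        result[name] = (token_store, target)
    return result


def set_token_store_identity(connections: dict, name: str,
                             uami_id: Optional[str]) -> dict:
    """Return a copy of `connections` in which connection `name` authenticates
    to the token store with `uami_id`, or with the system-assigned identity when
    `uami_id` is None. Only the top-level "authentication" section is touched;
    the target-resource auth under "connectionProperties" is left as is."""
    if uami_id is not None and not is_uami_resource_id(uami_id):
        raise ValueError(f"not a user-assigned identity resource ID: {uami_id}")
    updated = copy.deepcopy(connections)
    auth = updated["managedApiConnections"][name].setdefault("authentication", {})
    auth["type"] = "ManagedServiceIdentity"
    if uami_id is None:
        auth.pop("identity", None)  # back to the implicit system-assigned default
    else:
        auth["identity"] = uami_id
    return updated


if __name__ == "__main__":
    before = load_sample()
    after = set_token_store_identity(before, "keyvault", DEMO_UAMI_ID)
    for label, conns in (("before", before), ("after", after)):
        for conn_name, (ts, tgt) in summarize(conns).items():
            print(f"{label}: {conn_name}: token store -> {ts}; target -> {tgt}")
    # This is the section you would paste into the portal's JSON View.
    print(json.dumps(after["managedApiConnections"]["keyvault"]["authentication"], indent=2))
```

Running the script prints the before/after summary and the rewritten top-level "authentication" section. The summary is also a useful pre-flight check before disabling the system-assigned identity on an app: any connection whose token-store column still reads "system-assigned" will break once that identity is gone.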
We hope this provides a helpful starting point for using user-assigned managed identities with Logic Apps Standard. For more information, see our official documentation here. As always, we appreciate any feedback or suggestions that you may have.