
Managed identity integration in Azure - Commands & Configuration

Introduction
Managed identity integration lets your Azure services securely access other resources without needing passwords or keys. It solves the problem of safely managing credentials by automatically handling them for you.
When you want an Azure virtual machine to access Azure Key Vault secrets without storing credentials.
When an Azure App Service needs to read data from an Azure Storage account securely.
When you want to grant an Azure Function permission to access a database without embedding connection strings.
When you want to avoid manual credential rotation and reduce security risks.
When you want to simplify authentication between Azure services in your cloud applications.
Config File - azure-pod.yaml
azure-pod.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app-sa
  namespace: example-namespace
  annotations:
    azure.workload.identity/client-id: "11111111-1111-1111-1111-111111111111"
---
apiVersion: v1
kind: Pod
metadata:
  name: my-app-pod
  namespace: example-namespace
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: my-app-sa
  containers:
  - name: my-app-container
    image: mcr.microsoft.com/azure-cli
    command: ["sleep", "3600"]

This Kubernetes manifest shows how to bind a user-assigned managed identity to a pod with Azure Workload Identity. A Pod spec has no identity field, so the identity is bound through the pod's service account instead. The manifest assumes the AKS cluster has the OIDC issuer and workload identity enabled (--enable-oidc-issuer --enable-workload-identity), that the namespace example-namespace exists, and that my-identity has a federated credential (az identity federated-credential create) whose issuer is the cluster's OIDC issuer URL and whose subject is system:serviceaccount:example-namespace:my-app-sa.

ServiceAccount metadata.annotations: azure.workload.identity/client-id names, by client ID, the managed identity that pods using this service account act as.

Pod metadata: Names the pod and sets its namespace; the azure.workload.identity/use: "true" label tells the workload identity webhook to inject AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE, plus a projected service account token, into the pod.

spec.serviceAccountName: Runs the pod as my-app-sa, so its projected token carries the subject the federated credential trusts.

spec.containers: Defines the container image and command.

Commands
Create a user-assigned managed identity in the resource group example-rg in the eastus region.
Terminal
az identity create --resource-group example-rg --name my-identity --location eastus
Expected Output
{
  "clientId": "11111111-1111-1111-1111-111111111111",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity",
  "location": "eastus",
  "name": "my-identity",
  "principalId": "22222222-2222-2222-2222-222222222222",
  "resourceGroup": "example-rg",
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
--resource-group - Specifies the resource group where the identity is created
--name - Names the managed identity
--location - Sets the Azure region for the identity
Deploy the service account and the pod so the pod can use the managed identity to access Azure resources securely.
Terminal
kubectl apply -f azure-pod.yaml
Expected Output
serviceaccount/my-app-sa created
pod/my-app-pod created
Check that the pod is running and ready to use the managed identity.
Terminal
kubectl get pods -n example-namespace
Expected Output
NAME         READY   STATUS    RESTARTS   AGE
my-app-pod   1/1     Running   0          10s
Inside the pod, log in to Azure as the managed identity. The pod holds no secret: the injected environment variables supply the client ID, the tenant ID and the path of the projected Kubernetes token, and az login exchanges that token for an Entra ID token through the federated credential.
Terminal
kubectl exec -n example-namespace my-app-pod -- sh -c 'az login --service-principal -u "$AZURE_CLIENT_ID" -t "$AZURE_TENANT_ID" --federated-token "$(cat "$AZURE_FEDERATED_TOKEN_FILE")"'
Expected Output
{
  "cloudName": "AzureCloud",
  "homeTenantId": "33333333-3333-3333-3333-333333333333",
  "id": "22222222-2222-2222-2222-222222222222",
  "isDefault": true,
  "managedByTenants": [],
  "name": "my-identity",
  "state": "Enabled",
  "tenantId": "33333333-3333-3333-3333-333333333333",
  "user": {
    "name": "my-identity",
    "type": "servicePrincipal"
  }
}
--service-principal - Log in as a service principal (the managed identity) rather than as a user
-u - The client ID of the user-assigned managed identity (from AZURE_CLIENT_ID)
-t - The Entra ID tenant that issued the identity (from AZURE_TENANT_ID)
--federated-token - The pod's projected Kubernetes service account token, exchanged for an Azure token in place of a password or certificate
Key Concept

If you remember nothing else from this pattern, remember: managed identities let Azure services authenticate securely without storing or managing passwords.

Common Mistakes
Not assigning the managed identity to the resource before trying to use it.
The service cannot authenticate without the identity attached, causing authentication failures.
Always create and assign the managed identity to the resource before using it.
Using the wrong client ID or resource ID when binding the identity to the pod.
The pod cannot find or use the identity, so login fails or the token is issued for a different identity than intended.
Copy the exact clientId and id values from the output of az identity create.
Trying to use managed identity login outside of an Azure environment or without proper permissions.
Managed identity authentication only works within Azure resources that support it.
Use managed identity only inside Azure services that support it, like VMs, App Services, or AKS pods.
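The login step above exchanges the pod's projected Kubernetes token for an Entra ID access token, and the "wrong client ID" mistake shows up as a token issued to some other identity. The example below is added here and is not code from the page or from any Azure SDK: it builds, in Python, the token-exchange request the CLI sends from the webhook-injected environment variables, then checks the claims of the returned token against the expected client and principal IDs before the first API call can fail with a confusing 403. The environment variable names, the token endpoint and the OAuth form parameters are the standard Azure Workload Identity flow; the helper names (build_token_request, token_claims, check_token_identity, demo), the unsigned sample tokens, the placeholder issuer URL and the Key Vault scope are assumptions constructed so the script runs offline.

```python
"""Added example: the Azure Workload Identity token exchange and a claim check.

Not part of the page or any Azure SDK.  Helper names are hypothetical; the
environment variables, endpoint and form fields are the real workload
identity flow.  All tokens here are constructed, unsigned test data.
"""
import base64
import json
import os
import tempfile
import time
from urllib.parse import urlencode

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed sample values mirroring the walkthrough (not real identities).
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222"
TENANT_ID = "33333333-3333-3333-3333-333333333333"


def build_token_request(env, scope):
    """Return (url, form_body) that exchanges the pod's projected service
    account token for an Entra ID access token.  `env` is any mapping such
    as os.environ; the three AZURE_* variables are injected by the webhook."""
    tenant = env["AZURE_TENANT_ID"]
    with open(env["AZURE_FEDERATED_TOKEN_FILE"], encoding="utf-8") as fh:
        federated_token = fh.read().strip()
    authority = env.get("AZURE_AUTHORITY_HOST", "https://login.microsoftonline.com/")
    url = f"{authority.rstrip('/')}/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": env["AZURE_CLIENT_ID"],
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": federated_token,   # the Kubernetes token is the credential
        "scope": scope,
    })
    return url, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED JWT (alg none) so the example runs offline.  Real
    tokens are signed by Entra ID or the cluster; this is constructed data."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.  Client-side
    inspection only: the API being called still validates the token, so this
    never proves the token is genuine, only which identity it was issued for."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token_identity(token, expected_client_id, expected_principal_id, now=None):
    """Return a list of problems (empty when the token belongs to our identity).
    Catches a mis-copied client ID: appid (v1 tokens) or azp (v2 tokens) must be
    our client ID, oid must be our principalId, and the token must not be expired."""
    now = time.time() if now is None else now
    claims = token_claims(token)
    problems = []
    app_id = claims.get("appid") or claims.get("azp")
    if app_id != expected_client_id:
        problems.append(f"token issued to client {app_id}, expected {expected_client_id}")
    if claims.get("oid") != expected_principal_id:
        problems.append(f"token principal {claims.get('oid')} is not {expected_principal_id}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def demo():
    """Simulate the pod: write a constructed projected token where the webhook
    would mount it, build the exchange request, then check a good and a wrong
    (constructed) access token as if Entra ID had returned them."""
    with tempfile.TemporaryDirectory() as tmp:
        token_path = os.path.join(tmp, "token")
        with open(token_path, "w", encoding="utf-8") as fh:
            fh.write(make_sample_token({
                "iss": "https://example-oidc-issuer.invalid/",   # placeholder for the AKS OIDC issuer URL
                "sub": "system:serviceaccount:example-namespace:my-app-sa",
                "aud": "api://AzureADTokenExchange",
            }))
        env = {"AZURE_CLIENT_ID": CLIENT_ID, "AZURE_TENANT_ID": TENANT_ID,
               "AZURE_FEDERATED_TOKEN_FILE": token_path}
        url, body = build_token_request(env, "https://vault.azure.net/.default")
    exp = int(time.time()) + 3600
    good = make_sample_token({"appid": CLIENT_ID, "oid": PRINCIPAL_ID, "exp": exp})
    wrong = make_sample_token({"appid": "99999999-9999-9999-9999-999999999999",
                               "oid": PRINCIPAL_ID, "exp": exp})
    return (url, body, check_token_identity(good, CLIENT_ID, PRINCIPAL_ID),
            check_token_identity(wrong, CLIENT_ID, PRINCIPAL_ID))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the script prints the token endpoint for the sample tenant, the URL-encoded form body (note that the only credential in it is the short-lived Kubernetes token), an empty problem list for the matching token and a one-item list for the token issued to the wrong client ID. In a real pod the same request is what az login sends; the claim check is worth running once at startup so a mis-pasted client ID fails fast with a clear message rather than as an unexplained 403 from Key Vault or Storage.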
Summary
Create a user-assigned managed identity in Azure with az identity create.
Attach the managed identity to your Kubernetes pod in the pod manifest.
Deploy the pod and verify it is running with kubectl commands.
Use az login inside the pod with the managed identity to authenticate securely.