
How to Use Managed Identity in Azure App Service

To use managed identity in Azure App Service, first enable the identity in the App Service settings. Then, use Azure SDKs or REST APIs within your app to request tokens for accessing Azure resources securely without storing credentials.

Syntax

Enable managed identity in your Azure App Service and use the following pattern to get an access token:

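  • IDENTITY_ENDPOINT: Environment variable holding the URL to request tokens from.
  • IDENTITY_HEADER: Environment variable holding the secret value to send in the X-IDENTITY-HEADER header.
  • Send an HTTP GET to ${IDENTITY_ENDPOINT}?resource={resource}&api-version=2019-08-01 with the X-IDENTITY-HEADER header set to that value.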
  • Use the returned token to authenticate Azure SDK clients or REST calls.
javascript
const axios = require('axios');

const resource = 'https://management.azure.com/';
const identityEndpoint = process.env.IDENTITY_ENDPOINT;
const identityHeader = process.env.IDENTITY_HEADER;

async function getAccessToken() {
  const response = await axios.get(`${identityEndpoint}?resource=${encodeURIComponent(resource)}&api-version=2019-08-01`, {
    headers: { 'X-IDENTITY-HEADER': identityHeader }
  });
  return response.data.access_token;
}

Example

This example assumes system-assigned managed identity is already enabled on the App Service, and shows a Node.js app using it to get an access token for Azure Key Vault.

javascript
const axios = require('axios');

async function getToken() {
  const resource = 'https://vault.azure.net';
  const identityEndpoint = process.env.IDENTITY_ENDPOINT;
  const identityHeader = process.env.IDENTITY_HEADER;

  const response = await axios.get(`${identityEndpoint}?resource=${encodeURIComponent(resource)}&api-version=2019-08-01`, {
    headers: { 'X-IDENTITY-HEADER': identityHeader }
  });

  return response.data.access_token;
}

(async () => {
  try {
    const token = await getToken();
    console.log('Access token:', token.substring(0, 20) + '...');
  } catch (error) {
    console.error('Error getting token:', error.message);
  }
})();
Output
Access token: eyJ0eXAiOiJKV1QiLCJhbGci...

Common Pitfalls

  • Not enabling managed identity in the App Service settings before using it.
  • Using an incorrect resource URI when requesting tokens (it must match the Azure service being called).
  • Ignoring the environment variables IDENTITY_ENDPOINT and IDENTITY_HEADER, which are required for token requests.
  • Trying to use managed identity locally, outside the Azure environment (use Azure CLI or Visual Studio credentials instead).
javascript
/* Wrong: Trying to call Azure resource without token */
const axios = require('axios');

async function callResource() {
  // Missing token request
  const response = await axios.get('https://management.azure.com/subscriptions?api-version=2020-01-01');
  return response.data;
}

/* Right: Get token first, then call resource */
async function callResourceWithToken(token) {
  const response = await axios.get('https://management.azure.com/subscriptions?api-version=2020-01-01', {
    headers: { Authorization: `Bearer ${token}` }
  });
  return response.data;
}
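
The pitfalls above (missing identity variables, running outside Azure) can be handled in one helper that also avoids requesting a new token on every call. This is an added example, not code from the original page: the helper names are hypothetical, and the `expires_on` response field (Unix seconds) is an assumption about the endpoint's JSON response.

```javascript
// Added example: helper names are hypothetical; expires_on (Unix seconds) is an assumed field.
const API_VERSION = '2019-08-01';  // same api-version as the page's snippets
const REFRESH_SKEW_SECONDS = 300;  // assumption: refresh 5 minutes before expiry

// Build the request; fail fast when the identity variables are missing (not enabled, or local run).
function buildTokenRequest(resource, env = process.env) {
  const { IDENTITY_ENDPOINT, IDENTITY_HEADER } = env;
  if (!IDENTITY_ENDPOINT || !IDENTITY_HEADER) {
    throw new Error('Managed identity unavailable: IDENTITY_ENDPOINT / IDENTITY_HEADER not set');
  }
  const url = new URL(IDENTITY_ENDPOINT);
  url.searchParams.set('resource', resource);
  url.searchParams.set('api-version', API_VERSION);
  return { url: url.toString(), headers: { 'X-IDENTITY-HEADER': IDENTITY_HEADER } };
}

// Validate the response body and keep only what the cache needs.
function parseTokenResponse(body) {
  const expiresOn = Number(body && body.expires_on);
  const tokenOk = Boolean(body) && typeof body.access_token === 'string' && body.access_token !== '';
  if (!tokenOk || !Number.isFinite(expiresOn)) throw new Error('Unexpected token response shape');
  return { token: body.access_token, expiresOn };
}

// A cached token is reused only while it is comfortably inside its lifetime.
function isFresh(entry, nowSeconds) {
  return Boolean(entry) && entry.expiresOn - nowSeconds > REFRESH_SKEW_SECONDS;
}

// Default transport (Node 18+ global fetch). Errors carry the status only, never the body.
async function defaultHttpGet(url, headers) {
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`Token request failed with HTTP ${res.status}`);
  return res.json();
}

// Returns getToken(resource) with one cache entry per resource URI; httpGet is injectable.
function createTokenProvider(httpGet = defaultHttpGet, now = () => Math.floor(Date.now() / 1000)) {
  const cache = new Map();
  return async function getToken(resource) {
    const cached = cache.get(resource);
    if (isFresh(cached, now())) return cached.token;
    const { url, headers } = buildTokenRequest(resource);
    const entry = parseTokenResponse(await httpGet(url, headers));
    cache.set(resource, entry);
    return entry.token;
  };
}
```

Create the provider once at startup (`const getToken = createTokenProvider();`) and call `await getToken('https://vault.azure.net')` wherever a token is needed, passing the result only in the Authorization header rather than to logs.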

Quick Reference

  • Enable managed identity in Azure Portal under your App Service > Identity.
  • Use environment variables IDENTITY_ENDPOINT and IDENTITY_HEADER to request tokens.
  • Request token for the exact Azure resource URI you want to access.
  • Use the token in the Authorization header as Bearer <token>.
  • Managed identity works only inside the Azure environment; use local credentials for development.

Key Takeaways

  • Enable managed identity in your Azure App Service before using it.
  • Use environment variables IDENTITY_ENDPOINT and IDENTITY_HEADER to request access tokens.
  • Request tokens for the specific Azure resource URI you want to access.
  • Use the access token in Authorization headers to authenticate requests.
  • Managed identity works only inside Azure; use other credentials for local development.