Authenticate to Azure on Dapr Docs

Authenticating to Azure

Mon, 01 Jan 0001 00:00:00 +0000

About authentication with Microsoft Entra ID

Microsoft Entra ID is Azure’s identity and access management (IAM) solution, which is used to authenticate and authorize users and services. It’s built on top of open standards such OAuth 2.0, which allows services (applications) to obtain access tokens to make requests to Azure services, including Azure Storage, Azure Service Bus, Azure Key Vault, Azure Cosmos DB, Azure Database for Postgres, Azure SQL, etc.

How to: Use workload identity federation

Mon, 01 Jan 0001 00:00:00 +0000

This guide will help you configure your Kubernetes cluster to run Dapr with Azure workload identity federation.

What is it?

Workload identity federation is a way for your applications to authenticate to Azure without having to store or manage credentials as part of your releases.

By using workload identity federation, any Dapr components running on Kubernetes and AKS that target Azure can authenticate transparently with no extra configuration.

Guide

We’ll show how to configure an Azure Key Vault resource against your AKS cluster. You can adapt this guide for different Dapr Azure components by substituting component definitions as necessary.

How to: Generate a new Microsoft Entra ID application and Service Principal

Mon, 01 Jan 0001 00:00:00 +0000

Prerequisites

An Azure subscription
Azure CLI
jq
OpenSSL (included by default on all Linux and macOS systems, as well as on WSL)
Make sure you’re using a bash or zsh shell

Log into Azure using the Azure CLI

In a new terminal, run the following command:

az login
az account set -s [your subscription id]

Create an Microsoft Entra ID application

Create the Microsoft Entra ID application with:

# Friendly name for the application / Service Principal
APP_NAME="dapr-application"

# Create the app
APP_ID=$(az ad app create --display-name "${APP_NAME}" | jq -r .appId)

Select how you’d prefer to pass credentials.

How to: Use managed identities

Mon, 01 Jan 0001 00:00:00 +0000

Using managed identities, authentication happens automatically by virtue of your application running on top of an Azure service that has either a system-managed or a user-assigned identity.

To get started, you need to enable a managed identity as a service option/functionality in various Azure services, independent of Dapr. Enabling this creates an identity (or application) under the hood for Microsoft Entra ID (previously Azure Active Directory ID) purposes.

Your Dapr services can then leverage that identity to authenticate with Microsoft Entra ID, transparently and without you having to specify any credentials.