Create a Container Instance Managed Identity in Logic Apps
After the announcement by Microsoft 365 CLI: Run in Docker I decided it was time to learn a bit more on how it all works. The goal was to work with docker containers in an Azure Container Instance to see if we could run some of our ‘automation’ in a container in the cloud. So after catching up on some Microsoft Learn and a sample on sentiment analysis I figured out the first step was to work with Managed Identity.
Managed Identity
Managed Identity is supported by both Logic Apps and Azure Container Instances. They are still in preview, but do provide some great advantages:
- There is no need to manage credentials, and credentials are not even accessible to you.
- Authenticate to any Azure service that supports Azure AD authentication.
- Managed identities are free.
Logic Apps
Using the create or update container instance action you can add the managed identity parameters. You will need to add them explicitly because by default they are omitted. If you choose to add them, you can select either the UserAssigned or the SystemAssigned option. In my case I wanted to go with UserAssigned.
I did however get confused with the user object that needed to be passed. According to the documentation it should look like the following snippet.
"/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.managedidentity/userassignedidentities/{identityName}"
Yet if you add that you get an invalid JSON error while saving the Logic App. I couldn’t find any documentation that explained how to create it. But I found that if you use the peek code option on the Logic App action you can see the exact request. It’s just a piece of ARM template, so that was something I could search for. The exact syntax that you need to pass is the following snippet.
{
"/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.managedidentity/userassignedidentities/{identityName}": {}
}
If you ever need to add multiple user managed identities you can easily use the following, as it is just an array:
{
"/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.managedidentity/userassignedidentities/{identityName1}": {},
"/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.managedidentity/userassignedidentities/{identityName2}": {}
}
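As an added example (not part of the original post and not Microsoft's code), the Python below checks a value before it is pasted into the action: it accepts only a JSON object keyed by identity resource ID, each with `{}` as its value, and flags the bare string form, a trailing comma, and a repeated identity. The function names and the sample IDs are constructed for illustration.

```python
import json
import re

# Resource ID shape shown in the post; Azure resource IDs are case-insensitive.
RESOURCE_ID = re.compile(
    r"^/subscriptions/[^/]+/resourcegroups/[^/]+"
    r"/providers/microsoft\.managedidentity/userassignedidentities/[^/]+$",
    re.IGNORECASE,
)

# Constructed sample IDs (not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo"
ID_A = SUB + "/providers/microsoft.managedidentity/userassignedidentities/id-demo-a"
ID_B = SUB + "/providers/microsoft.managedidentity/userassignedidentities/id-demo-b"


def build_identities(resource_ids):
    """Build the object form: every resource ID is a key whose value is {}."""
    result = {}
    for rid in resource_ids:
        if not RESOURCE_ID.match(rid):
            raise ValueError(f"not a user-assigned identity resource ID: {rid!r}")
        result[rid] = {}
    return result


def check_identities(raw):
    """Return the problems in a pasted value; an empty list means it is usable."""
    objects = []
    def keep_pairs(items):
        # Runs for every JSON object, innermost first; duplicate keys stay visible.
        objects.append(items)
        return dict(items)
    try:
        value = json.loads(raw, object_pairs_hook=keep_pairs)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(value, dict):
        return [f"expected an object keyed by resource ID, got {type(value).__name__}"]
    problems, seen = [], set()
    for key, val in objects[-1]:  # last entry is the top-level object
        if not RESOURCE_ID.match(key):
            problems.append(f"key is not an identity resource ID: {key}")
        if val != {}:  # the post's working form uses {} for every value
            problems.append(f"value for {key} should be {{}}")
        if key.lower() in seen:
            problems.append(f"duplicate identity: {key}")
        seen.add(key.lower())
    return problems
```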
I hate to admit that it took me quite some time to figure out what the correct syntax was. But once I did get it right it all made some sense. Next time I will be working with Azure Container Instances I guess it makes some sense to create them through the UI or using the az commands. That way I can later export them using the GUI to match the results that the Logic App is sending…