articles/azure-signalr/howto-use-managed-identity.md
Lines changed: 8 additions & 8 deletions
@@ -15,7 +15,7 @@ In Azure SignalR Service, you can use a managed identity from Azure Active Direc
15
15
- Obtain access tokens
16
16
- Access secrets in Azure Key Vault
17
17
18
-
The service supports only one managed identity, so you can create either a system-assigned or user-assigned identity. A system-assigned identity is dedicated to your SignalR instance and is deleted when you delete the instance. A user-assigned identity is managed independently of your SignalR resource.
18
+
The service supports only one managed identity; you can create either a system-assigned or user-assigned identity. A system-assigned identity is dedicated to your SignalR instance and is deleted when you delete the instance. A user-assigned identity is managed independently of your SignalR resource.
19
19
20
20
This article shows you how to create a managed identity for Azure SignalR Service and how to use it in serverless scenarios.
21
21
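Review bot: On the changed sentence at line 18, replacing ", so" with a semicolon removes the causal link and leaves two loosely connected clauses. Consider "The service supports only one managed identity, either system-assigned or user-assigned." so the constraint and the choice read as one statement.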
@@ -44,6 +44,8 @@ To add a system-managed identity to your SignalR instance:
44
44
45
45
:::image type="content" source="media/signalr-howto-use-managed-identity/system-identity-portal.png" alt-text="Add a system-assigned identity in the portal":::
46
46
47
+
1. Select **Yes** to confirm the change.
48
+
47
49
### Add a user-assigned identity
48
50
49
51
To add a user-assigned identity to your SignalR instance, you need to create the identity then add it to your service.
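Review bot: The added step at line 47, "Select **Yes** to confirm the change", does not say what is being confirmed. Name the action, for example "Select **Yes** to confirm enabling the system-assigned identity". Also check that the `:::image` line above it is indented under its list item, otherwise this `1.` starts a new list instead of continuing the procedure.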
@@ -60,7 +62,7 @@ To add a user-assigned identity to your SignalR instance, you need to create the
60
62
61
63
Azure SignalR Service is a fully managed service. It uses a managed identity to obtain an access token. In serverless scenarios, the service adds the access token into the `Authorization` header in an upstream request.
62
64
> [!NOTE]
63
-
> Is this a specific type of upstream request? If so, we should say so.
65
+
> QUESTION: Is this a specific type of upstream request? If so, we should say so.
64
66
65
67
### Enable managed identity authentication in upstream settings
66
68
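Review bot: The changed line at 65 keeps an unresolved author question inside a `[!NOTE]` callout, so it would render to readers as published guidance. Answer it in the paragraph above by stating which upstream requests carry the access token in the `Authorization` header, then delete the callout, or move the question to the PR discussion before merging.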
@@ -71,7 +73,7 @@ Once you've added a [system-assigned identity](#add-a-system-assigned-identity)
71
73
1. Select the **Serverless** service mode.
72
74
1. Enter the upstream URL pattern in the **Add an upstream URL pattern** text box.
73
75
> [!NOTE]
74
-
> Where do I get the upstream URL pattern?
76
+
> QUESTION: Where do I get the upstream URL pattern?
75
77
1. Select Add one Upstream Setting and select any asterisk to get into a detailed page as shown below.
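Review bot: Line 76 is another open QUESTION rendered in a `[!NOTE]` under the URL pattern step; prefixing it does not fix it. Replace it with the answer, for example a pointer to concept-upstream.md, which this article already links to in the Key Vault section. In the unchanged step at line 77, "Add one Upstream Setting" is a UI label and should be bold like **Serverless** and **Add an upstream URL pattern**.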
@@ -86,7 +88,7 @@ Once you've added a [system-assigned identity](#add-a-system-assigned-identity)
86
88
- Resource ID of an Azure service (For a list of Azure services that support managed identities, see [Azure services that support managed identities](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication).)
87
89
88
90
> [!NOTE]
89
-
> If you validate an access token by yourself in your service, you can choose any one of the resource formats. Just make sure that the **Resource** value in **Auth** settings and the validation are consistent. If you use Azure role-based access control (Azure RBAC) for a data plane, you must use the resource that the service provider requests.
91
+
> If you manually validate an access token your service, you can choose any one of the resource formats. Make sure that the **Resource** value in **Auth** settings and the validation are consistent. When you use Azure role-based access control (Azure RBAC) for a data plane, you must use the resource format that the service provider requests.
90
92
91
93
### Validate access tokens
92
94
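Review bot: The rewritten note at line 91 drops a preposition: "If you manually validate an access token your service" should read "an access token in your service". The rest of the rewording keeps the original meaning, including the requirement that the **Resource** value in **Auth** settings and the validation stay consistent.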
@@ -111,11 +113,11 @@ You can easily set access validation for a Function App without code changes usi
111
113
1. go to **Upstream settings** in SignalR Service and choose **Use Managed Identity** and **Select from existing Applications**. Select the application you created previously.
112
114
113
115
> [!NOTE]
114
-
> What application was created previously? The Function App?
116
+
> QUESTION: What application was created previously? The Function App?
115
117
116
118
After configuring these settings, the Function App will reject requests without an access token in the header.
117
119
118
-
> [!Important]
120
+
> [!IMPORTANT]
119
121
> To pass the authentication, the *Issuer Url* must match the *iss* claim in token. Currently, we only support v1 endpoint (see [v1.0 and v2.0](../active-directory/develop/access-tokens.md)).
120
122
121
123
To verify the *Issuer Url* format in your Function app:
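Review bot: Line 116 leaves a third open QUESTION in a `[!NOTE]`. The step at line 113 says "the application you created previously" without naming it, so fix the step itself by naming the application and linking to where it is created, then remove the callout. That step should also start with a capital "Go". The `[!IMPORTANT]` casing change at line 120 is correct.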
@@ -127,7 +129,6 @@ To verify the *Issuer Url* format in your Function app:
127
129
1. Select **Issuer Url**.
128
130
1. Verify that the *Issuer Url* has the format `https://sts.windows.net/<tenant-id>/`.
129
131
130
-
131
132
## Use a managed identity for Key Vault reference
132
133
133
134
SignalR Service can access Key Vault to get secrets using the managed identity.
@@ -137,7 +138,6 @@ SignalR Service can access Key Vault to get secrets using the managed identity.
137
138
138
139
Currently, this feature can be used to [Reference secret in Upstream URL Pattern](./concept-upstream.md#key-vault-secret-reference-in-url-template-settings)
139
140
140
-
141
141
## Next steps
142
142
143
143
-[Azure Functions development and configuration with Azure SignalR Service](signalr-concept-serverless-development-config.md)
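Review bot: The unchanged sentence at line 139, "Currently, this feature can be used to [Reference secret in Upstream URL Pattern]", has no closing period and title-cases the link text mid-sentence. While touching this section, consider lower-casing the link text to "reference a secret in the upstream URL pattern" and ending the sentence with a period.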