Merge pull request #192749 from jiec-msft/mason/app_msi

[Spring-cloud] App managed identities

Author: v-regandowner

articles/spring-cloud/how-to-enable-system-assigned-managed-identity.md

@@ -6,7 +6,7 @@ author: karlerickson
 ms.author: xiading
 ms.service: spring-cloud
 ms.topic: how-to
-ms.date: 02/09/2022
+ms.date: 04/15/2022
 ms.custom: devx-track-java, devx-track-azurecli
 zone_pivot_groups: spring-cloud-tier-selection
 ---
@@ -26,22 +26,24 @@ If you're unfamiliar with managed identities for Azure resources, see the [Manag
 ::: zone pivot="sc-enterprise-tier"
 
 - An already provisioned Azure Spring Cloud Enterprise tier instance. For more information, see [Quickstart: Provision an Azure Spring Cloud service instance using the Enterprise tier](quickstart-provision-service-instance-enterprise.md).
-- [Azure CLI version 2.0.67 or later](/cli/azure/install-azure-cli).
-- [!INCLUDE [install-enterprise-extension](includes/install-enterprise-extension.md)]
+- [Azure CLI version 2.30.0 or higher](/cli/azure/install-azure-cli).
+- [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)]
 
 ::: zone-end
 
 ::: zone pivot="sc-standard-tier"
 
 - An already provisioned Azure Spring Cloud instance. For more information, see [Quickstart: Deploy your first application to Azure Spring Cloud](./quickstart.md).
+- [Azure CLI version 2.30.0 or higher](/cli/azure/install-azure-cli).
+- [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)]
 
 ::: zone-end
 
 ## Add a system-assigned identity
 
 Creating an app with a system-assigned identity requires setting an additional property on the application.
 
-# [Portal](#tab/azure-portal)
+### [Portal](#tab/azure-portal)
 
 To set up a managed identity in the portal, first create an app, and then enable the feature.
 
@@ -50,13 +52,13 @@ To set up a managed identity in the portal, first create an app, and then enable
 3. Select **Identity**.
 4. Within the **System assigned** tab, switch **Status** to *On*. Select **Save**.
 
-![Managed identity in portal](./media/enterprise/msi/msi-enable.png)
+:::image type="content" source="media/enterprise/msi/msi-enable.png" alt-text="Azure portal screenshot showing the Identity screen for an application." lightbox="media/enterprise/msi/msi-enable.png":::
 
-# [Azure CLI](#tab/azure-cli)
+### [Azure CLI](#tab/azure-cli)
 
 You can enable system-assigned managed identity during app creation or on an existing app.
 
-**Enable system-assigned managed identity during creation of an app**
+### Enable system-assigned managed identity during creation of an app
 
 The following example creates an app named *app_name* with a system-assigned managed identity, as requested by the `--assign-identity` parameter.
 
@@ -65,18 +67,19 @@ az spring-cloud app create \
     --resource-group <resource-group-name> \
     --name <app-name> \
     --service <service-instance-name> \
-    --assign-identity
+    --system-assigned
 ```
 
-**Enable system-assigned managed identity on an existing app**
+### Enable system-assigned managed identity on an existing app**
 
 Use `az spring-cloud app identity assign` command to enable the system-assigned identity on an existing app.
 
 ```azurecli
 az spring-cloud app identity assign \
     --resource-group <resource-group-name> \
     --name <app-name> \
-    --service <service-instance-name>
+    --service <service-instance-name> \
+    --system-assigned
 ```
 
 ---
@@ -93,25 +96,34 @@ Azure Spring Cloud shares the same endpoint for token acquisition with Azure Vir
 
 Removing a system-assigned identity will also delete it from Azure AD. Deleting the app resource automatically removes system-assigned identities from Azure AD.
 
-# [Portal](#tab/azure-portal)
+### [Portal](#tab/azure-portal)
 
 To remove system-assigned managed identity from an app that no longer needs it:
 
 1. Sign in to the portal using an account associated with the Azure subscription that contains the Azure Spring Cloud instance.
 1. Navigate to the desired application and select **Identity**.
 1. Under **System assigned**/**Status**, select **Off** and then select **Save**:
 
-![Managed identity](./media/enterprise/msi/msi-disable.png)
+:::image type="content" source="media/enterprise/msi/msi-disable.png" alt-text="Azure portal screenshot showing the Identity screen for an application, with the Status switch set to Off." lightbox="media/enterprise/msi/msi-disable.png":::
 
-# [Azure CLI](#tab/azure-cli)
+### [Azure CLI](#tab/azure-cli)
 
 To remove system-assigned managed identity from an app that no longer needs it, use the following command:
 
 ```azurecli
 az spring-cloud app identity remove \
     --resource-group <resource-group-name> \
     --name <app-name> \
-    --service <service-instance-name>
+    --service <service-instance-name> \
+    --system-assigned
+```
+
+## Get the client ID from the object ID (principal ID)
+
+Use the following command to get the client ID from the object/principle ID value:
+
+```azurecli
+az ad sp show --id <object-ID> --query appId
 ```
 
 ---

articles/spring-cloud/how-to-manage-user-assigned-managed-identities.md

@@ -118,8 +118,7 @@ az spring-cloud app identity remove \
 
 For user-assigned managed identity limitations, see [Quotas and service plans for Azure Spring Cloud](./quotas.md).
 
-
 ## Next steps
 
-* [Learn more about managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)
-* [How to use managed identities with Java SDK](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples)
+- [Learn more about managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)
+- [How to use managed identities with Java SDK](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples)

articles/spring-cloud/how-to-use-managed-identities.md

@@ -0,0 +1,89 @@
+---
+title: Managed identities for applications in Azure Spring Cloud
+titleSuffix: Azure Spring Cloud Enterprise Tier
+description: Home page for managed identities for applications.
+author: karlerickson
+ms.author: jiec
+ms.service: spring-cloud
+ms.topic: how-to
+ms.date: 04/15/2022
+ms.custom: devx-track-java, devx-track-azurecli
+zone_pivot_groups: spring-cloud-tier-selection
+---
+
+# Use managed identities for applications in Azure Spring Cloud
+
+**This article applies to:** ✔️ Basic/Standard tier ✔️ Enterprise tier
+
+This article shows you how to use system-assigned and user-assigned managed identities for applications in Azure Spring Cloud.
+
+Managed identities for Azure resources provide an automatically managed identity in Azure Active Directory (Azure AD) to an Azure resource such as your application in Azure Spring Cloud. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
+
+## Feature status
+
+| System-assigned | User-assigned |
+| -               | -             |
+| GA              | Preview       |
+
+## Manage managed identity for an application
+
+For system-assigned managed identities, see [How to enable and disable system-assigned managed identity](./how-to-enable-system-assigned-managed-identity.md).
+
+For user-assigned managed identities, see [How to assign and remove user-assigned managed identities](./how-to-manage-user-assigned-managed-identities.md).
+
+## Obtain tokens for Azure resources
+
+An application can use its managed identity to get tokens to access other resources protected by Azure AD, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.
+
+You may need to configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Azure Active Directory tokens, see [Azure services that support Azure AD authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md).
+
+Azure Spring Cloud shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples and guidance on important topics such as handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md).
+
+## Examples of connecting Azure services in application code
+
+The following table provides links to articles that contain examples:
+
+| Azure service   | tutorial                                                                                                                              |
+|-----------------|---------------------------------------------------------------------------------------------------------------------------------------|
+| Key Vault       | [Tutorial: Use a managed identity to connect Key Vault to an Azure Spring Cloud app](tutorial-managed-identities-key-vault.md)        |
+| Azure Functions | [Tutorial: Use a managed identity to invoke Azure Functions from an Azure Spring Cloud app](tutorial-managed-identities-functions.md) |
+| Azure SQL       | [Use a managed identity to connect Azure SQL Database to an Azure Spring Cloud app](connect-managed-identity-to-azure-sql.md)         |
+
+## Best practices when using managed identities
+
+We highly recommend that you use system-assigned and user-assigned managed identities separately unless you have a valid use case. If you use both kinds of managed identity together, failure might happen if an application is using system-assigned managed identity and the application gets the token without specifying the client ID of that identity. This scenario may work fine until one or more user-assigned managed identities are assigned to that application, then the application may fail to get the correct token.
+
+## Limitations
+
+### Maximum number of user-assigned managed identities per application
+
+For the maximum number of user-assigned managed identities per application, see [Quotas and Service Plans for Azure Spring Cloud](./quotas.md).
+
+### Azure services that aren't supported
+
+The following services do not currently support managed identity-based access:
+
+- Azure Redis Cache
+- Azure Flexible MySQL
+- Azure Flexible PostgreSQL
+- Azure Database for MariaDB
+- Azure Cosmos DB - Mongo DB
+- Azure Cosmos DB - Cassandra
+- Azure Databricks
+
+---
+
+## Concept mapping
+
+The following table shows the mappings between concepts in Managed Identity scope and Azure AD scope:
+
+| Managed Identity scope | Azure AD scope |
+|------------------------|----------------|
+| Principal ID           | Object ID      |
+| Client ID              | Application ID |
+
+## Next steps
+
+- [Access Azure Key Vault with managed identities in Spring boot starter](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-starter-keyvault-secrets/README.md#use-msi--managed-identities)
+- [Learn more about managed identities for Azure resources](https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/managed-identities-azure-resources/overview.md)
+- [How to use managed identities with Java SDK](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples)

articles/spring-cloud/media/tutorial-managed-identities-key-vault/app-user-managed-identity-key-vault.png

@@ -9,27 +9,27 @@ ms.author: karler
 ms.custom: devx-track-java
 ---
 
-# Quotas and Service Plans for Azure Spring Cloud
+# Quotas and service plans for Azure Spring Cloud
 
 **This article applies to:** ✔️ Java ✔️ C#
 
 **This article applies to:** ✔️ Basic/Standard tier ✔️ Enterprise tier
 
-All Azure services set default limits and quotas for resources and features.   Azure Spring Cloud offers two pricing tiers: Basic and Standard. We will detail limits for both tiers in this article.
+All Azure services set default limits and quotas for resources and features. Azure Spring Cloud offers two pricing tiers: Basic and Standard. We will detail limits for both tiers in this article.
 
 ## Azure Spring Cloud service tiers and limits
 
-| Resource                             | Scope                                   | Basic              | Standard/Enterprise |
-|--------------------------------------|-----------------------------------------|--------------------|---------------------|
-| vCPU                                 | per app instance                        | 1                  | 4                   |
-| Memory                               | per app instance                        | 2 GB               | 8 GB                |
-| Azure Spring Cloud service instances | per region per subscription             | 10                 | 10                  |
-| Total app instances                  | per Azure Spring Cloud service instance | 25                 | 500                 |
-| Custom Domains                       | per Azure Spring Cloud service instance | 0                  | 25                  |
-| Persistent volumes                   | per Azure Spring Cloud service instance | 1 GB/app x 10 apps | 50 GB/app x 10 apps |
-| Inbound Public Endpoints             | per Azure Spring Cloud service instance | 10 <sup>1</sup>    | 10 <sup>1</sup>     |
+| Resource                             | Scope                                   | Basic              | Standard/Enterprise                             |
+|--------------------------------------|-----------------------------------------|--------------------|-------------------------------------------------|
+| vCPU                                 | per app instance                        | 1                  | 4                                               |
+| Memory                               | per app instance                        | 2 GB               | 8 GB                                            |
+| Azure Spring Cloud service instances | per region per subscription             | 10                 | 10                                              |
+| Total app instances                  | per Azure Spring Cloud service instance | 25                 | 500                                             |
+| Custom Domains                       | per Azure Spring Cloud service instance | 0                  | 25                                              |
+| Persistent volumes                   | per Azure Spring Cloud service instance | 1 GB/app x 10 apps | 50 GB/app x 10 apps                             |
+| Inbound Public Endpoints             | per Azure Spring Cloud service instance | 10 <sup>1</sup>    | 10 <sup>1</sup>                                 |
 | Outbound Public IPs                  | per Azure Spring Cloud service instance | 1 <sup>2</sup>     | 2 <sup>2</sup> <br> 1 if using VNet<sup>2</sup> |
-| User-assigned managed identities     | per app instance                        | 20                 | 20                  |
+| User-assigned managed identities     | per app instance                        | 20                 | 20                                              |
 
 <sup>1</sup> You can increase this limit via support request to a maximum of 1 per app.
 

articles/spring-cloud/quotas.md

@@ -204,6 +204,8 @@ items:
       href: troubleshooting-vnet.md
   - name: Secure
     items:
+    - name: Use managed identities for applications in Azure Spring Cloud
+      href: how-to-use-managed-identities.md
     - name: Enable system-assigned managed identity
       href: how-to-enable-system-assigned-managed-identity.md
     - name: Manage user-assigned managed identities