| title | Managed Identity |
|---|---|
| description | Get started with Azure Managed Identity on LocalStack |
| template | doc |
Azure Managed Identity provides identities for Azure resources so applications can authenticate without storing credentials in code. It supports user-assigned identities (standalone resources) and system-assigned identities (bound to a resource lifecycle). Managed identities are commonly used to access Azure services securely from apps and automation workflows.
LocalStack for Azure allows you to build and test Managed Identity workflows in your local environment. The supported APIs are listed in our API Coverage section, which shows the extent of Managed Identity's integration with LocalStack.
This guide is designed for users new to Managed Identity and assumes basic knowledge of the Azure CLI and our azlocal wrapper script.
Start your LocalStack container using your preferred method. Then start CLI interception:

```bash
azlocal start_interception
```

Create a resource group for the identity resources:

```bash
az group create \
  --name rg-managedidentity-demo \
  --location westeurope
```

```json
{
  "name": "rg-managedidentity-demo",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo",
  "location": "westeurope",
  "properties": {
    "provisioningState": "Succeeded"
  },
  ...
}
```

Create a user-assigned identity:

```bash
az identity create \
  --name mi-doc77 \
  --resource-group rg-managedidentity-demo \
  --location westeurope \
  --tags environment=test
```

```json
{
  "name": "mi-doc77",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-doc77",
  "location": "westeurope",
  "principalId": "a55f8986-0187-48fd-ac82-e87db6b80376",
  "clientId": "216de8da-baf0-4403-925d-ac69c6ad67e3",
  "tenantId": "00000000-0000-0000-0000-000000000000",
  "tags": {
    "environment": "test"
  },
  ...
}
```

Get the identity:

```bash
az identity show \
  --name mi-doc77 \
  --resource-group rg-managedidentity-demo
```

```json
{
  "name": "mi-doc77",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-doc77",
  "principalId": "a55f8986-0187-48fd-ac82-e87db6b80376",
  "clientId": "216de8da-baf0-4403-925d-ac69c6ad67e3",
  "tags": {
    "environment": "test"
  },
  ...
}
```

List identities by resource group:

```bash
az identity list --resource-group rg-managedidentity-demo
```

```json
[
  {
    "name": "mi-doc77",
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-doc77",
    "resourceGroup": "rg-managedidentity-demo",
    "tags": {"environment": "test"},
    ...
  }
]
```

List identities by subscription:

```bash
az identity list
```

```json
[
  {
    "name": "mi-doc77",
    "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
    "resourceGroup": "rg-managedidentity-demo",
    ...
  }
]
```

Update identity tags:

```bash
az identity update \
  --name mi-doc77 \
  --resource-group rg-managedidentity-demo \
  --tags environment=dev
```

```json
{
  "name": "mi-doc77",
  "tags": {
    "environment": "dev"
  },
  ...
}
```

Delete the identity and verify it no longer appears in the resource group:

```bash
az identity delete --name mi-doc77 --resource-group rg-managedidentity-demo
az identity list --resource-group rg-managedidentity-demo
```

```json
[]
```

Create an App Service plan and a Web App:

```bash
az appservice plan create \
  --name asp-doc77 \
  --resource-group rg-managedidentity-demo \
  --location westeurope \
  --sku F1
az webapp create \
  --name ls-app-doc77 \
  --resource-group rg-managedidentity-demo \
  --plan asp-doc77 \
  --runtime "PYTHON:3.11"
```

```json
{
  "name": "asp-doc77",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo/providers/Microsoft.Web/serverfarms/asp-doc77",
  "location": "westeurope",
  "provisioningState": "Succeeded",
  ...
}
{
  "name": "ls-app-doc77",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo/providers/Microsoft.Web/sites/ls-app-doc77",
  "type": "Microsoft.Web/sites",
  "location": "westeurope",
  ...
}
```

Assign a system-assigned identity to the web app:

```bash
az webapp identity assign \
  --name ls-app-doc77 \
  --resource-group rg-managedidentity-demo
```

```json
{
  "type": "SystemAssigned",
  "principalId": "78b44418-f917-4f3a-ac29-a9821d3d8e7c",
  "tenantId": "00000000-0000-0000-0000-000000000000",
  ...
}
```

Retrieve the system-assigned identity by scope:

```bash
SITE_ID=$(az webapp show --name ls-app-doc77 --resource-group rg-managedidentity-demo --query id -o tsv)
az rest --method get \
  --url "http://management.localhost.localstack.cloud:4566${SITE_ID}/providers/Microsoft.ManagedIdentity/identities/default?api-version=2024-11-30"
```

```json
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo/providers/microsoft.web/sites/ls-app-doc77",
  "name": "ls-app-doc77",
  "type": "microsoft.web/sites",
  "location": "westeurope",
  "properties": {
    "principalId": "78b44418-f917-4f3a-ac29-a9821d3d8e7c",
    "clientId": "4364940c-ede7-43d8-8043-3dbad79377ee",
    "tenantId": "00000000-0000-0000-0000-000000000000",
    ...
  }
}
```
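
An added example (not part of the LocalStack documentation): a Python check that the output of `az webapp identity assign` and the by-scope response describe the same principal for the same web app. The helper name `check_system_identity` and the embedded sample data, copied from the outputs above, are assumptions for illustration; the resource ID comparison is case-insensitive because the by-scope response returns `microsoft.web` in lowercase.

```python
import json

# Constructed sample data: values copied from the outputs shown on this page.
SITE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-managedidentity-demo/providers/Microsoft.Web/sites/ls-app-doc77")
ASSIGN_OUTPUT = json.loads("""{
  "type": "SystemAssigned",
  "principalId": "78b44418-f917-4f3a-ac29-a9821d3d8e7c",
  "tenantId": "00000000-0000-0000-0000-000000000000"
}""")
SCOPE_OUTPUT = json.loads("""{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo/providers/microsoft.web/sites/ls-app-doc77",
  "properties": {
    "principalId": "78b44418-f917-4f3a-ac29-a9821d3d8e7c",
    "clientId": "4364940c-ede7-43d8-8043-3dbad79377ee",
    "tenantId": "00000000-0000-0000-0000-000000000000"
  }
}""")


def check_system_identity(site_id, assigned, by_scope):
    """Hypothetical helper: list mismatches between the two identity views."""
    problems = []
    props = by_scope.get("properties", {})
    # The type may also read "SystemAssigned, UserAssigned" when both are set.
    if "SystemAssigned" not in assigned.get("type", ""):
        problems.append("web app has no system-assigned identity")
    # ARM resource IDs are case-insensitive; the by-scope response above
    # returns "microsoft.web" where `az webapp show` returns "Microsoft.Web".
    if by_scope.get("id", "").lower() != site_id.lower():
        problems.append("by-scope id does not match the web app id")
    for key in ("principalId", "tenantId"):
        left, right = assigned.get(key, ""), props.get(key, "")
        if not left or left.lower() != right.lower():
            problems.append(f"{key} differs: {left!r} vs {right!r}")
    if not props.get("clientId"):
        problems.append("by-scope response carries no clientId")
    return problems


if __name__ == "__main__":
    issues = check_system_identity(SITE_ID, ASSIGN_OUTPUT, SCOPE_OUTPUT)
    print("consistent" if not issues else "\n".join(issues))
```
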