add Azure Managed Identities service doc #464
Open
HarshCasper wants to merge 1 commit into azure-docs from
Conversation
Deploying localstack-docs
| Latest commit: | e9d79fa |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://f1d1793f.localstack-docs.pages.dev |
| Branch Preview URL: | https://harshmishra-doc-77.localstack-docs.pages.dev |
paolosalvatori approved these changes Apr 1, 2026
paolosalvatori left a comment
Hi @HarshCasper please review and integrate my comments, suggestions, and additions, thanks.
Comment on lines +11 to +13
| Azure Managed Identity provides identities for Azure resources so applications can authenticate without storing credentials in code. | ||
| It supports user-assigned identities (standalone resources) and system-assigned identities (bound to a resource lifecycle). | ||
| Managed identities are commonly used to access Azure services securely from apps and automation workflows. |
Suggested change
| Azure Managed Identity provides identities for Azure resources so applications can authenticate without storing credentials in code. | |
| It supports user-assigned identities (standalone resources) and system-assigned identities (bound to a resource lifecycle). | |
| Managed identities are commonly used to access Azure services securely from apps and automation workflows. | |
| Azure Managed Identity provides identities for Azure resources so applications can authenticate without storing credentials in code. The Azure platform supports two types of identities: | |
| - **System-assigned**: Tied directly to the lifecycle of a specific resource; when the resource is deleted, Azure automatically cleans up the identity. | |
| - **User-assigned**: Created as a standalone Azure resource that can be assigned to one or more instances, making it ideal for shared workloads and scale sets. | |
| Managed identities are commonly used to access Azure services securely from apps and automation workflows. For more information, see [What are managed identities for Azure resources?](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview). |
| It supports user-assigned identities (standalone resources) and system-assigned identities (bound to a resource lifecycle). | ||
| Managed identities are commonly used to access Azure services securely from apps and automation workflows. | ||
|
|
||
| LocalStack for Azure allows you to build and test Managed Identity workflows in your local environment. |
Suggested change
| LocalStack for Azure allows you to build and test Managed Identity workflows in your local environment. | |
| LocalStack for Azure allows you to build and emulate applications that make use of system-assigned or user-assigned Managed Identities directly in your local environment. This enables you to validate your secret-less authentication logic with high fidelity, ensuring your code is production-ready without needing to provision live cloud resources. |
Comment on lines +22 to +27
| Start your LocalStack container using your preferred method. | ||
| Then start CLI interception: | ||
|
|
||
| ```bash | ||
| azlocal start_interception | ||
| ``` |
Suggested change
| Start your LocalStack container using your preferred method. | |
| Then start CLI interception: | |
| ```bash | |
| azlocal start_interception | |
| ``` | |
| Launch LocalStack using your preferred method. For more information, see [Introduction to LocalStack for Azure](/azure/getting-started/). Once the container is running, enable Azure CLI interception by running: | |
| ```bash | |
| azlocal start-interception | |
| ``` | |
| :::note | |
| As an alternative to using the `azlocal` CLI, users can run: | |
| `azlocal start-interception` | |
| This command points the `az` CLI away from the public Azure management REST API and toward the LocalStack for Azure emulator API. | |
| To revert this configuration, run: | |
| `azlocal stop-interception` | |
| This reconfigures the `az` CLI to send commands to the official Azure management REST API. | |
| ::: |
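Review bot: The note block at `As an alternative to using the `azlocal` CLI, users can run: `azlocal start-interception`` offers the same `azlocal` command as the alternative to `azlocal`, so the alternative it meant to describe is missing; either name the actual alternative command or drop the note. Also worth confirming against the installed `azlocal` CLI that the subcommand is spelled `start-interception` (hyphen), since the suggestion silently changes the original `start_interception`; whichever spelling the tool accepts is the one the doc should carry, and the `stop-interception` form should match it.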
|
|
||
| ### User-assigned managed identity | ||
|
|
||
| Create a user-assigned identity: |
Suggested change
| Create a user-assigned identity: | |
| Create a user-assigned managed identity: |
| } | ||
| ``` | ||
|
|
||
| Get the identity: |
Suggested change
| Get the identity: | |
| Get the new user-assigned managed identity: |
| } | ||
| ``` | ||
|
|
||
| List identities by resource group: |
Suggested change
| List identities by resource group: | |
| List user-assigned managed identities by resource group: |
| } | ||
| ``` | ||
|
|
||
| Retrieve the system-assigned identity by scope: |
Suggested change
| Retrieve the system-assigned identity by scope: | |
| Retrieve the system-assigned managed identity by scope: |
| } | ||
| ``` | ||
|
|
||
| Assign a system-managed identity to the web app: |
Suggested change
| Assign a system-managed identity to the web app: | |
| Enable the system-assigned managed identity on the web app |
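Review bot: The suggested line `Enable the system-assigned managed identity on the web app` drops the trailing colon that the original had; every other lead-in sentence before a command block in this doc ends with a colon, so keep it for consistency.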
|
|
||
| ### System-assigned managed identity | ||
|
|
||
| Create an App Service plan and a Web App: |
For consistency, since you use lower case for web app below, we need to use lower case here as well.
Suggested change
| Create an App Service plan and a Web App: | |
| Create an app service plan and a web app: |
Comment on lines +218 to +238
| ```bash | ||
| SITE_ID=$(az webapp show --name ls-app-doc77 --resource-group rg-managedidentity-demo --query id -o tsv) | ||
|
|
||
| az rest --method get \ | ||
| --url "http://management.localhost.localstack.cloud:4566${SITE_ID}/providers/Microsoft.ManagedIdentity/identities/default?api-version=2024-11-30" | ||
| ``` | ||
|
|
||
| ```bash title="Output" | ||
| { | ||
| "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo/providers/microsoft.web/sites/ls-app-doc77", | ||
| "name": "ls-app-doc77", | ||
| "type": "microsoft.web/sites", | ||
| "location": "westeurope", | ||
| "properties": { | ||
| "principalId": "78b44418-f917-4f3a-ac29-a9821d3d8e7c", | ||
| "clientId": "4364940c-ede7-43d8-8043-3dbad79377ee", | ||
| "tenantId": "00000000-0000-0000-0000-000000000000", | ||
| ... | ||
| } | ||
| } | ||
| ``` |
Suggested change
| ```bash | |
| SITE_ID=$(az webapp show --name ls-app-doc77 --resource-group rg-managedidentity-demo --query id -o tsv) | |
| az rest --method get \ | |
| --url "http://management.localhost.localstack.cloud:4566${SITE_ID}/providers/Microsoft.ManagedIdentity/identities/default?api-version=2024-11-30" | |
| ``` | |
| ```bash title="Output" | |
| { | |
| "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo/providers/microsoft.web/sites/ls-app-doc77", | |
| "name": "ls-app-doc77", | |
| "type": "microsoft.web/sites", | |
| "location": "westeurope", | |
| "properties": { | |
| "principalId": "78b44418-f917-4f3a-ac29-a9821d3d8e7c", | |
| "clientId": "4364940c-ede7-43d8-8043-3dbad79377ee", | |
| "tenantId": "00000000-0000-0000-0000-000000000000", | |
| ... | |
| } | |
| } | |
| ``` | |
| ```bash | |
| az webapp identity show \ | |
| --name ls-app-doc77 \ | |
| --resource-group rg-managedidentity-demo | |
| ``` | |
| ```bash title="Output" | |
| { | |
| "type": "SystemAssigned", | |
| "principalId": "78b44418-f917-4f3a-ac29-a9821d3d8e7c", | |
| "tenantId": "00000000-0000-0000-0000-000000000000", | |
| ... | |
| } | |
| ``` | |
| You can also retrieve the system-assigned managed identity of a web app by calling the control plane REST API as follows: | |
| ```bash | |
| SITE_ID=$(az webapp show --name ls-app-doc77 --resource-group rg-managedidentity-demo --query id -o tsv) | |
| az rest --method get \ | |
| --url "http://management.localhost.localstack.cloud:4566${SITE_ID}/providers/Microsoft.ManagedIdentity/identities/default?api-version=2024-11-30" | |
| ``` | |
| ```bash title="Output" | |
| { | |
| "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-managedidentity-demo/providers/microsoft.web/sites/ls-app-doc77", | |
| "name": "ls-app-doc77", | |
| "type": "microsoft.web/sites", | |
| "location": "westeurope", | |
| "properties": { | |
| "principalId": "78b44418-f917-4f3a-ac29-a9821d3d8e7c", | |
| "clientId": "4364940c-ede7-43d8-8043-3dbad79377ee", | |
| "tenantId": "00000000-0000-0000-0000-000000000000", | |
| ... | |
| } | |
| } | |
| ``` | |
| ## Features | |
| The Managed Identity emulator supports the following features: | |
| - **User-assigned identity lifecycle**: Full create, read, update, and delete operations for user-assigned managed identities, including tag management and cross-region relocation. | |
| - **System-assigned identity retrieval**: Retrieve the system-assigned identity of any resource by scope, returning the associated principal ID, client ID, and tenant ID. | |
| - **Service principal auto-provisioning**: When a managed identity is created, a corresponding service principal is automatically registered in the Microsoft Graph store, mirroring Azure's built-in identity-to-directory integration. | |
| - **Role assignments**: Create, retrieve, delete, and list role assignments at subscription and scope levels. Scope-based filtering matches assignments by resource hierarchy. | |
| - **Role definitions**: Create and manage custom role definitions with granular permissions and assignable scopes. Over 549 builtin Azure role definitions are preloaded and available for immediate use. | |
| - **Management locks**: Create, delete, retrieve, and list management locks at the resource group level. Supported lock levels are `CanNotDelete` and `ReadOnly`. | |
| - **Microsoft Graph service principal queries**: List, create, and delete service principals through the Microsoft Graph `/v1.0/servicePrincipals` endpoint with OData query support including `$filter`, `$select`, `$top`, `$count`, and `$orderby`. | |
| - **Directory object lookups**: Resolve multiple directory objects by ID through the `/v1.0/directoryObjects/getByIds` endpoint. | |
| ## Limitations | |
| The Managed Identity emulator has the following limitations: | |
| - **Federated identity credentials**: Federated identity credential operations (create, get, delete, list) are not yet implemented. | |
| - **No token issuance**: The emulator does not issue actual OAuth 2.0 tokens or enforce authentication. Identity objects are created and stored, but no real credential exchange occurs. | |
| - **Management locks scope**: Management locks are supported only at the resource group level. Subscription-level and individual-resource-level locks are not implemented. | |
| - **Microsoft Graph pagination**: The `@odata.nextLink` pagination mechanism is not implemented. Large result sets are returned in a single response. | |
| - **No data persistence across restarts**: Identity, role assignment, role definition, and service principal data is held in memory and is lost when the emulator is stopped or restarted. | |
| ## Samples | |
| The following samples demonstrate how to use Managed Identity with LocalStack for Azure: | |
| - [Azure Functions App with Managed Identity](https://github.com/localstack/localstack-azure-samples/tree/main/samples/function-app-managed-identity/python) | |
| - [Azure Web App with Managed Identity](https://github.com/localstack/localstack-azure-samples/tree/main/samples/web-app-managed-identity/python) |
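Review bot: The suggestion repeats the `az rest` block and its output verbatim: it appears first at the top of the suggested text and again after `You can also retrieve the system-assigned managed identity of a web app by calling the control plane REST API as follows:`; keep only the second copy so the `az webapp identity show` example comes first and the REST call reads as the alternative. Two smaller points: `Over 549 builtin Azure role definitions are preloaded` reads oddly with an exact number after "Over" (state the count, or round it, and write `built-in`), and the Limitations entry `No token issuance: The emulator does not issue actual OAuth 2.0 tokens or enforce authentication` should be reflected in the intro paragraph, which currently promises validating secret-less authentication logic "with high fidelity"; what can be validated locally is identity provisioning and role assignment plumbing, not the credential exchange itself, so a test that passes against the emulator does not prove the app would obtain a token in Azure.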
No description provided.