This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Integrations with Azure

Dapr integrations with Azure services

1: Authenticate to Azure

1.1: Authenticating to Azure
1.2: How to: Use workload identity federation
1.3: How to: Generate a new Microsoft Entra ID application and Service Principal
1.4: How to: Use managed identities

2: Dapr integration policies for Azure API Management
3: Dapr extension for Azure Functions runtime
4: Dapr extension for Azure Kubernetes Service (AKS)

1 - Authenticate to Azure

Learn about authenticating Azure components using Microsoft Entra ID or Managed Identities

1.1 - Authenticating to Azure

How to authenticate Azure components using Microsoft Entra ID and/or Managed Identities

About authentication with Microsoft Entra ID

Microsoft Entra ID is Azure’s identity and access management (IAM) solution, which is used to authenticate and authorize users and services. It’s built on top of open standards such OAuth 2.0, which allows services (applications) to obtain access tokens to make requests to Azure services, including Azure Storage, Azure Service Bus, Azure Key Vault, Azure Cosmos DB, Azure Database for Postgres, Azure SQL, etc.

Options to authenticate

Applications can authenticate with Microsoft Entra ID and obtain an access token to make requests to Azure services through several methods:

Workload identity federation - The recommended way to configure your Microsoft Entra ID tenant to trust an external identity provider. This includes service accounts from Kubernetes or AKS clusters. Learn more about workload identity federation.
System and user assigned managed identities - Less granular than workload identity federation, but retains some of the benefits. Learn more about system and user assigned managed identities.
[Client ID and secret]({{ < ref howto-aad.md >}}) - Not recommended as it requires you to maintian and associate credentials at the application level.
Pod Identities - Deprecated approach for authenticating applications running on Kubernetes pods at a pod level. This should no longer be used.

If you are just getting started, it is recommended to use workload identity federation.

Managed identities and workload identity federation

When your application is running on a supported Azure service (such as Azure VMs, Azure Container Apps, Azure Web Apps, etc), an identity for your application can be assigned at the infrastructure level.

This is done through system or user assigned managed identities, or workload identity federation.

Once using managed identities, your code doesn’t have to deal with credentials, which:

Removes the challenge of managing credentials safely
Allows greater separation of concerns between development and operations teams
Reduces the number of people with access to credentials
Simplifies operational aspects–especially when multiple environments are used

While some Dapr Azure components offer alternative authentication methods, such as systems based on “shared keys” or “access tokens”, you should always try to authenticate your Dapr components using Microsoft Entra ID whenever possible. This offers many benefits, including:

It’s recommended that applications running on Azure Kubernetes Service leverage workload identity federation to automatically provide an identity to individual pods.

Role-Based Access Control

When using Azure Role-Based Access Control (RBAC) with supported services, permissions given to an application can be fine-tuned. For example, you can restrict access to a subset of data or make the access read-only.

Auditing

Using Microsoft Entra ID provides an improved auditing experience for access. Tenant administrators can consult audit logs to track authentication requests.

(Optional) Authentication using certificates

While Microsoft Entra ID allows you to use MI, you still have the option to authenticate using certificates.

Support for other Azure environments

By default, Dapr components are configured to interact with Azure resources in the “public cloud”. If your application is deployed to another cloud, such as Azure China or Azure Government (“sovereign clouds”), you can enable that for supported components by setting the azureEnvironment metadata property to one of the supported values:

Azure public cloud (default): "AzurePublicCloud"
Azure China: "AzureChinaCloud"
Azure Government: "AzureUSGovernmentCloud"

Support for sovereign clouds is experimental.

Credentials metadata fields

To authenticate with Microsoft Entra ID, you will need to add the following credentials as values in the metadata for your Dapr component.

Metadata options

Depending on how you’ve passed credentials to your Dapr services, you have multiple metadata options.

Authenticating using client credentials

Field	Required	Details	Example
`azureTenantId`	Y	ID of the Microsoft Entra ID tenant	`"cd4b2887-304c-47e1-b4d5-65447fdd542b"`
`azureClientId`	Y	Client ID (application ID)	`"c7dd251f-811f-4ba2-a905-acd4d3f8f08b"`
`azureClientSecret`	Y	Client secret (application password)	`"Ecy3XG7zVZK3/vl/a2NSB+a1zXLa8RnMum/IgD0E"`

When running on Kubernetes, you can also use references to Kubernetes secrets for any or all of the values above.

Authenticating using a certificate

Field	Required	Details	Example
`azureTenantId`	Y	ID of the Microsoft Entra ID tenant	`"cd4b2887-304c-47e1-b4d5-65447fdd542b"`
`azureClientId`	Y	Client ID (application ID)	`"c7dd251f-811f-4ba2-a905-acd4d3f8f08b"`
`azureCertificate`	One of `azureCertificate` and `azureCertificateFile`	Certificate and private key (in PFX/PKCS#12 format)	`"-----BEGIN PRIVATE KEY-----\n MIIEvgI... \n -----END PRIVATE KEY----- \n -----BEGIN CERTIFICATE----- \n MIICoTC... \n -----END CERTIFICATE-----`
`azureCertificateFile`	One of `azureCertificate` and `azureCertificateFile`	Path to the PFX/PKCS#12 file containing the certificate and private key	`"/path/to/file.pem"`
`azureCertificatePassword`	N	Password for the certificate if encrypted	`"password"`

When running on Kubernetes, you can also use references to Kubernetes secrets for any or all of the values above.

Authenticating with Managed Identities (MI)

Field	Required	Details	Example
`azureClientId`	N	Client ID (application ID)	`"c7dd251f-811f-4ba2-a905-acd4d3f8f08b"`

Using Managed Identities, the azureClientId field is generally recommended. The field is optional when using a system-assigned identity, but may be required when using user-assigned identities.

Authenticating with Workload Identity on AKS

When running on Azure Kubernetes Service (AKS), you can authenticate components using Workload Identity. Refer to the Azure AKS documentation on enabling Workload Identity for your Kubernetes resources.

Authenticating using Azure CLI credentials (development-only)

Important: This authentication method is recommended for development only.

This authentication method can be useful while developing on a local machine. You will need:

The Azure CLI installed
Have successfully authenticated using the az login command

When Dapr is running on a host where there are credentials available for the Azure CLI, components can use those to authenticate automatically if no other authentication method is configuration.

Using this authentication method does not require setting any metadata option.

Example usage in a Dapr component

In this example, you will set up an Azure Key Vault secret store component that uses Microsoft Entra ID to authenticate.

To use a client secret, create a file called azurekeyvault.yaml in the components directory, filling in with the details from the above setup process:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "[your_keyvault_name]"
  - name: azureTenantId
    value: "[your_tenant_id]"
  - name: azureClientId
    value: "[your_client_id]"
  - name: azureClientSecret
    value : "[your_client_secret]"

If you want to use a certificate saved on the local disk, instead, use:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "[your_keyvault_name]"
  - name: azureTenantId
    value: "[your_tenant_id]"
  - name: azureClientId
    value: "[your_client_id]"
  - name: azureCertificateFile
    value : "[pfx_certificate_file_fully_qualified_local_path]"

In Kubernetes, you store the client secret or the certificate into the Kubernetes Secret Store and then refer to those in the YAML file.

To use a client secret:

Create a Kubernetes secret using the following command:
```
kubectl create secret generic [your_k8s_secret_name] --from-literal=[your_k8s_secret_key]=[your_client_secret]
```
- [your_client_secret] is the application’s client secret as generated above
- [your_k8s_secret_name] is secret name in the Kubernetes secret store
- [your_k8s_secret_key] is secret key in the Kubernetes secret store

Create an azurekeyvault.yaml component file.

The component yaml refers to the Kubernetes secretstore using auth property and secretKeyRef refers to the client secret stored in the Kubernetes secret store.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "[your_keyvault_name]"
  - name: azureTenantId
    value: "[your_tenant_id]"
  - name: azureClientId
    value: "[your_client_id]"
  - name: azureClientSecret
    secretKeyRef:
      name: "[your_k8s_secret_name]"
      key: "[your_k8s_secret_key]"
auth:
  secretStore: kubernetes

Apply the azurekeyvault.yaml component:
```
kubectl apply -f azurekeyvault.yaml
```

To use a certificate:

Create a Kubernetes secret using the following command:
```
kubectl create secret generic [your_k8s_secret_name] --from-file=[your_k8s_secret_key]=[pfx_certificate_file_fully_qualified_local_path]
```
- [pfx_certificate_file_fully_qualified_local_path] is the path to the PFX file you obtained earlier
- [your_k8s_secret_name] is secret name in the Kubernetes secret store
- [your_k8s_secret_key] is secret key in the Kubernetes secret store

Create an azurekeyvault.yaml component file.

The component yaml refers to the Kubernetes secretstore using auth property and secretKeyRef refers to the certificate stored in the Kubernetes secret store.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "[your_keyvault_name]"
  - name: azureTenantId
    value: "[your_tenant_id]"
  - name: azureClientId
    value: "[your_client_id]"
  - name: azureCertificate
    secretKeyRef:
      name: "[your_k8s_secret_name]"
      key: "[your_k8s_secret_key]"
auth:
  secretStore: kubernetes

Apply the azurekeyvault.yaml component:
```
kubectl apply -f azurekeyvault.yaml
```

Next steps

Generate a new Microsoft Entra ID application and Service Principal >>

References

1.2 - How to: Use workload identity federation

Learn how to configure Dapr to use workload identity federation on Azure.

This guide will help you configure your Kubernetes cluster to run Dapr with Azure workload identity federation.

What is it?

Workload identity federation is a way for your applications to authenticate to Azure without having to store or manage credentials as part of your releases.

By using workload identity federation, any Dapr components running on Kubernetes and AKS that target Azure can authenticate transparently with no extra configuration.

Guide

We’ll show how to configure an Azure Key Vault resource against your AKS cluster. You can adapt this guide for different Dapr Azure components by substituting component definitions as necessary.

For this How To, we’ll use this Dapr AKS secrets sample app.

Prerequisites

AKS cluster with workload identity enabled
Microsoft Entra ID tenant

1 - Enable workload identity federation

Follow the Azure documentation for enabling workload identity federation on your AKS cluster.

The HowTo walks through configuring your Azure Entra ID tenant to trust an identity that originates from your AKS cluster issuer. It also guides you in setting up a Kubernetes service account which is associated with an Azure managed identity you create.

Once completed, return here to continue with step 2.

2 - Add a secret to Azure Key Vault

In the Azure Key Vault you created and add a secret called dapr with the value of Hello Dapr!.

3 - Configure the Azure Key Vault dapr component

By this point, you should have a Kubernetes service account with a name similar to workload-identity-sa0a1b2c.

Apply the following to your Kubernetes cluster, remembering to update your-key-vault with the name of your key vault:

---
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: demo-secret-store # Be sure not to change this, as our app will be looking for it.
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: your-key-vault # Replace

You’ll notice that we have not provided any details specific to authentication in the component definition. This is intentional, as Dapr is able to leverage the Kubernetes service account to transparently authenticate to Azure.

4 - Deploy the test application

Go to the workload identity federation sample application and prepare a build of the image.

Make sure the image is pushed up to a registry that your AKS cluster has visibility and permission to pull from.

Next, create a deployment for our sample AKS secrets app container along with a Dapr sidecar.

Remember to update dapr-wif-k8s-service-account with your service account name and dapraksworkloadidentityfederation with an image your cluster can resolve:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aks-dapr-wif-secrets
  labels:
    app: aks-dapr-wif-secrets
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aks-dapr-wif-secrets
  template:
    metadata:
      labels:
        app: aks-dapr-wif-secrets
        azure.workload.identity/use: "true" # Important
      annotations:
        dapr.io/enabled: "true" # Enable Dapr
        dapr.io/app-id: "aks-dapr-wif-secrets"
    spec:
      serviceAccountName: dapr-wif-k8s-service-account # Remember to replace
      containers:
        - name: workload-id-demo
          image: dapraksworkloadidentityfederation # Remember to replace
          imagePullPolicy: Always

Once the application is up and running, it should output the following:

Fetched Secret: Hello dapr!

1.3 - How to: Generate a new Microsoft Entra ID application and Service Principal

Learn how to generate an Microsoft Entra ID and use it as a Service Principal

Prerequisites

An Azure subscription
Azure CLI
jq
OpenSSL (included by default on all Linux and macOS systems, as well as on WSL)
Make sure you’re using a bash or zsh shell

Log into Azure using the Azure CLI

In a new terminal, run the following command:

az login
az account set -s [your subscription id]

Create an Microsoft Entra ID application

Create the Microsoft Entra ID application with:

# Friendly name for the application / Service Principal
APP_NAME="dapr-application"

# Create the app
APP_ID=$(az ad app create --display-name "${APP_NAME}"  | jq -r .appId)

Select how you’d prefer to pass credentials.

To create a client secret, run the following command.

az ad app credential reset \
  --id "${APP_ID}" \
  --years 2

This generates a random, 40-characters long password based on the base64 charset. This password will be valid for 2 years, before you need to rotate it.

Save the output values returned; you’ll need them for Dapr to authenticate with Azure. The expected output:

{
  "appId": "<your-app-id>",
  "password": "<your-password>",
  "tenant": "<your-azure-tenant>"
}

When adding the returned values to your Dapr component’s metadata:

appId is the value for azureClientId
password is the value for azureClientSecret (this was randomly-generated)
tenant is the value for azureTenantId

For a PFX (PKCS#12) certificate, run the following command to create a self-signed certificate:

az ad app credential reset \
  --id "${APP_ID}" \
  --create-cert

Note: Self-signed certificates are recommended for development only. For production, you should use certificates signed by a CA and imported with the --cert flag.

The output of the command above should look like:

Save the output values returned; you’ll need them for Dapr to authenticate with Azure. The expected output:

{
  "appId": "<your-app-id>",
  "fileWithCertAndPrivateKey": "<file-path>",
  "password": null,
  "tenant": "<your-azure-tenant>"
}

When adding the returned values to your Dapr component’s metadata:

appId is the value for azureClientId
tenant is the value for azureTenantId
fileWithCertAndPrivateKey indicates the location of the self-signed PFX certificate and private key. Use the contents of that file as azureCertificate (or write it to a file on the server and use azureCertificateFile)

Note: While the generated file has the .pem extension, it contains a certificate and private key encoded as PFX (PKCS#12).

Create a Service Principal

Once you have created an Microsoft Entra ID application, create a Service Principal for that application. With this Service Principal, you can grant it access to Azure resources.

To create the Service Principal, run the following command:

SERVICE_PRINCIPAL_ID=$(az ad sp create \
  --id "${APP_ID}" \
  | jq -r .id)
echo "Service Principal ID: ${SERVICE_PRINCIPAL_ID}"

Expected output:

Service Principal ID: 1d0ccf05-5427-4b5e-8eb4-005ac5f9f163

The returned value above is the Service Principal ID, which is different from the Microsoft Entra ID application ID (client ID). The Service Principal ID is defined within an Azure tenant and used to grant access to Azure resources to an application
You’ll use the Service Principal ID to grant permissions to an application to access Azure resources.

Meanwhile, the client ID is used by your application to authenticate. You’ll use the client ID in Dapr manifests to configure authentication with Azure services.

Keep in mind that the Service Principal that was just created does not have access to any Azure resource by default. Access will need to be granted to each resource as needed, as documented in the docs for the components.

Next steps

Use Managed Identities >>

1.4 - How to: Use managed identities

Learn how to use managed identities

Using managed identities, authentication happens automatically by virtue of your application running on top of an Azure service that has either a system-managed or a user-assigned identity.

To get started, you need to enable a managed identity as a service option/functionality in various Azure services, independent of Dapr. Enabling this creates an identity (or application) under the hood for Microsoft Entra ID (previously Azure Active Directory ID) purposes.

Your Dapr services can then leverage that identity to authenticate with Microsoft Entra ID, transparently and without you having to specify any credentials.

In this guide, you learn how to:

Grant your identity to the Azure service you’re using via official Azure documentation
Set up either a system-managed or user-assigned identity in your component

That’s about all there is to it.

Note

In your component YAML, you only need the azureClientId property if using user-assigned identity. Otherwise, you can omit this property for system-managed identity to be used by default.

Grant access to the service

Set the requisite Microsoft Entra ID role assignments or custom permissions to your system-managed or user-assigned identity for a particular Azure resource (as identified by the resource scope).

You can set up a managed identity to a new or existing Azure resource. The instructions depend on the service use. Check the following official documentation for the most appropriate instructions:

Azure Kubernetes Service (AKS)
Azure Container Apps (ACA)
Azure App Service (including Azure Web Apps and Azure Functions)
Azure Virtual Machines (VM)
Azure Virtual Machines Scale Sets (VMSS)
Azure Container Instance (ACI)

After assigning a system-managed identity to your Azure resource, you’ll have credentials like the following:

{
    "principalId": "<object-id>",
    "tenantId": "<tenant-id>",
    "type": "SystemAssigned",
    "userAssignedIdentities": null
}

From the returned values, take note of the principalId value, which is the Service Principal ID created for your identity. Use that to grant access permissions for your Azure resources component to access the identity.

Managed identities in Azure Container Apps

Every container app has a completely different system-managed identity, making it very unmanageable to handle the required role assignments across multiple apps.

Instead, it’s strongly recommended to use a user-assigned identity and attach this to all the apps that should load the component. Then, you should scope the component to those same apps.

Set up identities in your component

By default, Dapr Azure components look up the system-managed identity of the environment they run in and authenticate as that. Generally, for a given component, there are no required properties to use system-managed identity other than the service name, storage account name, and any other properites required by the Azure service (listed in the documentation).

For user-assigned idenitities, in addition to the basic properties required by the service you’re using, you need to specify the azureClientId (user-assigned identity ID) in the component. Make sure the user-assigned identity is attached to the Azure service Dapr is running on, or else you won’t be able to use that identity.

Note

If the sidecar loads a component which does not specify azureClientId, it only tries the system-assigned identity. If the component specifies the azureClientId property, it only tries the particular user-assigned identity with that ID.

The following examples demonstrate setting up either a system-managed or user-assigned identity in an Azure KeyVault secrets component.

If you set up system-managed identity using an Azure KeyVault component, the YAML would look like the following:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: mykeyvault

In this example, the system-managed identity looks up the service identity and communicates with the mykeyvault vault. Next, grant your system-managed identiy access to the desired service.

If you set up user-assigned identity using an Azure KeyVault component, the YAML would look like the following:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: mykeyvault
  - name: azureClientId
    value: someAzureIdentityClientIDHere

Once you’ve set up the component YAML with the azureClientId property, you can grant your user-assigned identity access to your service.

For component configuration in Kubernetes or AKS, refer to the Workload Identity guidance.

Troubleshooting

If you receive an error or your managed identity doesn’t work as expected, check if the following items are true:

The system-managed identity or user-assigned identity don’t have the required permissions on the target resource.
The user-assigned identity isn’t attached to the Azure service (container app or pod) from which you’re loading the component. This can especially happen if:
- You have an unscoped component (a component loaded by all container apps in an environment, or all deployments in your AKS cluster).
- You attached the user-assigned identity to only one container app or one deployment in AKS (using Azure Workload Identity).
In this scenario, since the identity isn’t attached to every other container app or deployment in AKS, the component referencing the user-assigned identity via azureClientId fails.

Best practice: When using user-assigned identities, make sure to scope your components to specific apps!

Next steps

Refer to Azure component specs >>

2 - Dapr integration policies for Azure API Management

Publish APIs for Dapr services and components through Azure API Management policies

Azure API Management is a way to create consistent and modern API gateways for back-end services, including those built with Dapr. You can enable Dapr support in self-hosted API Management gateways to allow them to:

Forward requests to Dapr services
Send messages to Dapr Pub/Sub topics
Trigger Dapr output bindings

Try out the Dapr & Azure API Management Integration sample.

Learn more about Dapr integration policies

3 - Dapr extension for Azure Functions runtime

Access Dapr capabilities from your Azure Functions runtime application

Dapr integrates with the Azure Functions runtime via an extension that lets a function seamlessly interact with Dapr.

Azure Functions provides an event-driven programming model.
Dapr provides cloud-native building blocks.

The extension combines the two for serverless and event-driven apps.

Try out the Dapr extension for Azure Functions

4 - Dapr extension for Azure Kubernetes Service (AKS)

Provision Dapr on your Azure Kubernetes Service (AKS) cluster with the Dapr extension

The recommended approach for installing Dapr on AKS is to use the AKS Dapr extension. The extension offers:

Support for all native Dapr configuration capabilities through command-line arguments via the Azure CLI
The option of opting into automatic minor version upgrades of the Dapr runtime

Note

If you install Dapr through the AKS extension, best practice is to continue using the extension for future management of Dapr instead of the Dapr CLI. Combining the two tools can cause conflicts and result in undesired behavior.

Prerequisites for using the Dapr extension for AKS:

Learn more about the Dapr extension for AKS