Managed Identity Authentication in Logic Apps
To implement managed identity authentication in Azure Logic Apps with Pulumi, you would typically use the IntegrationServiceEnvironment and Workflow resources from the azure-native provider. The IntegrationServiceEnvironment resource lets you run and manage multiple logic apps inside a dedicated, network-isolated environment, and the Workflow resource represents the Logic App workflow itself. (Microsoft retired the Integration Service Environment offering on 31 August 2024; the identity configuration shown below is the same for a Consumption Logic App, which is simply a Workflow without the integration_service_environment reference.)

A managed identity in Azure gives your application an identity to use when connecting to resources that support Azure Active Directory (now Microsoft Entra ID) authentication. The platform issues and rotates the identity's tokens, so no client secret, key or connection string has to be stored in your code or in the workflow definition, which removes a common source of credential leakage.
In this program, I will create an Azure Logic App with a system-assigned managed identity within an Integration Service Environment (ISE). The managed identity will then be used to authenticate to the other Azure services the Logic App needs to interact with, provided those services support Azure AD authentication.
Here's a high-level explanation of the program:
- We'll create an instance of IntegrationServiceEnvironment, which is a fully isolated and dedicated environment for all Logic App resources.
- We'll then create a Workflow, which is essentially a Logic App, and enable a managed identity for it.
- We'll set the managed identity type of the workflow to 'SystemAssigned' so that Azure creates and manages an identity whose lifecycle is tied to the workflow.
Below is the detailed Python program using Pulumi:
import pulumi
import pulumi_azure_native as azure_native

# Create a resource group to host all the resources
resource_group = azure_native.resources.ResourceGroup('logicapps-resource-group')

# Create an Integration Service Environment which Logic Apps can run within.
# Replace "<location>" with your desired Azure region, like "East US" or "West Europe".
# An ISE is injected into a virtual network and the API requires four dedicated
# subnets, so replace the "<subnet-id-N>" placeholders with the resource IDs of
# subnets you have already created.
integration_service_environment = azure_native.logic.IntegrationServiceEnvironment(
    'ise',
    resource_group_name=resource_group.name,
    location='<location>',  # Your specific location
    sku=azure_native.logic.IntegrationServiceEnvironmentSkuArgs(
        name='Developer',  # Choose the SKU that suits your needs; 'Developer' is used for demo purposes
        capacity=0,        # Capacity is mandatory; the Developer SKU only supports 0
    ),
    properties=azure_native.logic.IntegrationServiceEnvironmentPropertiesArgs(
        network_configuration=azure_native.logic.NetworkConfigurationArgs(
            access_endpoint=azure_native.logic.IntegrationServiceEnvironmentAccessEndpointArgs(
                # Valid values are 'Internal' and 'External' (not the SKU name).
                # 'Internal' keeps the management endpoint inside the VNet.
                type='Internal',
            ),
            subnets=[
                azure_native.logic.ResourceReferenceArgs(id='<subnet-id-1>'),
                azure_native.logic.ResourceReferenceArgs(id='<subnet-id-2>'),
                azure_native.logic.ResourceReferenceArgs(id='<subnet-id-3>'),
                azure_native.logic.ResourceReferenceArgs(id='<subnet-id-4>'),
            ],
        ),
    ),
)

# Create a Logic App Workflow with Managed Identity
logic_app = azure_native.logic.Workflow(
    'logicapp',
    resource_group_name=resource_group.name,
    location=integration_service_environment.location,
    integration_service_environment=azure_native.logic.ResourceReferenceArgs(
        id=integration_service_environment.id,
    ),
    identity=azure_native.logic.ManagedServiceIdentityArgs(
        type='SystemAssigned',
    ),
    # A minimal, empty workflow definition; add triggers and actions here as needed.
    definition={
        '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#',
        'contentVersion': '1.0.0.0',
        'parameters': {},
        'triggers': {},
        'actions': {},
        'outputs': {},
    },
)

# Export the Logic App's access endpoint and the managed identity's principal ID.
# access_endpoint is the workflow's base URL; trigger callback URLs (which carry a
# SAS signature) are not exposed as a resource output and are read via listCallbackUrl.
pulumi.export('logic_app_access_endpoint', logic_app.access_endpoint)
pulumi.export('managed_identity_principal_id', logic_app.identity.apply(lambda i: i.principal_id if i else None))
Remember to replace the placeholder '<location>' with the Azure region you wish to deploy your resources to; the ISE also needs four dedicated subnets in a virtual network, so make sure those exist and are referenced before deploying. The program defines a ResourceGroup, creates the IntegrationServiceEnvironment with the necessary network properties using the Developer SKU (suitable for development, not production), and sets up a Workflow to represent the Logic App.

The workflow is configured with a system-assigned identity by setting the type property of ManagedServiceIdentityArgs to 'SystemAssigned'. The Logic App can now use the managed identity to authenticate to other Azure services that support Azure AD without storing credentials in your Logic App. Note that a freshly created identity has no permissions at all: every call it makes is rejected with an authorization error until you assign it a role. Grant the most specific built-in role that covers what the workflow actually does (for example a data-plane reader role on one storage account rather than Contributor on the subscription) and scope it to the individual resource. Because the identity is system-assigned, it is deleted together with the workflow and any role assignments pointing at it become orphaned; if several workflows need the same access, a user-assigned identity is easier to manage.

Lastly, we export two values: the access endpoint of the Logic App and the principal ID of the managed identity associated with the Logic App. These values can be used to interact with the Logic App outside of Pulumi and to configure role assignments for the managed identity, granting it the necessary permissions to other resources.
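The workflow definition is where the managed identity is actually used: an HTTP action declares authentication of type ManagedServiceIdentity plus the target audience, and the runtime fetches the token for the workflow's identity at run time. The following Python is an added example, not part of the original program above. It builds such a definition for reading a blob (the storage account, container and blob names are hypothetical) and adds an audit helper that walks a definition, including nested scopes and condition branches, and reports every action whose authentication block still embeds a static credential (Basic, ClientCertificate, ActiveDirectoryOAuth secret, or a raw Authorization header). Nothing here contacts Azure; the returned dict is what you would pass as the definition argument of azure_native.logic.Workflow.

```python
"""Workflow definition using ManagedServiceIdentity auth, plus a check for
actions that still carry static credentials. Added example; names are made up.
"""
import json

WORKFLOW_SCHEMA = (
    "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/"
    "2016-06-01/workflowdefinition.json#"
)
# Audience for Azure Storage data-plane tokens.
STORAGE_AUDIENCE = "https://storage.azure.com/"
# The only authentication type that does not embed a long-lived secret.
ALLOWED_AUTH_TYPES = {"ManagedServiceIdentity"}


def msi_blob_read_definition(storage_account: str, container: str, blob: str) -> dict:
    """Return a definition that reads one blob with the workflow's managed identity.

    No key or SAS appears in the definition; the call only succeeds once the
    identity has been granted a blob data role on the storage account.
    """
    uri = f"https://{storage_account}.blob.core.windows.net/{container}/{blob}"
    return {
        "$schema": WORKFLOW_SCHEMA,
        "contentVersion": "1.0.0.0",
        "parameters": {},
        "triggers": {
            "Hourly": {
                "type": "Recurrence",
                "recurrence": {"frequency": "Hour", "interval": 1},
            }
        },
        "actions": {
            "Read_blob": {
                "type": "Http",
                "runAfter": {},
                "inputs": {
                    "method": "GET",
                    "uri": uri,
                    # Bearer-token access to Blob storage requires x-ms-version >= 2017-11-09.
                    "headers": {"x-ms-version": "2020-04-08"},
                    "authentication": {
                        "type": "ManagedServiceIdentity",
                        "audience": STORAGE_AUDIENCE,
                    },
                },
            }
        },
        "outputs": {},
    }


def find_static_credentials(definition: dict) -> list:
    """Return [(action_path, auth_type), ...] for every action whose
    authentication is not a managed identity.

    Recurses into Scope/Foreach/Until ("actions") and Condition branches
    ("actions" and "else.actions") so nothing hides inside a container.
    """
    findings = []

    def walk(actions, prefix: str) -> None:
        for name, action in (actions or {}).items():
            path = f"{prefix}/{name}" if prefix else name
            auth = (action.get("inputs") or {}).get("authentication")
            if isinstance(auth, dict) and auth.get("type") not in ALLOWED_AUTH_TYPES:
                findings.append((path, auth.get("type")))
            walk(action.get("actions"), path)
            walk((action.get("else") or {}).get("actions"), path)

    walk(definition.get("actions"), "")
    return findings


if __name__ == "__main__":
    definition = msi_blob_read_definition("examplestorage", "reports", "latest.json")
    print(json.dumps(definition, indent=2))
    print("static credentials found:", find_static_credentials(definition))
```

For the HTTP action to succeed, the identity exported as managed_identity_principal_id must hold a data-plane role such as Storage Blob Data Reader on that storage account; with Pulumi this is an azure_native.authorization.RoleAssignment with principal_type='ServicePrincipal' and scope set to the storage account's resource ID, not the subscription. Running find_static_credentials over a definition before deployment is a cheap guard against someone re-introducing a Basic-auth password or client secret into the workflow.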
Be sure to install the required Pulumi Azure Native package using pip:
pip install pulumi_azure_native
After running pulumi up, this program will deploy the described resources in your Azure subscription. The program assumes you have already logged into Azure and have set up Pulumi to communicate with your Azure subscription.