Managed Identity

Learn how to add a user asigned managed identity.

NGINX for Azure leverages a user asigned managed identity for some of its integrations with Azure such as:

  • Azure Key Vault (AKV): to fetch SSL/TLS certificates from AKV to your NGINX for Azure deployment, so that they can be referenced by your NGINX configuration.

  • Azure Monitor: to publish metrics from your NGINX deployment to Azure Monitor.


  • A user asigned managed identity. If you are unfamiliar with managed identities for Azure resources, refer to the Managed Identity documentation from Microsoft.

  • Owner access on the resource group or subscription to assign the managed identity to the NGINX deployment.

Adding a Managed Identity

  1. Go to your NGINX for Azure deployment.

  2. Select the Identity tab in the left menu, then select Add.

    Identity > Add
  3. Select the appropriate subscription and user asigned managed identity, then select Add.

    Identity Add Subscription

    NGINX for Azure supports a single user asigned managed identity per deployment. Adding more than a single managed identity is not supported.

  4. The added user asigned managed identity will show up in the main table.

    Managed Identity Added

Removing a managed identity

  1. Select the managed identity you want to remove.

    Select Identity to Remove
  2. Confirm the operation.

    Confirm Identity Removal

Removing a Managed Identity from an NGINX deployment has the following effects:

  • If the NGINX deployment uses any SSL/TLS certificates, then any updates to the deployment (including deployment properties, certificates, and configuration) will result in a failure. If the configuration is updated to not use any certificates, then those requests will succeed.

  • If publishing metrics is enabled for the NGINX deployment, then the metrics will no longer be published to Azure Monitor for this deployment until a Managed Identity is added.

What’s next

SSL/TLS Certificates