Assign Managed Identities

Learn how to add a user assigned or a system assigned managed identity.

NGINX as a Service for Azure leverages a user assigned or a system assigned managed identity for some of its integrations with Azure, such as:

  • Azure Key Vault (AKV): fetch SSL/TLS certificates from AKV to your NGINXaaS deployment, so that they can be referenced by your NGINX configuration.

  • Azure Monitor: publish metrics from your NGINX deployment to Azure Monitor.

  • Azure Storage: export logs from your NGINX deployment to Azure Blob Storage Container.

Prerequisites

  • A user assigned or a system assigned managed identity. If you are unfamiliar with managed identities for Azure resources, refer to the Managed Identity documentation from Microsoft.

  • Owner access on the resource group or subscription to assign the managed identity to the NGINX deployment.

Adding User Assigned Managed Identity

  1. Go to your NGINXaaS for Azure deployment.

  2. Select the Identity tab in the left menu, choose User Assigned and then select Add.

    User Identity > Add
  3. Select the appropriate subscription and user assigned managed identity, then select Add.

    User Identity Add Subscription

    Note:
    NGINXaaS supports a single user assigned managed identity per deployment. Adding more than a single managed identity is not supported.

  4. The added user assigned managed identity will show up in the main table.

    User Assigned Identity Added

Removing User Assigned Managed Identity

  1. Select the managed identity you want to remove.

    Select User Identity to Remove
  2. Confirm the operation.

    Confirm User Identity Removal

Adding System Assigned Managed Identity

  1. Go to your NGINXaaS for Azure deployment.

  2. Select the Identity tab in the left menu, choose System Assigned and then toggle Status to On. Select Save.

    Select System Identity to Add

  3. Confirm the operation.

    Confirm System Identity Removal

    Note:
    NGINXaaS supports using only one type of managed identity per deployment at a time. User assigned and system assigned identities cannot be present simultaneously.

  4. To provide the role assignments necessary for the deployment, Select Azure Role Assignments.

    Azure Role Assignments
  5. Select Add Role Assignments and Choose the appropriate Scope and Role and select Save.

    System MI Add Role Assignments
  6. The system assigned managed identity will be shown as enabled on the main Identity page.

    System MI Main

Removing System Assigned Managed Identity

  1. Toggle Status to Off and select Save.

    System MI Toggle Off
  2. Confirm the operation.

    System MI Remove Confirm
Note:

Removing a Managed Identity from an NGINX deployment has the following effects:

  • If the NGINX deployment uses any SSL/TLS certificates, then any updates to the deployment (including deployment properties, certificates, and configuration) will result in a failure. If the configuration is updated not to use any certificates, then those requests will succeed.

  • If publishing metrics is enabled for the NGINX deployment, then the metrics will no longer be published to Azure Monitor for this deployment until a Managed Identity is added.

  • If logging is enabled for the NGINX deployment, then the logs will no longer be exported to the Azure Blob Storage Container for this deployment until a Managed Identity is added.

What’s Next

Add SSL/TLS Certificates