NGINXaaS Managed Identity on dataplane
F5 NGINX as a Service for Azure (NGINXaaS) supports using the Managed Identity (MI) assigned to the NGINXaaS deployment to access other Azure resources in the same virtual network or those that are publicly accessible.
NGINX Plus instances that are part of the NGINXaaS deployment can query the identity endpoint of the Azure Instance Metadata Service (IMDS) to fetch access tokens.
Important: Exposing the IMDS endpoint externally can allow unintended third parties to retrieve the access tokens associated with the managed identities assigned to the deployment. To mitigate this risk, ensure the endpoint is restricted to internal access or apply appropriate access controls.
The example below contains a sample NGINX config that uses njs and the NGINXaaS MI to query a blob storage container. You can also use the standard MSAL libraries to query IMDS.
- Assign a system-assigned identity to the NGINXaaS deployment and grant the identity access to blob storage. Dataplane managed identity access only works with system-assigned managed identities.
- Create an NGINX config named nginx.conf with the following content:
- Create a JavaScript file named query_blob.js with the following content:
Sending an HTTP request to the queryBlob endpoint triggers njs, which fetches an access token from IMDS and uses it to query blob storage.
IMDS enforces a rate limit of 5 requests per second. To optimize performance, cache the access token in NGINX instead of retrieving it for every request.
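The nginx.conf and query_blob.js listings are not reproduced above. The following njs module is an added example, not the NGINXaaS page's own code, that implements the flow the steps and the caching advice describe: fetch a managed-identity token from IMDS (with the required Metadata: true header), keep it in a module-level cache until shortly before the expires_on time IMDS reports, and use it to list a blob container. The storage account name, container name, the /queryBlob location name, the 300-second refresh margin and the x-ms-version value are assumptions, not values from the page.

```javascript
// Added example (not the NGINXaaS page's own query_blob.js): njs handler that
// obtains a managed-identity token from Azure IMDS, caches it, and calls blob
// storage with it. Account/container names and the refresh margin are assumed.

// Azure IMDS managed-identity token endpoint (link-local address, plain HTTP).
var IMDS_TOKEN_URL = 'http://169.254.169.254/metadata/identity/oauth2/token'
  + '?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F';

// Hypothetical storage account and container; replace with your own.
var STORAGE_ACCOUNT = 'examplestorageacct';
var CONTAINER = 'examplecontainer';
var BLOB_LIST_URL = 'https://' + STORAGE_ACCOUNT + '.blob.core.windows.net/'
  + CONTAINER + '?restype=container&comp=list';

// Refresh the token this many seconds before IMDS says it expires (assumed value).
var REFRESH_MARGIN_SECONDS = 300;

// Module-level cache. njs keeps module state per worker process, so each worker
// holds its own copy; that still keeps IMDS calls well below 5 requests/second.
var cache = { token: null, expiresOn: 0 };

// A cached token is usable if it exists and is not within the refresh margin.
function isFresh(entry, nowSeconds) {
  return entry.token !== null
    && nowSeconds < entry.expiresOn - REFRESH_MARGIN_SECONDS;
}

// Parse the IMDS JSON body. IMDS returns expires_on as a string of Unix seconds.
function parseImdsResponse(body) {
  var parsed = JSON.parse(body);
  if (typeof parsed.access_token !== 'string' || !parsed.access_token) {
    throw new Error('IMDS response has no access_token');
  }
  var expiresOn = Number(parsed.expires_on);
  if (!Number.isFinite(expiresOn)) {
    throw new Error('IMDS response has no numeric expires_on');
  }
  return { token: parsed.access_token, expiresOn: expiresOn };
}

// Return a usable token, calling fetchImpl(url, opts) (ngx.fetch in njs, or a
// test double) only when the cache is empty or near expiry.
// Resolves to { token, fromCache }.
function getToken(fetchImpl, nowSeconds) {
  if (isFresh(cache, nowSeconds)) {
    return Promise.resolve({ token: cache.token, fromCache: true });
  }
  return fetchImpl(IMDS_TOKEN_URL, { headers: { Metadata: 'true' } })
    .then(function (res) {
      if (res.status !== 200) {
        throw new Error('IMDS returned HTTP ' + res.status);
      }
      return res.text();
    })
    .then(function (body) {
      var entry = parseImdsResponse(body);
      cache.token = entry.token;
      cache.expiresOn = entry.expiresOn;
      return { token: entry.token, fromCache: false };
    });
}

// Clear the cache (used by tests and useful after a 401 from storage).
function resetCache() {
  cache.token = null;
  cache.expiresOn = 0;
}

// njs request handler for the /queryBlob location (wired with js_content).
function queryBlob(r) {
  var now = Math.floor(Date.now() / 1000);
  getToken(ngx.fetch, now)
    .then(function (t) {
      return ngx.fetch(BLOB_LIST_URL, {
        headers: {
          Authorization: 'Bearer ' + t.token,
          'x-ms-version': '2020-10-02'
        }
      });
    })
    .then(function (res) {
      return res.text().then(function (body) { r.return(res.status, body); });
    })
    .catch(function (e) {
      r.error('queryBlob failed: ' + e.message);   // goes to the NGINX error log
      r.return(502, 'upstream error');
    });
}
```

To wire it in, nginx.conf needs `js_import query_blob.js;` in the http block, a `resolver` so that ngx.fetch can resolve the storage hostname, `js_fetch_trusted_certificate` pointing at a CA bundle so the HTTPS call to blob storage verifies, and `location /queryBlob { js_content query_blob.queryBlob; }`. njs exposes handlers through `export default { queryBlob };`; that line is left off here so the file also loads under Node.js, so append it before deploying. Keep the location on an internal listener or behind allow/deny rules, as the Important note above says, because any client that can reach it gets a listing made with the deployment's identity.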