Use managed identities for Web PubSub Services
March 21, 2025 ยท View on GitHub
SYNOPSIS
Configure Web PubSub Services to use managed identities to access Azure resources securely.
DESCRIPTION
A managed identity allows your service to access other Azure AD-protected resources such as Azure Functions. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets.
Using Azure managed identities have the following benefits:
- You don't need to store or manage credentials. Azure automatically generates tokens and performs rotation.
- You can use managed identities to authenticate to any Azure service that supports Azure AD authentication.
- Managed identities can be used without any additional cost.
RECOMMENDATION
Consider configuring a managed identity for each Web PubSub Service. Also consider using managed identities to authenticate to related Azure services.
EXAMPLES
Configure with Azure template
To deploy services that pass this rule:
- Set the
identity.typetoSystemAssignedorUserAssigned. - If
identity.typeisUserAssigned, reference the identity withidentity.userAssignedIdentities.
For example:
{
"type": "Microsoft.SignalRService/webPubSub",
"apiVersion": "2023-02-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_S1"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"disableLocalAuth": true
}
}
Configure with Bicep
To deploy services that pass this rule:
- Set the
identity.typetoSystemAssignedorUserAssigned. - If
identity.typeisUserAssigned, reference the identity withidentity.userAssignedIdentities.
For example:
resource service 'Microsoft.SignalRService/webPubSub@2023-02-01' = {
name: name
location: location
sku: {
name: 'Standard_S1'
}
identity: {
type: 'SystemAssigned'
}
properties: {
disableLocalAuth: true
}
}