
# Azure managed identity

export const m_runner = "Maia runner";

export const maia = "Maia";

export const RunnerMetadata = ({runnerType, platforms = []}) => {
  return <div style={{
    background: 'var(--colors-background-light, #f9fafb)',
    border: '1px solid var(--colors-border-default, #e5e7eb)',
    borderRadius: '12px',
    padding: '20px 28px',
    marginBottom: '28px'
  }}>
      <table style={{
    width: '100%',
    borderCollapse: 'collapse'
  }}>
        <tbody>
          <tr>
            <td style={{
    fontWeight: '600',
    paddingRight: '32px',
    paddingBottom: '14px',
    whiteSpace: 'nowrap',
    verticalAlign: 'middle',
    width: '180px'
  }}>Runner type</td>
            <td style={{
    paddingBottom: '14px',
    verticalAlign: 'middle'
  }}>{runnerType}</td>
          </tr>
          <tr>
            <td style={{
    fontWeight: '600',
    paddingRight: '32px',
    whiteSpace: 'nowrap',
    verticalAlign: 'middle'
  }}>Runner platform</td>
            <td style={{
    verticalAlign: 'middle'
  }}>
              <div style={{
    display: 'flex',
    flexWrap: 'wrap',
    gap: '8px'
  }}>
                {platforms.map((platform, i) => <span key={i} style={{
    background: '#dcfce7',
    color: '#15803d',
    border: '1px solid #bbf7d0',
    borderRadius: '9999px',
    padding: '3px 12px',
    fontSize: '0.85rem',
    fontWeight: '500',
    whiteSpace: 'nowrap'
  }}>
                    {platform} ✅
                  </span>)}
              </div>
            </td>
          </tr>
        </tbody>
      </table>
    </div>;
};

<RunnerMetadata runnerType={`${maia} Hybrid`} platforms={["Azure"]} />

You may require the Azure {m_runner} to communicate with other Azure services, such as Azure Key Vault or Azure Blob Storage. For this, you use an Azure managed identity, as described below. The managed identity is linked to a container app, allowing the app to act as that identity whenever it performs an action that needs authentication, such as downloading a file from Azure Blob Storage. The {m_runner} is told which identity to use through an environment variable.

This process requires the following configuration steps:

1. [Create a managed identity](#create-a-managed-identity).
2. [Assign the managed identity to roles](#assign-the-managed-identity-to-roles).
3. [Link the managed identity and a container app](#link-the-managed-identity-and-a-container-app).
4. [Set the Azure client ID environment variable](#set-the-azure-client-id-environment-variable).

<Note>
  Using pre-created managed identities and custom roles allows for more granular control over permissions.
</Note>

If your container app itself has been deployed by the ARM template, and you do not want to use an existing managed identity, you do not need to take any action. The template will create and assign a managed identity to the container app with the correct roles.

For more information on the use of managed identities, read [Manage user-assigned managed identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp) in the Microsoft documentation.

***

## Create a managed identity

1. Log in to the [Azure Portal](https://portal.azure.com/#home).
2. Use the search bar to search for "managed identities", and click the **Managed Identities** result.
3. Click **+ Create**.
4. Select a **Resource group** and choose a **Name** for the managed identity.
5. If your organization has a policy that mandates managed identity tags, click **Tags** and assign tags as required.
6. Click **Review + create**, and then click **Create** if you are satisfied with your managed identity configuration.

***

## Assign the managed identity to roles

1. Use the search bar to search for "resource groups", and click the **Resource groups** result.
2. Select the resource group you used for your managed identity.
3. In the resource group, click **Access control (IAM)**.
4. Click **+ Add** then **Add role assignment**.
5. Search for the role you want to assign to the managed identity, click it to select it, then click **Next**.
6. On the **Members** tab, click **Managed identity**, and then click **+ Select members**.
7. In the **Select managed identities** panel, select **User-assigned managed identity** from the **Managed identity** drop-down, and click the required identity in the resulting list.
8. Click **Select**, and the selection will be added to the **Members** list in the main panel.
9. Click **Review + assign**.

Repeat steps 4 to 9 for each additional role you want to assign to the managed identity.

***

## Link the managed identity and a container app

1. Use the search bar to search for "container apps", and click the **Container Apps** result.
2. Select the container app you want to link.
3. Click **Settings** → **Identity**.
4. Click the **User assigned** tab, then click **+ Add**.
5. In the **Add user assigned managed identity** panel, select the identities that you want to link, then click **Add**.

***

## Set the Azure client ID environment variable

With the managed identity and container app linked, you now need to provide the Azure client ID to the {m_runner}, so that the {m_runner} can use it to authenticate. The {m_runner} looks for the client ID in an environment variable called `AZURE_CLIENT_ID`.

1. Use the search bar to search for "managed identities", and click the **Managed Identities** result.
2. Select the managed identity you created previously.
3. Copy the **Client ID** displayed on the managed identity **Overview** page.

If creating the container manually for the first time, add the `AZURE_CLIENT_ID` environment variable at the same time as you add other environment variables (such as `AGENT_ID`). Read [{m_runner} installation using an ARM template](/docs/guides/azure-arm-runner-install) for details.

If editing an existing container app, add the **Client ID** value as follows:

1. Use the search bar to search for "container apps", and click the **Container Apps** result.

2. Select the container app you want to edit.

3. Click **Application** → **Containers**, and then click **Edit and deploy**.

4. Click the name of the container in the **Container image** list.

5. In the **Edit a container** panel, scroll down to **Environment variables**, and click **+ Add**.

6. Complete the following fields:

   * **Name:** Enter **AZURE\_CLIENT\_ID**.
   * **Source:** Select **Manual entry**.
   * **Value:** Paste the **Client ID** you copied from the managed identity.

7. Click **Save**.
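As an added check (not part of this page or the {m_runner} itself), the following Python verifies the outcome of the four steps above against the JSON that `az containerapp show -o json` returns: the app must carry a user-assigned identity, and every container's `AZURE_CLIENT_ID` must be a GUID that matches one of the linked identities. The sample JSON is constructed; the subscription, resource names and GUIDs are placeholders.

```python
import json
import re

# Client IDs are GUIDs; anything else will never authenticate.
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample in the shape of `az containerapp show -o json`, trimmed to the
# fields this check needs. Subscription, identity names and GUIDs are placeholders.
SAMPLE_APP_JSON = """{
  "name": "maia-runner",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-maia/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-maia-runner": {
        "clientId": "11111111-2222-3333-4444-555555555555"
      }
    }
  },
  "properties": {"template": {"containers": [{
    "name": "runner",
    "env": [{"name": "AGENT_ID", "value": "agent-123"},
            {"name": "AZURE_CLIENT_ID", "value": "11111111-2222-3333-4444-555555555555"}]
  }]}}
}"""


def check_identity_wiring(app_json: str) -> list:
    """Return a list of problems; an empty list means identity and env var agree."""
    app = json.loads(app_json)
    problems = []
    identity = app.get("identity") or {}
    # Step 3 of the guide: the app must carry a user-assigned identity.
    if "UserAssigned" not in str(identity.get("type", "")):
        problems.append("no user-assigned identity is linked to the container app")
    linked = {v.get("clientId") for v in (identity.get("userAssignedIdentities") or {}).values()}
    # Step 4 of the guide: each container needs AZURE_CLIENT_ID set by manual entry
    # (a secretRef-backed entry has no "value" and is reported as unset here).
    for c in app.get("properties", {}).get("template", {}).get("containers", []):
        env = {e.get("name"): e.get("value") for e in c.get("env", [])}
        cid = env.get("AZURE_CLIENT_ID")
        name = c.get("name", "?")
        if cid is None:
            problems.append(f"container {name}: AZURE_CLIENT_ID is not set")
        elif not GUID_RE.match(cid):
            problems.append(f"container {name}: AZURE_CLIENT_ID is not a GUID")
        elif cid not in linked:
            problems.append(f"container {name}: AZURE_CLIENT_ID does not match any linked identity")
    return problems


if __name__ == "__main__":
    print(check_identity_wiring(SAMPLE_APP_JSON) or ["ok: identity and AZURE_CLIENT_ID agree"])
```

A mismatch between `AZURE_CLIENT_ID` and the linked identity is the usual cause of token acquisition failures after editing an existing container app, so this is worth running before redeploying.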
