-
Login and set subscription
$ az login
$ az account set -s "mysubscription"
-
Create resource group
$ az group create --name demo-rg --location westus
-
Create Service Principal
$ az ad sp create-for-rbac --name "demo-sp"
{
  "appId": "xxx-sp-app-id-xxx",
  "displayName": "demo-sp",
  "name": "http://demo",
  "password": "xxx-password-xxx",
  "tenant": "xxx-tenant-xxx"
}
The password field is the Service Principal's client secret and is printed only once; treat it like any other credential and keep it out of source control and shell history.
-
Create Key Vault
$ az keyvault create --name demo-keyvault --resource-group demo-rg
-
Grant permission to demo-sp
$ az keyvault set-policy --name demo-keyvault \
    --secret-permissions set get list delete \
    --spn "xxx-sp-app-id-xxx"
Note: set and delete are more than an application that only reads secrets needs; get and list are enough for that, and they are all the managed identity is granted further down. Grant the wider set only if this principal is also used to manage the vault's contents.
-
Add secret to Key Vault
$ az keyvault secret set --vault-name demo-keyvault \
    --name your-key \
    --value your-value
-
In application.properties set
# Specify if Key Vault should be used to retrieve secrets.
azure.keyvault.enabled=true
# Specify the URI of your Key Vault (e.g.: https://name.vault.azure.net/).
azure.keyvault.uri=https://demo-keyvault.vault.azure.net/
# Specify the Service Principal Client ID with access to your Key Vault.
azure.keyvault.client-id=xxx-sp-app-id-xxx
# Specify the Service Principal Client Secret.
azure.keyvault.client-key=xxx-password-xxx
client-key is the password from the create-for-rbac output above. Putting it in application.properties places a live credential in the source tree; for local runs it is safer to leave that line out of the file and pass the value through the environment instead (AZURE_KEYVAULT_CLIENT_KEY, the same relaxed-binding mapping this page later uses for AZURE_KEYVAULT_URI). The App Service sections below avoid the problem entirely by using a managed identity, so no client secret exists at all.
-
Run application
$ mvn clean package
$ mvn spring-boot:run
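The local steps above, as an added example script that is not part of the original page: it provisions the resource group, vault and Service Principal, parses the create-for-rbac output, and hands the client id and secret to Spring Boot through the environment so that application.properties never contains the password. It assumes Spring Boot's relaxed binding maps AZURE_KEYVAULT_CLIENT_ID and AZURE_KEYVAULT_CLIENT_KEY to azure.keyvault.client-id and client-key (the same mapping the page relies on for AZURE_KEYVAULT_URI); the resource names are the page's own, and the JSON sample is constructed to match the output shown above.

```shell
#!/bin/sh
# Added example (not from the original page): local run with the Service
# Principal, keeping its password out of application.properties.
# Assumes Spring Boot relaxed binding, so AZURE_KEYVAULT_CLIENT_ID and
# AZURE_KEYVAULT_CLIENT_KEY bind to azure.keyvault.client-id/client-key
# (the same mapping this page uses for AZURE_KEYVAULT_URI).
# Resource names (demo-rg, demo-keyvault, demo-sp) are the page's own.
set -eu

# Constructed sample in the shape `az ad sp create-for-rbac` prints.
SAMPLE_SP_JSON='{
  "appId": "xxx-sp-app-id-xxx",
  "displayName": "demo-sp",
  "name": "http://demo",
  "password": "xxx-password-xxx",
  "tenant": "xxx-tenant-xxx"
}'

# Pull one string field out of that single-object JSON (no jq needed).
json_field() {
    # $1 = JSON text, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Quote a value so it survives `eval` unchanged, even with spaces or quotes.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Turn the SP JSON into `export` lines; use with: eval "$(sp_to_env "$JSON")"
sp_to_env() {
    app_id=$(json_field "$1" appId)
    password=$(json_field "$1" password)
    if [ -z "$app_id" ] || [ -z "$password" ]; then
        echo "sp_to_env: appId or password missing from input" >&2
        return 1
    fi
    printf 'export AZURE_KEYVAULT_CLIENT_ID=%s\n' "$(shell_quote "$app_id")"
    printf 'export AZURE_KEYVAULT_CLIENT_KEY=%s\n' "$(shell_quote "$password")"
}

# application.properties then carries only non-secret settings.
write_properties() {
    # $1 = output path, $2 = Key Vault URI
    printf 'azure.keyvault.enabled=true\nazure.keyvault.uri=%s\n' "$2" > "$1"
}

# Guard for a pre-commit hook: succeeds (exit 0) when a secret leaked in.
properties_has_secret() {
    grep -q '^azure\.keyvault\.client-key=' "$1"
}

# The real flow (needs `az login`); run as: sh this.sh provision
provision() {
    az group create --name demo-rg --location westus >/dev/null
    az keyvault create --name demo-keyvault --resource-group demo-rg >/dev/null
    eval "$(sp_to_env "$(az ad sp create-for-rbac --name demo-sp -o json)")"
    # Read-only is all an app that only fetches secrets needs.
    az keyvault set-policy --name demo-keyvault --spn "$AZURE_KEYVAULT_CLIENT_ID" \
        --secret-permissions get list >/dev/null
    write_properties src/main/resources/application.properties \
        https://demo-keyvault.vault.azure.net/
    mvn clean package && mvn spring-boot:run
}

if [ "${1:-}" = provision ]; then
    provision
else
    # Dry run on the constructed sample: nothing under src/ is touched.
    eval "$(sp_to_env "$SAMPLE_SP_JSON")"
    echo "client id from env: $AZURE_KEYVAULT_CLIENT_ID (secret stays in the environment)"
fi
```

Without an argument the script only exercises the parsing on the constructed sample; `sh script.sh provision` runs the real az commands. The policy it grants is get/list rather than the page's set/get/list/delete, because the Spring application only reads secrets.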
-
Create Azure Container Registry (for App Service to pull image from)
$ az acr create --name demoacr \
    --resource-group demo-rg \
    --sku Basic \
    --admin-enabled true \
    --location westus
--admin-enabled true turns on the registry's single admin account, a shared username/password with full push and pull rights. It keeps this demo short; outside a demo, leave the admin account disabled and let App Service and your build pipeline pull with a managed identity or a narrowly scoped service principal.
-
Create App Service plan
$ az appservice plan create --name demo-plan \
    --resource-group demo-rg \
    --sku B1 \
    --is-linux
-
Create App Service
$ az webapp create --resource-group demo-rg \
    --plan demo-plan \
    --name demo-app \
    --deployment-container-image-name demoacr.azurecr.io/demo:test
-
Assign identity to App Service
$ az webapp identity assign --name demo-app \
    --resource-group demo-rg
The command prints the system-assigned identity as JSON; its principalId is the object id used in the next step.
-
Grant permission to MSI
$ az keyvault set-policy --name demo-keyvault \
    --object-id your-managed-identity-objectId \
    --secret-permissions get list
Replace your-managed-identity-objectId with the principalId printed above. The identity gets get and list only: the application reads secrets and never needs to write or delete them.
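The identity steps above, as an added example script that is not part of the original page. It captures the principalId directly from az instead of copying it by hand, refuses to call set-policy unless that value is a well-formed GUID, sets the vault URI as an Application Setting and restarts the app, then reads the access policy back to confirm it is get/list only. It serves both this container deployment and the executable-JAR deployment later on the page, which grant the identity the same policy. The resource names are the page's own; the read-back relies on the accessPolicies array in the output of az keyvault show.

```shell
#!/bin/sh
# Added example (not from the original page): wire the App Service's
# system-assigned identity to Key Vault without copying the object id by
# hand. Applies to both the container and the executable-JAR deployments
# on this page, which grant the identity the same read-only policy.
# Resource names (demo-app, demo-rg, demo-keyvault) are the page's own.
set -eu

# `az webapp identity assign` prints a JSON object whose principalId is the
# object id Key Vault expects. Accept only a well-formed GUID so an empty or
# error string never becomes an --object-id argument.
is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Vault URI the app reads from AZURE_KEYVAULT_URI.
vault_uri() {
    printf 'https://%s.vault.azure.net/\n' "$1"
}

# Real flow (needs `az login`): assign identity, grant get/list, point the
# app at the vault, restart so the new setting and identity take effect.
grant_msi_read() {
    # $1 = web app name, $2 = resource group, $3 = Key Vault name
    principal_id=$(az webapp identity assign --name "$1" --resource-group "$2" \
        --query principalId -o tsv)
    if ! is_guid "$principal_id"; then
        echo "grant_msi_read: unexpected principalId '$principal_id'" >&2
        return 1
    fi
    # get/list only: the app reads secrets, it never writes or deletes them.
    az keyvault set-policy --name "$3" --object-id "$principal_id" \
        --secret-permissions get list >/dev/null
    az webapp config appsettings set --name "$1" --resource-group "$2" \
        --settings "AZURE_KEYVAULT_URI=$(vault_uri "$3")" >/dev/null
    az webapp restart --name "$1" --resource-group "$2"
}

# Read-back check: prints the secret permissions granted to one object id,
# taken from the accessPolicies array that `az keyvault show` returns.
show_policy() {
    # $1 = Key Vault name, $2 = object id
    az keyvault show --name "$1" \
        --query "properties.accessPolicies[?objectId=='$2'].permissions.secrets" -o tsv
}

if [ "${1:-}" = grant ]; then
    grant_msi_read demo-app demo-rg demo-keyvault
    show_policy demo-keyvault "$(az webapp identity show --name demo-app \
        --resource-group demo-rg --query principalId -o tsv)"
else
    # Offline check on a constructed object id; no az call is made.
    is_guid 12345678-abcd-4ef0-8123-456789abcdef && echo "sample object id is a GUID"
    vault_uri demo-keyvault
fi
```

Run it as `sh script.sh grant` once the app exists; with no argument it only exercises the GUID check on a constructed value. If the read-back prints anything other than get and list, the vault carries a wider policy than the application needs.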
-
In application.properties set
# Specify if Key Vault should be used to retrieve secrets.
azure.keyvault.enabled=true
# Specify the URI of your Key Vault (e.g.: https://name.vault.azure.net/).
azure.keyvault.uri=https://demo-keyvault.vault.azure.net/
No client id or client key is needed here: the managed identity authenticates the app to Key Vault.
Or, if you prefer, set the URI via Application Settings:
$ az webapp config appsettings set \
    --name demo-app \
    --resource-group demo-rg \
    --settings \
    "AZURE_KEYVAULT_URI=https://demo-keyvault.vault.azure.net/"
-
Build docker image and push
$ mvn clean package
$ docker build -t demoacr.azurecr.io/demo:test .
$ docker push demoacr.azurecr.io/demo:test
The push needs a registry login first (az acr login, or docker login with the registry credentials).
-
Add config to App Service
$ az webapp config appsettings set --resource-group demo-rg \
    --name demo-app \
    --settings WEBSITES_PORT=8080
WEBSITES_PORT tells App Service which port the container listens on (Spring Boot's default is 8080).
-
Restart App Service
-
Enable App Service logs and Stream log
$ az webapp log tail --name demo-app --resource-group demo-rg
See the related documentation links at the end of this page for details.
-
Create App Service
-
Assign identity to App Service
$ az webapp identity assign --name demo-app \
    --resource-group demo-rg
The command prints the system-assigned identity as JSON; its principalId is the object id used in the next step.
-
Grant permission to MSI
$ az keyvault set-policy --name demo-keyvault \
    --object-id your-managed-identity-objectId \
    --secret-permissions get list
Replace your-managed-identity-objectId with the principalId printed above; get and list are all a read-only application needs.
-
Deploy executable JAR file to App Service
Attention: if you're using FTP/S, the executable JAR must be named app.jar.
-
In application.properties set
# Specify if Key Vault should be used to retrieve secrets.
azure.keyvault.enabled=true
# Specify the URI of your Key Vault (e.g.: https://name.vault.azure.net/).
azure.keyvault.uri=https://demo-keyvault.vault.azure.net/
No client id or client key is needed here: the managed identity authenticates the app to Key Vault.
Or, if you prefer, set the URI via Application Settings:
$ az webapp config appsettings set \
    --name demo-app \
    --resource-group demo-rg \
    --settings \
    "AZURE_KEYVAULT_URI=https://demo-keyvault.vault.azure.net/"
-
Restart App Service
-
Enable App Service logs and Stream log
$ az webapp log tail --name demo-app --resource-group demo-rg
-
Check this URL in browser
https://demo-app.azurewebsites.net/get
-
Related documentation
Run a custom Linux container in Azure App Service
How to use managed identities for App Service and Azure Functions