Use managed identities for Azure Load Testing

This article shows how to create a managed identity for Azure Load Testing. You can use a managed identity to securely read secrets or certificates from Azure Key Vault in your load test.

A managed identity from Microsoft Entra ID allows your load testing resource to easily access Microsoft Entra protected Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to manage or rotate any secrets. For more information about managed identities in Microsoft Entra ID, see Managed identities for Azure resources.

Azure Load Testing supports two types of identities:

  • A system-assigned identity is associated with your load testing resource and is deleted when your resource is deleted. A resource can only have one system-assigned identity.
  • A user-assigned identity is a standalone Azure resource that you can assign to your load testing resource. When you delete the load testing resource, the managed identity remains available. You can assign multiple user-assigned identities to the load testing resource.

Currently, you can only use the managed identity for accessing Azure Key Vault.

Prerequisites

  • An Azure account with an active subscription. If you don't have an Azure subscription, create a free account before you begin.
  • An Azure load testing resource. If you need to create an Azure load testing resource, see the quickstart Create and run a load test.
  • To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

Assign a system-assigned identity to a load testing resource

To assign a system-assigned identity for your Azure load testing resource, enable a property on the resource. You can set this property by using the Azure portal or by using an Azure Resource Manager (ARM) template.

To set up a managed identity in the portal, you first create an Azure load testing resource and then enable the feature.

  1. In the Azure portal, go to your Azure load testing resource.

  2. On the left pane, select Identity.

  3. In the System assigned tab, switch Status to On, and then select Save.

    Screenshot that shows how to assign a system-assigned managed identity for Azure Load Testing in the Azure portal.

  4. On the confirmation window, select Yes to confirm the assignment of the managed identity.

  5. After this operation completes, the page shows the Object ID of the managed identity, and lets you assign permissions to it.

    Screenshot that shows the system-assigned managed identity information for a load testing resource in the Azure portal.

Assign a user-assigned identity to a load testing resource

Before you can add a user-assigned managed identity to an Azure load testing resource, you must first create this identity in Microsoft Entra ID. Then, you can assign the identity by using its resource identifier.

You can add multiple user-assigned managed identities to your resource. For example, if you need to access multiple Azure resources, you can grant different permissions to each of these identities.

  1. Create a user-assigned managed identity by following the instructions mentioned in Create a user-assigned managed identity.

    Screenshot that shows how to create a user-assigned managed identity in the Azure portal.

  2. In the Azure portal, go to your Azure load testing resource.

  3. On the left pane, select Identity.

  4. Select the User assigned tab, and select Add.

  5. Search and select the managed identity you created previously. Then, select Add to add it to the Azure load testing resource.

    Screenshot that shows how to turn on user-assigned managed identity for Azure Load Testing.

Configure target resource

You might need to configure the target resource to allow access from your load testing resource. For example, if you read a secret or certificate from Azure Key Vault, or if you use customer-managed keys for encryption, you must also add an access policy that includes the managed identity of your resource. Otherwise, your calls to Azure Key Vault are rejected, even if you use a valid token.