Connecting to Application Insights with Managed Service Identities
Overview
A lot of services can drop data into Application Insights - Azure VMs, Azure App Services, Azure Functions, custom web services and on-premise services. Getting access to this data typically requires an API key though, which can add complexity. If you don’t want to deal with managing a secret, you can also use Azure AD authentication. This will allow you to access the API using the identity your Azure VM, Function or App Service is running as.
NuGet Packages
Microsoft.Azure.ApplicationInsights
Microsoft.Azure.Services.AppAuthentication
Microsoft.Rest.ClientRuntime
Method
Rather than generating an API key, we’ll get an access token for the Application Insights resource (https://api.applicationinsights.io/
) and pass those as TokenCredentials.
Sample Code
1
2
3
4
5
6
7
8
9
10
public static async Task<ApplicationInsightsDataClient>
CreateDataClientAsync(string appId, string tenantId)
{
var ApplicationInsightsResource = "https://api.applicationinsights.io/"
var tokenProvider = new AzureServiceTokenProvider();
var accessToken = await tokenProvider.GetAccessTokenAsync(ApplicationInsightsResource, tenantId);
var wrappedTokenCredentials = new TokenCredentials(accessToken);
return new ApplicationInsightsDataClient(wrappedTokenCredentials) { AppId = appId };
}
Notes
- I’ve found that
tenantId
needs to be specified - unlike other services, it can’t be left blank. appId
is not the instrumentation key. There are two ways to find this:- In the Azure portal, open your Application Insights resource, select the “API Access” section and use the “Application ID” field.
- In an Azure Resource Manager template, this is the
AppId
property of a component of typeMicrosoft.Insights/components
. API version 2015-05-01 and higher should work.
Wrapping Up
Use Azure’s standard RBAC mechanisms to add your application’s Managed Service Identity to the Application Insights resource’s Reader role.