Authentication (preview) - Azure Monitor Application Insights for Java
[!NOTE] The Authentication feature is in preview. This feature is available only in version 3.2.0 and later.
The Application Insights Java agent takes a dependency on Azure Identity library which focuses on OAuth authentication with Azure Active Directory(AAD). This library offers different kinds of credential classes which are capable of acquiring an AAD token to authenticate service requests. It is the responsibility of the user of the Java agent to provide the necessary details for the agent to build the TokenCredentials required for authentication with AAD.
Prerequisites
We assume users to be familiar with the following articles before enabling authentication with AAD.
- Managed Identities for Azure resources.
- Assign Azure roles using the Azure portal.
Steps to enable AAD authentication
Following are the high level view of the steps involved in enabling AAD authentication on Java agent to securely send telemetry to Azure Application Insights resource:
- The first step depends on the type of authentication used by the user.
- If using System assigned managed identity or User assigned managed identity, follow these steps to configure managed identities for Azure resources on a VM using azure portal.
- If using service principal, follow these steps to create an Azure AD application and service principal that can access resources. We recommend to use this type of authentication only during development.
- Follow these steps to add
"Monitoring Metrics Publisher"role from the Application Insights resource to the Azure resource from which the telemetry is sent. - Add the authentication related configuration to the ApplicationInsights.json configuration file.
- Follow these steps to create a Application Insights resource with
"DisableLocalAuth=true"setting.
Supported types of authentication
The following are types of authentication that are supported by Java agent. We recommend users to use managed identities, since the ultimate goal is to eliminate secrets and also to eliminate the need for developers to manage credentials.
System Assigned Managed Identity
Here is an example on how to configure Java agent to use system assigned managed identity for authentication with AAD.
"preview" : {
"authentication" : {
"enabled": true,
"type": "SAMI"
}
}
User Assigned Managed Identity
Here is an example on how to configure Java agent to use user assigned managed identity for authentication with AAD.
"preview" : {
"authentication" : {
"enabled": true,
"type": "UAMI",
"clientId":"<USER ASSIGNED MANAGED IDENTITY CLIENT ID>"
}
}
Client Secret
Here is an example on how to configure Java agent to use service principal for authentication with AAD. We recommend users to use this type of authentication only during development. The ultimate goal of adding authentication feature is to eliminate secrets.
"preview" : {
"authentication" : {
"enabled": true,
"type": "CLIENTSECRET",
"clientId":"<YOUR CLIENT ID>",
"clientSecret":"<YOUR CLIENT SECRET>",
"tenantId":"<YOUR TENANT ID>"
}
}
Steps to create Application Insights resource using a template
[!NOTE] As of today Application Insights UI donot support adding the
"DisableLocalAuth=true"to the resource. The following steps might change when this feature is enabled in UI
- Search for
"Templates"in Azure Portal and create a new template. - Paste the following template in the template creation page.
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"regionId": {
"type": "string"
},
"tagsArray": {
"type": "object"
},
"requestSource": {
"type": "string"
},
"workspaceResourceId": {
"type": "string"
}
},
"resources": [
{
"name": "[parameters('name')]",
"type": "microsoft.insights/components",
"location": "[parameters('regionId')]",
"tags": "[parameters('tagsArray')]",
"apiVersion": "2020-02-02-preview",
"dependsOn": [],
"properties": {
"ApplicationId": "[parameters('name')]",
"Application_Type": "[parameters('type')]",
"Flow_Type": "Redfield",
"Request_Source": "[parameters('requestSource')]",
"WorkspaceResourceId": "[parameters('workspaceResourceId')]",
"DisableLocalAuth": true
}
}
]
}
- Once the template is created, click on
deploy. This will take you to a menu where the user can edit both the template and parameters. - Click on
Edit parametersand paste the following json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"type": {
"value": "web"
},
"name": {
"value": "Your Application Insights Resource name"
},
"regionId": {
"value": "Your desired region(for example:westus2)"
},
"tagsArray": {
"value": {}
},
"requestSource": {
"value": "CustomDeployment"
},
"workspaceResourceId": {
"value": "Your workspace resource Id"
}
}
}
- Follow these steps to get the correct workspace resource id.
- Click on purchase/deploy to create the application insights resource
Steps to get workspaceResourceId
- Follow these steps to create a workspace based Application Insights resource. During the last step of creation do not click on
Create. - Click
'Download a template for automation', which will take you to a sample template. - Click on
'Parameters'tab, copy the "workspaceResourceId" from this resource and use it in the template creation.