End-to-end guide: containerizing Backstage, provisioning Azure resources (with Bicep & CLI), enabling Microsoft Entra (formerly Azure AD) sign-in, managing secrets, scaling, observing, troubleshooting, and cleaning up — all aligned with current Azure best practices (managed identities, least privilege, and no hard‑coded secrets). Why Backstage + Azure Container Apps Backstage centralizes your internal developer portal (catalog,… Continue reading Backstage on Azure Container Apps with Microsoft Entra ID (Azure AD) Authentication
Tag: MSI
AKS Workload identity – A Deeper look
Background Recently, I found myself delving into the intricacies of Workload Identity Federation within Azure Kubernetes Service (AKS) while explaining it to some friends. As I delved deeper into the topic, I realized the importance of documenting and summarizing this information for anyone else navigating the same waters - including my future self. So, let's… Continue reading AKS Workload identity – A Deeper look
Azure Communication Service with Managed Identity
Background A few months ago, I have written a Demo application that shows how to send email and SMS via Azure Communication Service. The code was written in Spring Boot (Java) and hosted on Azure Container Apps. During the demo, I have used Connection strings of Azure Communication Service which is not ideal for production… Continue reading Azure Communication Service with Managed Identity
Azure DevOps Container agents without PAT
Azure DevOps now supports Service principals and Managed identities for authentication. This is currently (at the time of writing) in Public Preview. This is quite an interesting feature and addresses many concerns related to personal access tokens (PATs). I have a self-hosted container agent runs on Docker which needs PAT to spin up. With the new development… Continue reading Azure DevOps Container agents without PAT
Demystifying Azure Container Apps & Dapr – Part 5
Read Part 1 here. Read Part 2 here. Read Part 3 here. Read Part 4 here. Today I will be using the traffic-splitting capability of Azure Container Apps. Azure Container Apps implements container app versioning by creating revisions. A revision is an immutable snapshot of a container app version. Revisions in Azure Container App The… Continue reading Demystifying Azure Container Apps & Dapr – Part 5
Demystifying Azure Container Apps & Dapr – Part 4
Read Part 1 here. Read Part 2 here. Read Part 3 here. Last time, I wrote the backend service (JobListener) which gets triggered by the Dapr pubsub whenever an image is uploaded into the designated blob container in the storage account. It then uses Computer Vision APIs to do the image recognition. Today we will… Continue reading Demystifying Azure Container Apps & Dapr – Part 4
Key Vault as backing store of Azure Functions
If you have used Azure function, you probably are aware that Azure Functions leverages a Storage Account underneath to support the file storage (where the function app code resides as Azure File share) and also as a backing store to keep Functions Keys (the secrets that are used in Function invocations). Figure: Storage Account containers… Continue reading Key Vault as backing store of Azure Functions
Zero-Secret application development with Azure Managed Service Identity
Committing the secrets along with application codes to a repository is one of the most commonly made mistakes by many developers. This can get nasty when an application is developed for Cloud deployment. You probably have read the story of checking in AWS S3 secrets to GitHub. The developer corrected the mistake in 5 mins,… Continue reading Zero-Secret application development with Azure Managed Service Identity
Reverse Engineering 