DAPR Azure Integration

This skill helps configure Azure services as DAPR components with production-ready configurations and managed identity support.

When to Use

Claude automatically uses this skill when:

User mentions Azure services (Cosmos DB, Service Bus, etc.)
Deploying DAPR apps to Azure Container Apps or AKS
Setting up managed identity authentication
Configuring Azure-specific DAPR components

Azure Component Configurations

Azure Cosmos DB (State Store)

Best for: Global distribution, strong consistency, document storage

# components/statestore-cosmosdb.yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: statestore
spec:
  type: state.azure.cosmosdb
  version: v1
  metadata:
  # Connection
  - name: url
    value: https://{account}.documents.azure.com:443/
  - name: database
    value: daprdb
  - name: collection
    value: state

  # Authentication (Managed Identity - Recommended)
  - name: azureClientId
    value: "{managed-identity-client-id}"

  # OR Connection String (Development only)
  # - name: masterKey
  #   secretKeyRef:
  #     name: cosmos-secrets
  #     key: masterKey

  # Performance settings
  - name: actorStateStore
    value: "true"
  - name: partitionKey
    value: "/partitionKey"

  # Consistency
  - name: consistencyLevel
    value: "Strong"  # or Session, Eventual

Prerequisites:

# Create Cosmos DB account
az cosmosdb create \
  --name mycosmosaccount \
  --resource-group myapp-rg \
  --kind GlobalDocumentDB

# Create database and container
az cosmosdb sql database create \
  --account-name mycosmosaccount \
  --resource-group myapp-rg \
  --name daprdb

az cosmosdb sql container create \
  --account-name mycosmosaccount \
  --resource-group myapp-rg \
  --database-name daprdb \
  --name state \
  --partition-key-path /partitionKey

Azure Service Bus (Pub/Sub)

Best for: Enterprise messaging, ordered delivery, dead-letter support

# components/pubsub-servicebus.yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: pubsub
spec:
  type: pubsub.azure.servicebus.topics
  version: v1
  metadata:
  # Authentication (Managed Identity - Recommended)
  - name: namespaceName
    value: "{namespace}.servicebus.windows.net"
  - name: azureClientId
    value: "{managed-identity-client-id}"

  # OR Connection String
  # - name: connectionString
  #   secretKeyRef:
  #     name: servicebus-secrets
  #     key: connectionString

  # Consumer settings
  - name: consumerID
    value: "{app-id}"
  - name: maxActiveMessages
    value: "100"
  - name: maxConcurrentHandlers
    value: "10"
  - name: lockRenewalInSec
    value: "60"

  # Retry settings
  - name: maxRetriableErrorsPerSec
    value: "10"
  - name: maxDeliveryCount
    value: "10"

Prerequisites:

# Create Service Bus namespace
az servicebus namespace create \
  --name myservicebus \
  --resource-group myapp-rg \
  --sku Standard

# Create topic
az servicebus topic create \
  --namespace-name myservicebus \
  --resource-group myapp-rg \
  --name orders

Azure Key Vault (Secret Store)

Best for: Centralized secret management, rotation, HSM support

# components/secretstore-keyvault.yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: secretstore
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "{vault-name}"

  # Authentication (Managed Identity - Recommended)
  - name: azureClientId
    value: "{managed-identity-client-id}"

  # OR Service Principal
  # - name: azureTenantId
  #   value: "{tenant-id}"
  # - name: azureClientId
  #   value: "{client-id}"
  # - name: azureClientSecret
  #   secretKeyRef:
  #     name: azure-sp
  #     key: client-secret

Prerequisites:

# Create Key Vault
az keyvault create \
  --name myvault \
  --resource-group myapp-rg \
  --location eastus

# Grant managed identity access
az keyvault set-policy \
  --name myvault \
  --object-id {managed-identity-object-id} \
  --secret-permissions get list

Azure Blob Storage (Binding)

Best for: File storage, large objects, cold storage

# components/binding-blobstorage.yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: blobstore
spec:
  type: bindings.azure.blobstorage
  version: v1
  metadata:
  - name: accountName
    value: "{storage-account}"
  - name: containerName
    value: "{container-name}"

  # Authentication (Managed Identity - Recommended)
  - name: azureClientId
    value: "{managed-identity-client-id}"

  # OR Access Key
  # - name: accountKey
  #   secretKeyRef:
  #     name: storage-secrets
  #     key: accountKey

  # Settings
  - name: decodeBase64
    value: "false"
  - name: getBlobRetryCount
    value: "3"

Azure Event Grid (Binding)

Best for: Event routing, serverless triggers, multi-subscriber

# components/binding-eventgrid.yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: eventgrid
spec:
  type: bindings.azure.eventgrid
  version: v1
  metadata:
  - name: tenantId
    value: "{tenant-id}"
  - name: subscriptionId
    value: "{subscription-id}"
  - name: resourceGroupName
    value: "{resource-group}"
  - name: subscriberEndpoint
    value: "https://{app-url}/eventgrid"
  - name: handshakePort
    value: "8080"
  - name: scope
    value: "/subscriptions/{sub}/resourceGroups/{rg}"

  # Authentication
  - name: azureClientId
    value: "{managed-identity-client-id}"

Managed Identity Setup

For Azure Container Apps

# 1. Create user-assigned managed identity
az identity create \
  --name dapr-identity \
  --resource-group myapp-rg

# 2. Get identity details
IDENTITY_ID=$(az identity show -n dapr-identity -g myapp-rg --query id -o tsv)
CLIENT_ID=$(az identity show -n dapr-identity -g myapp-rg --query clientId -o tsv)

# 3. Assign to Container App
az containerapp identity assign \
  --name myapp \
  --resource-group myapp-rg \
  --user-assigned $IDENTITY_ID

# 4. Grant permissions to Azure resources
# Cosmos DB
az cosmosdb sql role assignment create \
  --account-name mycosmosaccount \
  --resource-group myapp-rg \
  --principal-id $(az identity show -n dapr-identity -g myapp-rg --query principalId -o tsv) \
  --role-definition-id "00000000-0000-0000-0000-000000000002"

# Service Bus
az role assignment create \
  --assignee $CLIENT_ID \
  --role "Azure Service Bus Data Sender" \
  --scope /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ServiceBus/namespaces/{ns}

az role assignment create \
  --assignee $CLIENT_ID \
  --role "Azure Service Bus Data Receiver" \
  --scope /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ServiceBus/namespaces/{ns}

# Key Vault
az keyvault set-policy \
  --name myvault \
  --object-id $(az identity show -n dapr-identity -g myapp-rg --query principalId -o tsv) \
  --secret-permissions get list

# Storage
az role assignment create \
  --assignee $CLIENT_ID \
  --role "Storage Blob Data Contributor" \
  --scope /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{sa}

For AKS with Workload Identity

# 1. Enable OIDC and Workload Identity on AKS
az aks update \
  --resource-group myapp-rg \
  --name myaks \
  --enable-oidc-issuer \
  --enable-workload-identity

# 2. Get OIDC issuer
AKS_OIDC_ISSUER=$(az aks show -n myaks -g myapp-rg --query oidcIssuerProfile.issuerUrl -o tsv)

# 3. Create federated credential
az identity federated-credential create \
  --name myapp-federated \
  --identity-name dapr-identity \
  --resource-group myapp-rg \
  --issuer $AKS_OIDC_ISSUER \
  --subject system:serviceaccount:default:myapp-sa

Container Apps DAPR Configuration

# Deploy with DAPR enabled
az containerapp create \
  --name order-service \
  --resource-group myapp-rg \
  --environment myenv \
  --image myregistry.azurecr.io/order-service:latest \
  --target-port 8000 \
  --ingress external \
  --dapr-enabled \
  --dapr-app-id order-service \
  --dapr-app-port 8000 \
  --user-assigned $IDENTITY_ID \
  --env-vars "AZURE_CLIENT_ID=$CLIENT_ID"

# Add DAPR component
az containerapp env dapr-component set \
  --name myenv \
  --resource-group myapp-rg \
  --dapr-component-name statestore \
  --yaml ./components/statestore-cosmosdb.yaml

Best Practices

Always use Managed Identity in production - never connection strings
Scope components to specific apps when they contain sensitive data
Use private endpoints for Azure services in production
Enable diagnostic logging on all Azure resources
Set appropriate consistency levels based on requirements
Configure auto-scaling based on KEDA scalers
Enable zone redundancy for high availability

Troubleshooting

Common Issues

"Unauthorized" errors:

Check managed identity has correct RBAC roles
Verify identity is assigned to the container app
Ensure AZURE_CLIENT_ID env var is set

"Resource not found":

Verify Azure resource exists
Check resource names in component YAML
Ensure correct subscription/resource group

Connection timeouts:

Check VNet/firewall rules
Verify private endpoint configuration
Check DNS resolution

dapr-azure-integration

DAPR Azure Integration

When to Use

Azure Component Configurations

Azure Cosmos DB (State Store)

Azure Service Bus (Pub/Sub)

Azure Key Vault (Secret Store)

Azure Blob Storage (Binding)

Azure Event Grid (Binding)

Managed Identity Setup

For Azure Container Apps

For AKS with Workload Identity

Container Apps DAPR Configuration

Best Practices

Troubleshooting

Common Issues

Related Skills