Application Security Groups, Deployments and YAML, Exams of Microsoft AZ-304, Microsoft AZ-304 Certifications, What to watch out for

Using managed identities – Building Application Security

by Katie Campbell

In the previous section, we looked at working with security principals that can provide programmatic access to key vaults from our applications. There are a couple of problems with them – you must generate and provide a client ID and secret, and you must manage the rotation of those secrets yourself.
Managed identities provides a similar access option but is fully managed by Azure – there is no need to generate IDs or passwords; you set the appropriate access through role-based access controls. The managed identity mechanism can also be used to provide access to the following:
• Azure Data Lake
• Azure SQL
• Azure Storage (Blobs and Queues)
• Azure Analysis Services
• Azure Event Hubs
• Azure Service Bus

We have the option of using either a system-assigned or user-assigned identity. System-assigned is the easiest route – and is ideal for simple scenarios – but they are tied to the resource in question – that is, a virtual machine or web app. User-assigned identities are discrete objects and can be assigned to multiple resources – this can be useful if your application uses numerous components to give them all the same managed identity.

As well as Web Apps and Virtual Machines, the following services can also be set to use managed identities:
• Azure Functions
• Azure Logic Apps
• Azure Kubernetes Service
• Azure Data Explorer
• Azure Data Factory

As with security principals, working through using a managed identity is the easiest way to understand it.

Assigning a managed identity

In the next example, we will modify the web app we created in the Working with security principals section to use a managed identity instead:

  1. Navigate to the Azure portal at https://portal.azure.com.
  2. In the top search bar, search for and select App Services.
  3. Select your web app – for example, packtpub-secureapp.
  4. On the left-hand menu, click Identity.
  5. System assigned is the default identity type; set the status to On as in the following example:

Figure 6.18 – Setting the app identity

  1. Click Save.
  2. In the top search bar, search for and select Key vaults.
  3. Click on your key vault.
  4. On the left-hand menu, click Access policies.
  5. Click Add Access Policy.
  6. Click the drop-down list next to Configure from template and choose Secret Management.
  7. Under Select Principal, click None selected. Search for the name of the web app you created earlier in Deploying a web app – in our example, packtpub-secureapp.
  8. Click Add.
  9. Click Save.

With the managed identity set up on our web app, and the necessary policy linked in our key vault, we can update our code to use the identity instead of the security principal.