Using managed identities in web apps – Building Application Security

We will now replace the key vault configuration from the previous walk-through, which authenticated with a client ID and secret. This time, we will use an AzureServiceTokenProvider, which obtains tokens from the web app's assigned managed identity instead, so no credentials need to be stored in the application or its configuration:

  1. Open your web app in Visual Studio Code.
  2. Open a Terminal window within Visual Studio Code and enter the following to install an additional NuGet package:
    dotnet add package Microsoft.Azure.Services.AppAuthentication
  3. Open the Program.cs file and add the following using statements to the top of the file (the Microsoft.Azure.KeyVault and Microsoft.Extensions.Configuration.AzureKeyVault packages were installed in the previous walk-through):
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;
    using Microsoft.Extensions.Configuration.AzureKeyVault;
  4. Modify the CreateHostBuilder method as follows. Note that the KeyVaultClient built from the token provider must be passed into AddAzureKeyVault; otherwise, the configuration provider has no credential to authenticate with:
    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((ctx, builder) =>
            {
                // Obtains tokens from the web app's managed identity; no secret in code or config.
                var azureServiceTokenProvider = new AzureServiceTokenProvider();
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(
                        azureServiceTokenProvider.KeyVaultTokenCallback));
                builder.AddAzureKeyVault(
                    "https://packtpubkeyvault01.vault.azure.net/",
                    keyVaultClient,
                    new DefaultKeyVaultSecretManager());
            })
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
            });
  5. Open a Terminal window in Visual Studio Code to rebuild and republish the application by entering the following:
    dotnet build
    dotnet publish -c Release -o ./publish
  6. Next, right-click the publish folder and select Deploy Web App.
  7. Select your subscription and the web app to deploy to when prompted.
  8. Once deployed, browse to your website.

Your website reads the secret from the key vault as before; this time, however, it authenticates with the managed identity rather than a stored client ID and secret.
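The following Program.cs, added here as an example rather than code from the book, goes one step beyond the walk-through in two ways a practitioner would want. First, it passes an AppAuthentication connection string so that in Azure the provider uses only the managed identity ("RunAs=App") and fails fast if it is missing, while on a developer machine it falls back to the signed-in Azure CLI account. Second, it replaces DefaultKeyVaultSecretManager with a custom IKeyVaultSecretManager so that only secrets carrying an agreed name prefix are loaded, rather than every secret the identity can list. The vault URL is the one used in the walk-through; the "webapp" prefix, the namespace and the existing Startup class are assumptions. The packages are the ones the walk-through installed (Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication and Microsoft.Extensions.Configuration.AzureKeyVault are still available but have since been superseded by Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets).

```csharp
// Added example (not from the book): Program.cs that loads only the secrets this web app
// is meant to see from Key Vault, authenticating with the assigned managed identity.
// Assumed: namespace PacktWebApp, an existing Startup class, and the "webapp" name prefix.
using System;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.Extensions.Hosting;

namespace PacktWebApp
{
    // DefaultKeyVaultSecretManager loads every secret the identity can list, so every
    // secret in the vault ends up in the process's configuration. This manager loads
    // only secrets whose name starts with an agreed prefix and strips that prefix from
    // the configuration key.
    public class PrefixKeyVaultSecretManager : IKeyVaultSecretManager
    {
        private readonly string _prefix;

        public PrefixKeyVaultSecretManager(string prefix)
        {
            _prefix = prefix + "-";
        }

        // Called once per secret listed in the vault; returning false skips the fetch.
        public bool Load(SecretItem secret) =>
            secret.Identifier.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);

        // Maps the secret name to a configuration key, e.g. "webapp-Db--Password" -> "Db:Password".
        public string GetKey(SecretBundle secret) =>
            secret.SecretIdentifier.Name
                .Substring(_prefix.Length)
                .Replace("--", ConfigurationPath.KeyDelimiter);
    }

    public class Program
    {
        public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration((ctx, builder) =>
                {
                    // In Azure, "RunAs=App" forces the managed identity and fails fast if it
                    // is missing rather than silently falling back to another credential.
                    // On a developer machine, use the signed-in Azure CLI account, which must
                    // itself be granted Get and List on the vault's access policy.
                    var connectionString = ctx.HostingEnvironment.IsDevelopment()
                        ? "RunAs=Developer; DeveloperTool=AzureCli"
                        : "RunAs=App";

                    var tokenProvider = new AzureServiceTokenProvider(connectionString);
                    var keyVaultClient = new KeyVaultClient(
                        new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

                    // Vault URL from the walk-through; the "webapp" prefix is an assumption.
                    builder.AddAzureKeyVault(
                        "https://packtpubkeyvault01.vault.azure.net/",
                        keyVaultClient,
                        new PrefixKeyVaultSecretManager("webapp"));
                })
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup<Startup>();
                });
    }
}
```

Whichever secret manager is used, the configuration provider first lists the vault's secrets and then fetches the ones Load accepts, so the managed identity still needs both List and Get secret permissions in the access policy. The prefix manager limits what is loaded into the process, not what the identity is permitted to read; if an identity must not be able to read unrelated secrets at all, keep those in a separate vault.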

In this section, we have replaced a service principal with a managed identity. Managed identities offer a more secure way of connecting services because no client secret is ever stored in the application or its configuration; the platform issues, rotates, and protects the identity's credentials on the application's behalf.

Summary

This chapter covered three tools in Azure that can help secure our applications, particularly around managing data encryption keys and authentication between systems.

We looked at how to use key vaults for creating and managing secrets and keys and how we can then secure access to them using access policies. We also looked at how we can use service principals and managed identities to secure our applications.

This chapter also concluded the Identity and Security requirement of the AZ-304 exam, looking at authentication, authorization, system governance, and application-level security.

Next, we will look at how we architect solutions around specific Azure infrastructure and storage components.

Exam Scenario

The solutions to the exam scenarios can be found at the end of the book.

Mega Corp plans a new internal web solution consisting of a frontend web app, multiple middle-tier API apps, and a SQL database.

The database's data is highly sensitive, and the leadership team is concerned that providing database connection strings to the developers would breach data protection laws and industry compliance regulations.

Part of the application includes the storage of documents in a Blob Storage account; however, the leadership team is not comfortable with Microsoft managing the encryption keys.

As this is an internal application, authentication needs to be integrated into the existing Active Directory. Also, each of the middle-tier services needs to know who the logged-in user is at all times – in other words, any authentication mechanism needs to pass through all layers of the system.

Design a solution that will alleviate the company’s security concerns but still provides a robust application.