Azure Managed Identity removes the need to hardcode credentials in application code or configuration, which closes off one of the most common routes to credential exposure.
A managed identity is a service principal in Microsoft Entra ID (formerly Azure Active Directory) whose credential is created, rotated and protected by the platform. Your code never sees a secret: it asks the local identity endpoint for a token and presents that token to the target resource. This removes the shared secrets and the manually issued client secrets or certificates that a conventional service principal needs.
With a managed identity you grant access to Azure resources through role assignments instead of by distributing credentials. This is especially useful for automation such as Azure Automation runbooks and deployment pipelines that run on Azure-hosted compute.
Creating Azure Resources
Bicep is Microsoft's domain-specific language for Azure infrastructure as code (IaC); it lets you declare Azure resources and compiles to ARM templates.
An Azure Automation account declared in Bicep gets a managed identity by adding an identity block to the resource with type set to SystemAssigned. Azure then creates and manages the identity as part of the deployment, so there is no separate credential to store or rotate.
Creating Cosmos Db Account
An Azure Cosmos DB account can also be given a system-assigned identity, either in Bicep with the same identity block or in the portal under the Identity section of the account's sidebar.
Once the identity is enabled, the portal shows the Object Id (also called Principal Id) that Azure generated for the account.
This Object Id is the object identifier of the service principal that represents the identity in Microsoft Entra ID. It is a GUID generated by Azure, and it is the value you use when assigning roles to that identity.
Note which direction this identity works in: the Cosmos DB account's own identity lets Cosmos DB reach other services on its behalf (for example a Key Vault holding customer-managed keys). It is not what grants your application access to Cosmos DB; for that, the application's identity needs a role assignment on the Cosmos DB account.
Creating Our Function
Our Azure Function gets a System-Assigned Managed Identity so that it can perform operations against the Cosmos DB account without a connection string in its settings. In Bicep this is again the identity block on the function app resource with type set to SystemAssigned.
The function's Object Id is visible under Identity in the sidebar, just as for the Cosmos DB account. This is the value the role assignment needs.
Setting the type to SystemAssigned tells Azure to create and manage the identity for the application, which is what lets the Function authenticate to Cosmos DB. On an existing function app the same result comes from Update-AzFunctionApp -IdentityType SystemAssigned.
The tenantId property identifies the Microsoft Entra tenant the identity belongs to, and principalId is the unique identifier of the application's new identity. Both are generated automatically when the Function is deployed with a System-Assigned Managed Identity.
To use these values later in the same deployment, for example in a role assignment, Bicep exposes them as properties of the resource's symbolic name (functionApp.identity.principalId). In a classic ARM JSON template the equivalent is the reference() function called with the 'Full' flag, which returns the resource's identity block alongside its properties.
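The same wiring done imperatively with Az PowerShell, as an added example (not code from the original page or from the sources it draws on): enable a system-assigned identity on an Automation account and on a Function App, read back the generated principalId and tenantId, then grant the Function's identity the Cosmos DB built-in Data Contributor role scoped to a single database. The resource group, account, database and app names are placeholders; the block assumes the Az.Accounts, Az.Automation, Az.Functions and Az.CosmosDB modules and an existing Cosmos DB (NoSQL API) account.

```powershell
# Added example: imperative equivalent of the Bicep identity block plus the role assignment
# the page describes. Assumes Az.Accounts, Az.Automation, Az.Functions, Az.CosmosDB.
# All names below are placeholders.
$rg       = 'rg-orders'
$account  = 'cosmos-orders'        # existing Cosmos DB (NoSQL API) account
$database = 'OrdersDb'             # existing database inside that account
$funcApp  = 'func-orders-api'      # existing Function App
$autoAcct = 'auto-orders-ops'      # existing Automation account

Connect-AzAccount | Out-Null

# 1. Automation account: equivalent of identity: { type: 'SystemAssigned' }
Set-AzAutomationAccount -ResourceGroupName $rg -Name $autoAcct -AssignSystemIdentity | Out-Null

# 2. Function App: -IdentityType SystemAssigned makes Azure create and manage the identity
Update-AzFunctionApp -ResourceGroupName $rg -Name $funcApp -IdentityType SystemAssigned -Force | Out-Null

# 3. Read back what the Bicep identity block / reference(..., 'Full').identity exposes
$site        = Get-AzFunctionApp -ResourceGroupName $rg -Name $funcApp
$principalId = $site.IdentityPrincipalId    # object id of the identity's service principal
$tenantId    = $site.IdentityTenantId
if (-not $principalId) { throw "System-assigned identity was not created for $funcApp" }
Write-Host "Function principalId=$principalId tenantId=$tenantId"

# 4. Data-plane RBAC for Cosmos DB. This is not Azure RBAC: Cosmos DB keeps its own role
#    definitions and assignments. ...0002 is the built-in Data Contributor role, ...0001 is
#    Data Reader. Scope the grant to the one database the function needs, not '/' (whole account).
$dataContributor = '00000000-0000-0000-0000-000000000002'
New-AzCosmosDBSqlRoleAssignment -ResourceGroupName $rg -AccountName $account `
    -RoleDefinitionId $dataContributor `
    -Scope "/dbs/$database" `
    -PrincipalId $principalId | Out-Null

# 5. Verify exactly what this principal holds on the account
Get-AzCosmosDBSqlRoleAssignment -ResourceGroupName $rg -AccountName $account |
    Where-Object PrincipalId -eq $principalId |
    Select-Object RoleDefinitionId, Scope
```

After this runs, the Function should have its Cosmos DB connection-string setting removed and connect with the Azure Identity library instead. A data-plane role assignment does not switch off key-based access on its own; if the account keys are no longer needed, disable local authentication on the account so a leaked key cannot bypass the role model.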
Managed Identity Types
There are two types of managed identities: system-assigned and user-assigned.
A system-assigned identity is created by Azure on a specific resource, shares that resource's lifecycle, and is deleted with it.
A user-assigned identity is a standalone Azure resource that you create and manage yourself; it can be attached to several resources and outlives any of them.
To add a user-assigned identity to an app, create the identity first, then reference its resource ID from the app (in Bicep, in the userAssignedIdentities map of the identity block; from the command line, as in the steps below).
Here are the steps to create and attach a user-assigned identity:
- Create the identity resource: az identity create, or New-AzUserAssignedIdentity in Az PowerShell.
- Attach it to the app: az webapp identity assign with the identity's resource ID, or Update-AzFunctionApp -IdentityType UserAssigned -IdentityID for a function app.
- Grant the identity's principal the roles it needs on the target resources.
An application can also carry both kinds at once.
This is done by setting the type property to 'SystemAssigned, UserAssigned'.
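An added example (not from the original page or its sources) of the user-assigned steps above with Az PowerShell: create one identity, attach it to both a Function App and an Automation account, and record the two identifiers that are easy to confuse. Names are placeholders; the block assumes the Az.ManagedServiceIdentity, Az.Functions and Az.Automation modules and that the app and Automation account already exist.

```powershell
# Added example: one user-assigned identity shared by a Function App and an Automation account.
# Assumes Az.ManagedServiceIdentity, Az.Functions, Az.Automation; names are placeholders.
$rg       = 'rg-orders'
$location = 'westeurope'
$uamiName = 'id-orders-workers'
$funcApp  = 'func-orders-api'
$autoAcct = 'auto-orders-ops'

# 1. The identity is its own resource with its own lifecycle
$uami = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $uamiName -Location $location

# Two different ids come back and are easy to confuse:
#   PrincipalId : object id of the service principal -> used in role assignments
#   ClientId    : application (client) id           -> used by app code to pick this identity
Write-Host "principalId=$($uami.PrincipalId) clientId=$($uami.ClientId)"

# 2. Attach the same identity to several resources. When more than one identity is attached
#    the app must be told which one to use, hence AZURE_CLIENT_ID (read by DefaultAzureCredential).
Update-AzFunctionApp -ResourceGroupName $rg -Name $funcApp `
    -IdentityType UserAssigned -IdentityID $uami.Id -Force | Out-Null
Update-AzFunctionAppSetting -ResourceGroupName $rg -Name $funcApp `
    -AppSetting @{ AZURE_CLIENT_ID = $uami.ClientId } | Out-Null

Set-AzAutomationAccount -ResourceGroupName $rg -Name $autoAcct `
    -AssignUserIdentity $uami.Id | Out-Null

# 3. Confirm the attachment; 'UserAssigned' (or 'SystemAssigned, UserAssigned') is expected
(Get-AzFunctionApp -ResourceGroupName $rg -Name $funcApp).IdentityType

# 4. Deleting the identity resource later does not remove its role assignments, so keep the
#    principalId with the identity's documentation for clean-up when it is retired.
$retirementNote = "Identity $uamiName principalId=$($uami.PrincipalId)"
Write-Host $retirementNote
```

Because the identity is shared, every role granted to it is effectively granted to every workload it is attached to; attach it only to workloads that genuinely need the same access.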
Configuring Managed Identity
Configuring Managed Identity is the first step in using it. You assign a managed identity to an Azure resource such as App Service or Azure Functions so the resource can authenticate to other Azure services without credentials in its code or configuration files.
To assign a managed identity, use the Azure portal or the Azure CLI. In the portal, open the app's settings, select Identity, switch Status to On and click Save. From the CLI, az webapp identity assign creates a system-assigned identity.
The choice between the two identity types matters here: a System Assigned identity lives and dies with the application and can only be used by it, while a User Assigned identity is a separate resource with its own lifecycle that several applications can share.
In summary, assigning a managed identity is two steps: enable the identity on the resource, then grant that identity roles on the resources it must reach.
Use the Azure Identity library for your programming language to acquire access tokens and call those resources. The library talks to the identity endpoint for you, so no credentials are stored in your code.
Permissions and Access
To grant a Managed Identity access to Azure SQL Database, create a contained user in the database for the identity and give that user the SQL permissions it needs. This differs from most Azure services, where access is granted with built-in Azure RBAC roles.
You can run the script from the Query editor pane of the database. It creates the contained user from the identity's display name (CREATE USER ... FROM EXTERNAL PROVIDER) and then grants permissions: for example CREATE SCHEMA and CREATE TABLE for an identity that runs migrations, or membership of db_datareader and db_datawriter for the identity the application runs as.
Once the App Service is configured with a user-assigned Managed Identity, grant the identity permissions on the target resources with Azure role-based access control (RBAC). Creating the role assignment requires that you, the person assigning, hold a role such as User Access Administrator or Owner on that resource; the identity itself should receive only a narrow data-plane role.
Every resource the identity accesses needs an explicit grant. Requesting a token for Key Vault, for example, is not enough: the vault must also either list the identity in an access policy or, if it uses the Azure RBAC permission model, carry a role assignment such as Key Vault Secrets User for it.
Azure RBAC covers storage accounts and most other services. Azure Cosmos DB data access uses its own data-plane role assignments on the account rather than Azure RBAC, and Azure SQL Database uses the contained user described above.
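The contained-user script run from PowerShell instead of the Query editor, as an added example that is not part of the original page or its sources. It authenticates to the database with an Entra token (only an Entra principal can create FROM EXTERNAL PROVIDER users) and grants read/write role membership rather than schema-level rights. It assumes PowerShell 7, the SqlServer module (Invoke-Sqlcmd with -AccessToken, 21.1.18 or later), Az.Accounts 2.17 or later for -AsSecureString, and that the caller is the SQL server's Microsoft Entra admin; server, database and identity names are placeholders.

```powershell
# Added example: create the contained database user for a managed identity in Azure SQL.
# Assumes PowerShell 7, SqlServer module >= 21.1.18, Az.Accounts >= 2.17, and that the
# caller is the server's Entra admin. Names are placeholders.
$server   = 'sql-orders.database.windows.net'
$database = 'OrdersDb'
# Display name of the identity: the app name for system-assigned, the identity resource's
# name for user-assigned. Azure SQL resolves it in Entra; a misspelled name fails outright.
# This value is set by the administrator running the script, not taken from user input.
$identity = 'func-orders-api'

# Token for the SQL resource; SQL authentication cannot create external users.
$token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net' -AsSecureString).Token |
    ConvertFrom-SecureString -AsPlainText

# Least privilege: the runtime identity gets data roles, not db_owner. CREATE SCHEMA /
# CREATE TABLE belong to a separate migration identity.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$identity')
    CREATE USER [$identity] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$identity];
ALTER ROLE db_datawriter ADD MEMBER [$identity];
"@

Invoke-Sqlcmd -ServerInstance $server -Database $database -AccessToken $token -Query $sql

# Verify the principal exists and is an external (Entra) principal
Invoke-Sqlcmd -ServerInstance $server -Database $database -AccessToken $token -Query @"
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals WHERE name = N'$identity';
"@
```

The verification query should show type_desc EXTERNAL_USER and authentication_type_desc EXTERNAL. If the identity is renamed or recreated (a system-assigned identity is recreated with a new object id when it is disabled and re-enabled), the contained user must be dropped and created again.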
Here are the steps to assign permissions on a storage account to a Managed Identity:
- Navigate to the storage account, then Access Control (IAM)
- Click the + Add button, then select Add role assignment
- Select the RBAC role from the list, such as Storage Blob Data Contributor
- On the Members tab, select the Managed Identity radio button, then click + Select members
- Select the Managed Identity resource type, then search or select the resource containing the Managed Identity
- Finish the selection by clicking the Select button
- Review and assign the role to the Managed Identity
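The same role assignment done with Az PowerShell, as an added example that is not from the original page or its sources. Beyond the portal steps, it scopes the grant to a single container, retries the replication delay that makes a freshly created identity briefly unknown to the authorization service, and lists what the identity ends up holding. It assumes the Az.Resources and Az.Storage modules; names and the principal id are placeholders.

```powershell
# Added example: Azure RBAC assignment for a managed identity on a storage account.
# Assumes Az.Resources and Az.Storage; names and the principal id are placeholders.
$rg          = 'rg-orders'
$storageName = 'storders001'
$container   = 'invoices'
$principalId = '<object id of the managed identity>'   # IdentityPrincipalId / PrincipalId
$role        = 'Storage Blob Data Contributor'

$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name $storageName

# Scope as narrowly as the workload allows: one container rather than the whole account.
$scope = "$($storage.Id)/blobServices/default/containers/$container"

# Idempotent: skip if the exact assignment already exists (New-AzRoleAssignment errors otherwise)
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope
if (-not $existing) {
    # A just-created identity can take a short while to replicate; retry on PrincipalNotFound.
    $maxAttempts = 6
    for ($i = 1; $i -le $maxAttempts; $i++) {
        try {
            New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role `
                -Scope $scope -ErrorAction Stop | Out-Null
            break
        } catch {
            $retryable = $_.Exception.Message -match 'PrincipalNotFound|does not exist in the directory'
            if (-not $retryable -or $i -eq $maxAttempts) { throw }
            Start-Sleep -Seconds (10 * $i)
        }
    }
}

# Review: the thing to look for is an unexpectedly broad scope (subscription, resource group,
# whole account) or a management-plane role where only a data role was intended.
Get-AzRoleAssignment -ObjectId $principalId |
    Select-Object RoleDefinitionName, Scope
```

Note that the person running this needs Owner or User Access Administrator on the storage account (or higher), while the identity receives only the data role; the two should not be the same principal.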
Working with Managed Identity
Managed identities are a feature of Microsoft Entra ID (formerly Azure Active Directory) that lets applications and Azure services authenticate to each other without credentials in code or configuration files.
The two types, System Assigned and User Assigned, differ in lifecycle: the former is created and deleted with the application and serves only that application; the latter is a separate resource, assignable to multiple applications, with its own lifecycle.
To use a managed identity, grant it access to the resource it will call. For Azure SQL Database that means a contained database user with the required SQL permissions; for most other services it means an Azure RBAC role assignment.
The Azure Identity library acquires access tokens for the managed identity and is available for .NET, Java, JavaScript, Python, Go and C++.
To connect to Azure SQL Database from .NET, use Microsoft.Data.SqlClient, which can authenticate with a managed identity directly (Authentication=Active Directory Managed Identity in the connection string); the older Microsoft.Azure.Services.AppAuthentication package is deprecated in favour of Azure.Identity. Where a downstream system only accepts a password or API key, keep that secret in Azure Key Vault and let the managed identity fetch it, so the secret still never appears in code or configuration.
Here are the benefits of using managed identities:
- No secrets or keys to manage for your applications; the platform creates, protects and rotates the identity's credential.
- Access is granted with role-based access control (RBAC), so it can be reviewed and scoped like any other principal.
- Access can be revoked at any time by removing role assignments or disabling the identity, without touching application code.
Managing Tokens
Cache tokens in local memory to improve performance and reliability. Managed identity tokens are valid for 24 hours, so one cached token can serve many requests.
Don't request a new token on every call: the identity endpoint itself caches and will hand back the same token, and if you exceed the request limits you will be rate limited with an HTTP 429 response.
Expire your cache entry 5 minutes before the expires_on value returned with the token, so that a refresh happens before the token can fail.
Treat tokens like credentials: don't expose them to users or other services, don't log them, and don't move them off the resource that obtained them except to present them to the target resource.
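A per-process token cache implementing the three rules above, as an added example that is not part of the original page or its sources. It talks to the managed identity endpoint directly (the App Service family endpoint from IDENTITY_ENDPOINT/IDENTITY_HEADER, or the IMDS endpoint on a VM), refreshes 5 minutes before expires_on, and backs off on HTTP 429. It assumes PowerShell 7 for the error object shape and only works when run inside an Azure resource that has a managed identity; the resource URL is a placeholder.

```powershell
# Added example: small per-process token cache for the managed identity endpoint.
# Assumes PowerShell 7 and execution inside an Azure resource with a managed identity.
$script:TokenCache = @{}

function Get-ManagedIdentityToken {
    param(
        [Parameter(Mandatory)][string]$Resource,   # e.g. https://vault.azure.net
        [string]$ClientId,                         # only needed for a user-assigned identity
        [int]$RefreshSkewSeconds = 300             # refresh 5 minutes before expires_on
    )
    $now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $key    = "$Resource|$ClientId"
    $cached = $script:TokenCache[$key]
    if ($cached -and $now -lt ($cached.ExpiresOn - $RefreshSkewSeconds)) {
        return $cached.Token                       # served from cache: no HTTP request
    }

    $res = [uri]::EscapeDataString($Resource)
    if ($env:IDENTITY_ENDPOINT) {
        # App Service, Functions, Container Apps, Automation: endpoint + secret header from env
        $uri     = "$($env:IDENTITY_ENDPOINT)?api-version=2019-08-01&resource=$res"
        $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    } else {
        # Virtual machines / VMSS: link-local IMDS endpoint, not routable off the host
        $uri     = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$res"
        $headers = @{ Metadata = 'true' }
    }
    if ($ClientId) { $uri += "&client_id=$ClientId" }

    $maxAttempts = 5
    for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
        try {
            $resp = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get -ErrorAction Stop
            break
        } catch {
            $status = 0
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            # 429 = rate limited by the identity endpoint; anything else is not retried here
            if ($status -ne 429 -or $attempt -eq $maxAttempts) { throw }
            Start-Sleep -Seconds ([math]::Pow(2, $attempt))
        }
    }

    $script:TokenCache[$key] = @{
        Token     = $resp.access_token
        ExpiresOn = [long]$resp.expires_on       # unix seconds on both endpoints
    }
    # Never write $resp.access_token to logs: it is a bearer credential for $Resource
    return $resp.access_token
}

# Usage: the second call inside the validity window comes from the cache
$t1 = Get-ManagedIdentityToken -Resource 'https://vault.azure.net'
$t2 = Get-ManagedIdentityToken -Resource 'https://vault.azure.net'
[string]::Equals($t1, $t2)   # True until 5 minutes before expiry
```

The Azure Identity library does this caching for you; the hand-written version is useful where a runbook or script cannot take the library as a dependency, and it makes the 429 handling and the skew explicit. The cache is keyed on resource and client id because a token for one audience is not valid for another.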
Portal
You can enable a managed identity when creating a new Automation account on the Azure portal.
To do this, select either System assigned or User assigned managed identity on the Advanced tab.
Navigate to Account Settings > Identity if you have an existing Automation account to enable the system or user-assigned identity.
Azure generates an object (principal) ID for the managed identity. It has the same GUID format as the object ID of a user account, but it identifies a service principal, not a user, and it is the value you supply to role assignments.
Removing and Updating
Disabling a system-assigned identity removes it from Microsoft Entra ID; you cannot delete it in Entra directly, you turn it off on the resource. It is also removed automatically when you delete the app resource itself.
To remove a system-assigned identity from a web app with Az PowerShell, run Set-AzWebApp with -AssignIdentity $false. With the Azure CLI, run az webapp identity remove with [system] in --identities.
User-assigned identities can likewise be detached one at a time or in bulk by listing their resource IDs in --identities. Deleting the identity resource itself is a separate step, and role assignments that referenced a removed identity are not cleaned up automatically.
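An added example (not from the original page or its sources) of retiring identities without leaving orphaned role assignments behind, which is the part the portal and CLI commands above do not do for you. It assumes the Az.Websites, Az.Functions, Az.Resources and Az.ManagedServiceIdentity modules; names are placeholders.

```powershell
# Added example: retire a system-assigned and a user-assigned identity, cleaning up the
# role assignments that would otherwise remain as 'Identity not found' entries.
# Assumes Az.Websites, Az.Functions, Az.Resources, Az.ManagedServiceIdentity; names are placeholders.
$rg       = 'rg-orders'
$webApp   = 'web-orders-portal'
$funcApp  = 'func-orders-api'
$uamiName = 'id-orders-workers'

function Remove-RoleAssignmentsForPrincipal {
    param([Parameter(Mandatory)][string]$PrincipalId)
    # Assignments survive the principal; they are still listable by object id, just not by name.
    Get-AzRoleAssignment -ObjectId $PrincipalId | ForEach-Object {
        Write-Host "Removing $($_.RoleDefinitionName) at $($_.Scope)"
        Remove-AzRoleAssignment -ObjectId $PrincipalId `
            -RoleDefinitionName $_.RoleDefinitionName -Scope $_.Scope
    }
}

# 1. System-assigned identity on a web app: capture the principalId before disabling it
$principalId = (Get-AzWebApp -ResourceGroupName $rg -Name $webApp).Identity.PrincipalId
if ($principalId) {
    Remove-RoleAssignmentsForPrincipal -PrincipalId $principalId
    # Disabling the identity deletes its service principal from Entra
    Set-AzWebApp -ResourceGroupName $rg -Name $webApp -AssignIdentity $false | Out-Null
}

# Function App equivalent (removes every identity attached to the app):
#   Update-AzFunctionApp -ResourceGroupName $rg -Name $funcApp -IdentityType None -Force

# 2. User-assigned identity: detach from apps first, clean up its assignments, then delete
#    the identity resource. Detaching does not delete the resource, and deleting the resource
#    does not remove its role assignments.
$uami = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $uamiName
Update-AzFunctionApp -ResourceGroupName $rg -Name $funcApp -IdentityType None -Force | Out-Null
Remove-RoleAssignmentsForPrincipal -PrincipalId $uami.PrincipalId
Remove-AzUserAssignedIdentity -ResourceGroupName $rg -Name $uamiName
```

Re-enabling a system-assigned identity later creates a new service principal with a new object id, so every role assignment and every SQL contained user must be recreated; that is the reason to clean up rather than rely on the old entries.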
Run Account Migration
Microsoft retired Azure Automation Run As accounts on September 30, 2023, so any runbook still using one must be updated.
Runbooks that authenticate with a Run As account must move to a managed identity on the Azure Automation account.
To migrate from an existing Run As account to a managed identity, follow these steps:
- Enable a system-assigned or user-assigned managed identity (or both) on the Automation account.
- Give the managed identity the same access to Azure resources that the Run As account had, or, better, only the subset the runbooks actually use.
- Update the runbooks to authenticate with the managed identity (Connect-AzAccount -Identity) instead of the Run As connection.
The deadline was September 30, 2023; runbooks still on a Run As account should be migrated without delay.
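A runbook before and after the migration, as an added example that is not from the original page or its sources. The Run As pattern is left in comments for comparison; the replacement authenticates as the Automation account's identity and then does a representative task. It assumes Az.Accounts and Az.Compute are imported into the Automation account; the resource group, tag and client id are placeholders.

```powershell
# Added example: runbook migrated from a Run As account to the Automation account's identity.
# Assumes Az.Accounts and Az.Compute in the Automation account; names/tags are placeholders.

# --- Before: the Run As pattern, which fails once the Run As account is retired ---
# $conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
# Connect-AzAccount -ServicePrincipal -Tenant $conn.TenantId `
#     -ApplicationId $conn.ApplicationId -CertificateThumbprint $conn.CertificateThumbprint

# --- After: authenticate as the managed identity ---
$ErrorActionPreference = 'Stop'
Disable-AzContextAutosave -Scope Process | Out-Null   # keep the context in this sandbox only

# System-assigned identity: nothing to pass, no secret anywhere in the runbook
$profile = Connect-AzAccount -Identity

# User-assigned identity instead: select it by client id
# $profile = Connect-AzAccount -Identity -AccountId '<client id of the user-assigned identity>'

Write-Output "Running as $($profile.Context.Account.Id) in $($profile.Context.Subscription.Name)"

# Run As accounts were typically Contributor on the whole subscription. The identity only
# needs what this runbook does, e.g. Virtual Machine Contributor on one resource group:
#   New-AzRoleAssignment -ObjectId <identity principalId> `
#       -RoleDefinitionName 'Virtual Machine Contributor' -ResourceGroupName 'rg-orders'
$rg = 'rg-orders'

# Representative task: deallocate running VMs tagged autoshutdown=true
$vms = Get-AzVM -ResourceGroupName $rg -Status |
    Where-Object { $_.Tags['autoshutdown'] -eq 'true' -and $_.PowerState -eq 'VM running' }

foreach ($vm in $vms) {
    Write-Output "Deallocating $($vm.Name)"
    Stop-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Force | Out-Null
}
Write-Output "Done: $($vms.Count) VM(s) deallocated"
```

If the runbook fails at Connect-AzAccount with an identity-not-found style error, the identity is usually enabled but the runbook was started before the identity endpoint picked it up; re-run. Failures later in the runbook are almost always missing role assignments, which is the point at which the old Run As account's broad access should be narrowed rather than copied.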
Sources
- https://dev.to/willvelida/using-managed-identities-to-authenticate-with-azure-cosmos-db-23ga
- https://www.carbonlogiq.io/post/enabling-managed-identity-access-to-azure-sql-db
- https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview-for-developers
- https://jeffbrown.tech/azure-automation-managed-identity/
- https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity