Keeping credentials safe has always been a priority, and even more so in the cloud, where your application, virtual machine or other components may need to authenticate to additional cloud services.
Within Microsoft Azure, managed identities are one of the security precautions that can help with this.
Does your application need access to another Azure resource or a Key Vault secret? You could simply hand it the credentials, but you want to restrict their use and exposure as much as possible, and preferably avoid storing them, even temporarily, on a local device while you deploy your code.
Creating a managed identity gives your resource an identity in Azure AD that can be granted the access it needs, so your application gets the permissions or the secret it requires without any credential being stored in your code or deployment.
There are two types of managed identities – system-assigned managed identity & user-assigned managed identity.
System-assigned managed identity – This identity is enabled directly on an Azure service instance, giving that instance its own identity in Azure AD. Note: the identity lives only as long as the instance; once the instance is deleted or the identity is disabled, Azure automatically cleans up the corresponding Azure AD object.
User-assigned managed identity – A standalone Azure resource that creates an identity in Azure AD which can be assigned to one or more Azure service instances. Note: this identity is not cleaned up automatically; deleting it requires explicit user action.
(The original post illustrates three scenarios with diagrams not reproduced here: managed identity with a Windows VM, managed identity with a Linux VM, and the additional Azure services that can use a managed identity.)
Enabling a system-assigned managed identity on a virtual machine (Azure portal):
1. Select the virtual machine.
2. Select Settings -> Identity -> System assigned, then enable it.
This creates a managed identity in Azure AD for the virtual machine. The equivalent Azure CLI command (resource group tamops, VM tamops-vm):
az vm identity assign -g tamops -n tamops-vm
Assigning a user-assigned managed identity to the virtual machine (Azure portal):
1. Select Settings -> Identity -> User assigned, then click Add.
2. Select the user-assigned managed identity to attach and click Add.
The equivalent Azure CLI command, where tamops-MI is the name of the user-assigned managed identity:
az vm identity assign -g tamops -n tamops-vm --identities tamops-MI
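The steps above as one script, added here as an example and not code from the original post. It reuses the post's names (resource group tamops, VM tamops-vm, user-assigned identity tamops-MI) and goes beyond the post in two places that are assumptions on my part: it grants the identity a vault-scoped "Key Vault Secrets User" role on an assumed vault named tamops-kv, and it shows the token request a workload makes from inside the VM to the Azure Instance Metadata Service (IMDS), which is how the identity is actually used without any stored credential. Azure calls only run when the script is invoked with an explicit mode (`setup` or `token`); `jq` is assumed for parsing the token response.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Control-plane steps run from
# an admin workstation after `az login`; the token step runs inside the VM.
set -euo pipefail

RG="${RG:-tamops}"          # resource group from the post
VM="${VM:-tamops-vm}"       # VM name from the post
UAMI="${UAMI:-tamops-MI}"   # user-assigned identity from the post
KV="${KV:-tamops-kv}"       # ASSUMED Key Vault name (not in the post)
IMDS="http://169.254.169.254/metadata/identity/oauth2/token"

# --- Control plane ---------------------------------------------------------

# Enable the system-assigned identity and return its principalId, which is
# the object that role assignments are granted to.
enable_system_identity() {
  az vm identity assign -g "$RG" -n "$VM" >/dev/null
  az vm show -g "$RG" -n "$VM" --query identity.principalId -o tsv
}

# Attach an existing user-assigned identity (a standalone resource that is
# not deleted with the VM) and return its clientId for token requests.
assign_user_identity() {
  az vm identity assign -g "$RG" -n "$VM" --identities "$UAMI" >/dev/null
  az identity show -g "$RG" -n "$UAMI" --query clientId -o tsv
}

# Least privilege: a data-plane read role scoped to one vault, rather than
# a broad role at subscription or resource-group scope.
grant_secret_reader() {
  local principal_id="$1" scope
  scope=$(az keyvault show -n "$KV" --query id -o tsv)
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" \
    --scope "$scope" >/dev/null
}

# --- Data plane (inside the VM) --------------------------------------------

# Percent-encode the ':' and '/' of a resource URI for the query string.
urlencode_resource() { printf '%s' "$1" | sed 's|:|%3A|g; s|/|%2F|g'; }

# Build the IMDS token URL. Without client_id the system-assigned identity
# is used; a client_id selects a specific user-assigned identity, which
# matters when more than one identity is attached to the VM.
imds_token_url() {
  local resource="$1" client_id="${2:-}" url
  url="${IMDS}?api-version=2018-02-01&resource=$(urlencode_resource "$resource")"
  if [ -n "$client_id" ]; then url="${url}&client_id=${client_id}"; fi
  printf '%s' "$url"
}

# Request an access token. The "Metadata: true" header is mandatory; IMDS
# rejects requests without it, which defeats naive request forwarding.
get_token() {
  curl -sS -H 'Metadata: true' "$(imds_token_url "$@")" | jq -r '.access_token'
}

case "${1:-}" in
  setup)
    principal=$(enable_system_identity)
    grant_secret_reader "$principal"
    client_id=$(assign_user_identity)
    echo "system-assigned principalId: $principal"
    echo "user-assigned clientId:      $client_id"
    ;;
  token)
    # e.g. ./mi.sh token https://vault.azure.net [<client_id>]
    get_token "${2:-https://vault.azure.net}" "${3:-}"
    ;;
esac
```

Run `./mi.sh setup` once from a workstation, then `./mi.sh token` inside the VM to obtain a Key Vault token for the system-assigned identity, or `./mi.sh token https://vault.azure.net <clientId>` to use the user-assigned one. The token is short-lived and never written to disk, which is the whole point of the identity.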
A lengthy blog post on Azure identity management, specifically virtual machine identity management. I will look at a follow-up blog that details the process of implementing a Key Vault with this virtual machine and how the managed identity can be used to retrieve secrets.