
WELCOME TO CLOUD MATTER

Roman Guoussev-Donskoi

The best way to protect application credentials is not to have them - meet Azure Managed Identity

The surest way to protect a credential is not to have one, and that is exactly what Azure Managed Identity (formerly Managed Service Identity, MSI) lets you do: Azure creates and rotates the identity's credentials itself, and your application only ever asks the platform for a short-lived access token.

Managed Identity combined with other Azure security features gives you useful options for hardening access to your Azure resources. For example, if applications access Azure SQL through Managed Identity, humans access it through Azure AD authentication, and that Azure AD authentication requires multi-factor authentication, you have a strong defense against brute-force password attacks on your databases. The defense only holds if no SQL authentication login remains as a password-based fallback, so disable those logins (or enable Azure AD-only authentication on the server) rather than leaving them alongside the Azure AD path.



Concepts - Service Principal

If you work with applications that need access to Azure resources, it is important to understand the concept of a Service Principal and how it relates to the Application ID.


The clearest and most concise description I found is in the Microsoft documentation:


"Consider the application object as the global representation of your application for use across all tenants, and the service principal as the local representation for use in a specific tenant."

"An application object therefore has a 1:1 relationship with the software application, and a 1:many relationships with its corresponding service principal object(s)."

"A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant."

Application Identity - Overview

From the Microsoft documentation:

"When you enable MSI for an Azure service, such as Azure Virtual Machines, Azure App Service, or Azure Functions, Azure creates a service principal. MSI does this for the instance of the service in Azure Active Directory (Azure AD) and injects the service principal credentials into that instance."

https://docs.microsoft.com/en-ca/azure/key-vault/tutorial-net-create-vault-azure-web-app#about-managed-service-identity



Application Identity - Accessing Resources

The following Microsoft documentation is very helpful and easy to follow:


The notes below may also help when developers start using managed service identity.


Take the connection string from the Azure portal, but copy only the server, database and encryption settings (the highlighted part of the portal's connection string). Do not copy the User ID and Password parts; the identity is carried by the access token instead.



Then in your code create your connection as follows:

```csharp
using System.Data.SqlClient;
using Microsoft.Azure.Services.AppAuthentication;

// Connection string from the portal with the User ID and Password parts removed.
var con = new SqlConnection(YourConnectionStringGoesHere);

// AzureServiceTokenProvider obtains the token from the managed identity endpoint;
// the resource URI must end with "/" for Azure SQL.
con.AccessToken = (new AzureServiceTokenProvider())
    .GetAccessTokenAsync("https://database.windows.net/").Result;
con.Open();
```

When getting an access token for Azure SQL, the trailing "/" in "https://database.windows.net/" is critical: the token's audience must match the value Azure SQL expects. It is an easy mistake to omit it, and it can be a frustrating experience trying to understand why the login fails.
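To make the trailing-slash problem visible rather than a mystery at login time, the following Python is an added example (not code from the original post or from Microsoft) that requests a managed-identity token the way a VM does and checks the token's audience before handing it to SQL. It assumes the documented VM Instance Metadata Service (IMDS) endpoint http://169.254.169.254/metadata/identity/oauth2/token with api-version 2018-02-01 and the mandatory "Metadata: true" header; App Service and Functions expose a different endpoint through environment variables. The HTTP fetch is injectable, and the `fake_imds` stand-in and its unsigned tokens are constructed so the module runs offline.

```python
"""Get a managed-identity token for Azure SQL from the VM IMDS endpoint and verify its audience.

Added example, not code from the original post or from Microsoft. Assumes the
documented VM IMDS token endpoint (api-version 2018-02-01, header 'Metadata: true').
"""
import base64
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
SQL_RESOURCE = "https://database.windows.net/"  # the trailing "/" is part of the audience


def build_imds_request(resource):
    """GET request as IMDS expects it; the Metadata header is mandatory and rejects forwarded (SSRF) requests."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    return urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload without verifying the signature: fine for debugging, never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(token, expected_resource):
    """Azure SQL only accepts a token whose aud is exactly the resource it expects, slash included."""
    return jwt_claims(token).get("aud") == expected_resource


def seconds_until_expiry(imds_response, now=None):
    """IMDS returns expires_on as a Unix-timestamp string; refresh a cached token before this reaches zero."""
    now = time.time() if now is None else now
    return int(imds_response["expires_on"]) - int(now)


def _http_fetch(req):
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def get_token(resource, fetch=_http_fetch):
    """Return the IMDS token response (access_token, expires_on, resource, token_type) for `resource`."""
    return fetch(build_imds_request(resource))


def token_for_azure_sql(fetch=_http_fetch):
    """Request a SQL token and fail fast on a wrong audience instead of debugging a login error later."""
    body = get_token(SQL_RESOURCE, fetch)
    if not check_audience(body["access_token"], SQL_RESOURCE):
        raise ValueError(f"token aud {jwt_claims(body['access_token']).get('aud')!r} != {SQL_RESOURCE!r}")
    return body["access_token"]


# --- constructed stand-in for IMDS so the module runs offline (tokens are unsigned and not real) ---
def _unsigned_jwt(aud, exp=1700003600):
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg({'aud': aud, 'exp': exp})}."


def fake_imds(req):
    """Mints a token whose aud echoes the requested resource, which is how the real endpoint populates aud."""
    if req.get_header("Metadata") != "true":
        raise PermissionError("IMDS requires the 'Metadata: true' header")
    resource = urllib.parse.parse_qs(urllib.parse.urlparse(req.full_url).query)["resource"][0]
    return {"access_token": _unsigned_jwt(resource), "expires_on": "1700003600",
            "resource": resource, "token_type": "Bearer"}


if __name__ == "__main__":
    good = token_for_azure_sql(fake_imds)
    print("aud with slash:", jwt_claims(good)["aud"])
    # The common mistake: requesting the resource without the trailing slash.
    bad = get_token("https://database.windows.net", fake_imds)
    print("aud without slash:", jwt_claims(bad)["access_token"] if False else jwt_claims(bad["access_token"])["aud"],
          "-> accepted by SQL:", check_audience(bad["access_token"], SQL_RESOURCE))
```

On a real VM, drop the `fake_imds` argument and `token_for_azure_sql()` calls IMDS directly; the audience check then catches a missing slash at token time, and `seconds_until_expiry` tells a cache when to refresh.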


Result

We no longer need to store a username, password or any other credential for our applications that access Azure resources. The database still has to recognise the identity, though: create a contained database user for the managed identity from the external provider and grant it only the database roles it needs.

