Cloud Matter

Roman Guoussev-Donskoi

The best way to protect application credentials is not to have them - meet Azure Managed Identity

The surest way to protect credentials is not to have any, and that is exactly what Azure Managed Identity (also known as Managed Service Identity, MSI) lets you accomplish.





Managed Identity in combination with other Azure security features gives you very useful options for hardening access to your Azure resources. For example, if you use Managed Identity for application access to Azure SQL, use Azure AD authentication for human access to Azure SQL, and configure that human Azure AD authentication to require multi-factor authentication, you have put a strong defense in place against brute force password attacks on your databases.



Concepts - Service Principal

If you work with applications that require access to Azure resources, it is important to understand the concept of a Service Principal and its relationship to the Application Id.


The clearest and most concise description I found is in the Microsoft documentation, Application and service principal objects in Azure Active Directory, under the heading "Application and service principal relationship":


"Consider the application object as the global representation of your application for use across all tenants, and the service principal as the local representation for use in a specific tenant."

"An application object therefore has a 1:1 relationship with the software application, and a 1:many relationship with its corresponding service principal object(s)."

"A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant."

Application Identity - Overview

When you enable MSI for an Azure service, such as Azure Virtual Machines, Azure App Service, or Azure Functions, Azure creates a service principal. MSI does this for the instance of the service in Azure Active Directory (Azure AD) and injects the service principal credentials into that instance.

https://docs.microsoft.com/en-ca/azure/key-vault/tutorial-net-create-vault-azure-web-app#about-managed-service-identity



Application Identity - Accessing Resources

The following Microsoft documentation is very helpful and easy to follow:

Tutorial: Secure Azure SQL Database connection from App Service using a managed identity

Tutorial: Use Azure Key Vault with an Azure web app in .NET


I also found that the following notes may be helpful when developers start using managed service identity.


Take the connection string from the Azure portal, but copy only the highlighted part: do not take the username and password.



Then, in your code, create your connection as follows:


    using System.Data.SqlClient;
    using Microsoft.Azure.Services.AppAuthentication;

    // The connection string carries no User ID or Password; the access token replaces them.
    SqlConnection con = new SqlConnection(YourConnectionStringGoesHere);
    // Token for Azure SQL issued to the managed identity; the trailing "/" in the resource is required.
    con.AccessToken = new AzureServiceTokenProvider().GetAccessTokenAsync("https://database.windows.net/").Result;
    con.Open();

When requesting an access token for Azure SQL, the trailing "/" in "https://database.windows.net/" is critical. It is an easy mistake to omit it, and it can be a frustrating experience trying to understand why your code does not work.
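As an added example (not code from the original post or from Microsoft's tutorials), the same flow wrapped in a helper that refuses a connection string carrying SQL credentials, requests the token with the exact resource string, and returns the login name Azure SQL sees so you can verify the connection really used the managed identity. It assumes the Microsoft.Azure.Services.AppAuthentication and System.Data.SqlClient packages used above; the class and method names are mine.

```csharp
using System;
using System.Data.SqlClient;
using Microsoft.Azure.Services.AppAuthentication;

public static class ManagedIdentitySql
{
    // Resource identifier for Azure SQL; the trailing "/" must be present.
    private const string SqlResource = "https://database.windows.net/";

    // Opens a connection with the app's managed identity and returns the principal
    // name Azure SQL authenticated, so the caller can confirm no SQL login was used.
    public static string ConnectAndReportIdentity(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);

        // Guard: the whole point is that no username/password ships with the app.
        if (!string.IsNullOrEmpty(builder.UserID) || !string.IsNullOrEmpty(builder.Password))
        {
            throw new InvalidOperationException(
                "Connection string must not contain User ID or Password when using managed identity.");
        }

        // In Azure this resolves to the managed identity of the App Service / VM / Function.
        var tokenProvider = new AzureServiceTokenProvider();
        string token = tokenProvider.GetAccessTokenAsync(SqlResource).GetAwaiter().GetResult();

        using (var con = new SqlConnection(builder.ConnectionString))
        {
            // The token stands in for the password; nothing secret is stored in configuration.
            con.AccessToken = token;
            con.Open();

            // SUSER_SNAME() returns the principal this session authenticated as;
            // for a managed identity that is the identity's name, not a SQL login.
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", con))
            {
                return (string)cmd.ExecuteScalar();
            }
        }
    }
}
```

The helper only works once the database contains a user for the identity (the linked App Service tutorial covers creating it), which is a useful thing to check when the returned name is not what you expect.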


Result

Now we no longer need to store a username, password or any other credentials for our applications that access Azure resources.


References

Services that support managed identities for Azure resources

How can I use managed identities for Azure resources?

