The surest way to protect credentials is not to have them at all, and this is exactly what Azure Managed Identity (also known as Managed Service Identity, MSI) allows you to accomplish.
Managed Identity, combined with other Azure security features, gives you very useful options for hardening access to your Azure resources. For example, if you use Managed Identity for application access to Azure SQL, use Azure AD authentication for human access to Azure SQL, and configure that human Azure AD authentication to require multi-factor authentication, you have put a strong defense in place against brute-force password attacks on your databases.
Concepts - Service Principal
If you work with applications that require access to Azure resources, it is important to understand the concept of a Service Principal and its relationship to the Application Id.
The clearest and most concise description I found is in the Microsoft documentation:
"Consider the application object as the global representation of your application for use across all tenants, and the service principal as the local representation for use in a specific tenant."
"An application object therefore has a 1:1 relationship with the software application, and a 1:many relationship with its corresponding service principal object(s)."
"A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant."
Application Identity - Overview
When you enable MSI for an Azure service, such as Azure Virtual Machines, Azure App Service, or Azure Functions, Azure creates a service principal. MSI does this for the instance of the service in Azure Active Directory (Azure AD) and injects the service principal credentials into that instance.
https://docs.microsoft.com/en-ca/azure/key-vault/tutorial-net-create-vault-azure-web-app#about-managed-service-identity
Application Identity - Accessing Resources
The following Microsoft documentation is very helpful and easy to follow.
I also found the following notes helpful when developers start using managed service identity.
Take the connection string from the Azure portal. Copy only the highlighted part; do not include the username and password.
Then in your code just create your connection as follows
using System.Data.SqlClient;
using Microsoft.Azure.Services.AppAuthentication;
SqlConnection con = new SqlConnection(YourConnectionStringGoesHere);
con.AccessToken = (new AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result; // MSI token replaces username/password
con.Open();
When getting an access token for Azure SQL, the trailing "/" in "https://database.windows.net/" is critical. It is an easy mistake to omit it, and it can be a frustrating experience trying to understand why your code does not work.
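The steps above (credential-free connection string, token from AzureServiceTokenProvider, token assigned to the connection, trailing slash on the resource id) put together as one complete, asynchronous example. This is an added example, not code from the original post: the server and database names are placeholders, and it assumes the application runs on an Azure service with MSI enabled, references the Microsoft.Azure.Services.AppAuthentication and System.Data.SqlClient packages, and that the managed identity has already been granted a user in the database.

```csharp
// Added example (not from the original post): open an Azure SQL connection with a
// Managed Identity access token instead of a stored username/password.
// Assumptions: MSI is enabled on the hosting Azure service, the packages
// Microsoft.Azure.Services.AppAuthentication and System.Data.SqlClient are referenced,
// and the managed identity has been granted a database user.
using System;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;

public static class ManagedIdentitySql
{
    // Resource identifier for Azure SQL. The trailing "/" is required.
    private const string SqlResource = "https://database.windows.net/";

    // Connection string without User ID / Password: the token replaces them.
    // <your-server> and <your-database> are placeholders.
    private const string ConnectionString =
        "Server=tcp:<your-server>.database.windows.net,1433;" +
        "Initial Catalog=<your-database>;Encrypt=True;" +
        "TrustServerCertificate=False;Connection Timeout=30;";

    public static async Task<SqlConnection> OpenAsync()
    {
        // Guard against the easy-to-make mistake described in the post.
        if (!SqlResource.EndsWith("/"))
            throw new InvalidOperationException("Azure SQL resource id must end with '/'.");

        // On an MSI-enabled host the provider obtains the token from the
        // injected service principal; no secret is stored in the app.
        var tokenProvider = new AzureServiceTokenProvider();
        string token = await tokenProvider.GetAccessTokenAsync(SqlResource);

        var conn = new SqlConnection(ConnectionString);
        conn.AccessToken = token;   // MSI token in place of username/password
        await conn.OpenAsync();
        return conn;
    }

    // Returns the login name the database sees, i.e. the managed identity,
    // which is a quick way to confirm the token-based login actually worked.
    public static async Task<string> WhoAmIAsync()
    {
        using (var conn = await OpenAsync())
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            return (string)await cmd.ExecuteScalarAsync();
        }
    }
}
```

Calling WhoAmIAsync() after deployment is a useful smoke test: if it returns the managed identity's name, the token path works end to end, and any later failure is a permissions problem inside the database rather than an authentication one.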
Result
Now we no longer need to store a username, password, or any other credentials for our applications that access Azure resources.