Managed Identity is an Azure feature that gives an Azure resource its own identity in Azure AD and lets that identity be granted access to other Azure resources. This improves security by removing the need for applications to keep credentials in code or configuration files: the identity is linked to the resource itself, and access is granted to the identity rather than to a stored secret.
A common challenge for developers is the management of secrets and credentials used to secure communication between different components making up a solution. Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens. For example, an application may use a managed identity to access resources like Azure Key Vault where developers can store credentials in a secure manner or to access storage accounts.
In the diagram above, a Logic App retrieves a secret from Key Vault with the help of a managed identity. I will explain each part in detail.
We will do the following in this blog:
1. Create a new secret inside Key Vault
2. Create a new Logic App and enable its system-assigned managed identity
3. Add the Logic App to the Key Vault access policies
4. Make an HTTP GET call from the Logic App and get the secret
Create new secret inside key vault
First, we need to create a new secret inside Key Vault. In this example I am using my existing Key Vault, djsecrets.
If you want to learn more about Key Vault, please read my previous blog about Azure Key Vault.
Follow these steps to add a new secret inside Key Vault:
1. Go to the Key Vault
2. Create a new secret named “Name” with the value “DJ Blogs”
3. Click Create and the secret is added to the Key Vault. If we open the secret it looks like the screenshot below
The secret URL looks like https://djsecrets.vault.azure.net/secrets/Name/version-number
If you want to get the latest value every time, omit the version number from the URL, so it becomes https://djsecrets.vault.azure.net/secrets/Name
This versionless URL is what we will use in our Logic App to get the latest value of the secret.
Create new Logic App and enable system assigned managed identity
Now we will create a Logic App that gets the secret with an HTTP GET request, authenticating with its managed identity.
If you want to learn more about Logic Apps, please read my previous blog Logic App.
Follow these steps to create the Logic App:
1. Go to the resource group where you want to create the Logic App and click the Add button
2. Create the Logic App with the name “djmanagedidentity” in the Central US data center
3. Once the Logic App is created, enable the system-assigned managed identity on it
4. Following the steps above creates an Object ID for the identity; our resource is now ready to be granted access through that identity
Add logic app inside key vault Access policies
Once a system-assigned managed identity is enabled on a resource in Azure, that resource can be added to the access policies of another resource in order to access it. Follow these steps to let the Logic App read the key from Key Vault:
1. Go to your Key Vault and select Access policies
2. Click Add Access Policy and add the Logic App object so it can read the secret
3. Once the Logic App has been added to the access policy, we can get the secret value with an HTTP GET request
Http GET call from Logic App and get secret
The managed identity is now set up between the two resources (Key Vault and Logic App) within Azure. To get the secret in the Logic App we need to add two steps inside the Logic App.
We add the Key Vault secret URL and the authentication details inside the HTTP step as follows:
Method: GET
URL: https://djsecrets.vault.azure.net/secrets/Name?api-version=7.2
Audience: https://vault.azure.net
Once all this information is filled in as above, we run the Logic App. The run history shows the input and output as below (Input and Output screenshots).
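To make clear what the HTTP action does on the workflow's behalf when its authentication type is set to the managed identity with audience https://vault.azure.net, the following added example (not code from the original post) reproduces the two requests in Python: first a token is requested from the Azure Instance Metadata Service for that audience, then the secret URL is called with the token as a bearer credential. The transport is injected, so the sample runs offline against constructed responses; the vault name djsecrets, secret name Name and value “DJ Blogs” are the ones used in this post, while the token string and the fake transport are constructed for the example. It also shows the two failure modes a practitioner should recognise: a non-200 from the metadata endpoint (identity not enabled) and a 401/403 from Key Vault (access policy missing).

```python
"""Added example: the two HTTP calls behind a Logic App HTTP action that uses
managed identity authentication against Key Vault. The http_get transport is
injected so the flow can be exercised offline with constructed responses."""
import json
from urllib.parse import urlencode

# Azure Instance Metadata Service token endpoint and the Key Vault audience
# (documented Azure values; the token returned below is constructed).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_AUDIENCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "7.2"


def build_secret_url(vault_name, secret_name, version=None, api_version=KEY_VAULT_API_VERSION):
    """Build the Key Vault secret URL; omitting `version` asks for the latest value."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
    if version:
        url += f"/{version}"
    return f"{url}?{urlencode({'api-version': api_version})}"


def get_managed_identity_token(http_get, audience=KEY_VAULT_AUDIENCE):
    """Step 1: ask IMDS for a token for the audience configured on the HTTP action."""
    query = urlencode({"api-version": IMDS_API_VERSION, "resource": audience})
    status, body = http_get(f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"})
    if status != 200:
        raise RuntimeError(f"IMDS token request failed with HTTP {status}: is managed identity enabled?")
    return json.loads(body)["access_token"]


def get_secret(http_get, secret_url, token):
    """Step 2: GET the secret with the bearer token; 401/403 means no access policy for the identity."""
    status, body = http_get(secret_url, {"Authorization": f"Bearer {token}"})
    if status in (401, 403):
        raise PermissionError(f"Key Vault returned HTTP {status}: check the vault access policy for this identity")
    if status != 200:
        raise RuntimeError(f"Key Vault returned HTTP {status}")
    return json.loads(body)["value"]


def fetch_secret_with_managed_identity(http_get, vault_name, secret_name, version=None):
    """The full flow the Logic App HTTP action performs: token first, then the secret."""
    token = get_managed_identity_token(http_get)
    return get_secret(http_get, build_secret_url(vault_name, secret_name, version), token)


def make_fake_transport(has_access_policy=True):
    """Constructed offline stand-in for IMDS and Key Vault: http_get(url, headers) -> (status, body)."""
    def http_get(url, headers):
        if url.startswith(IMDS_TOKEN_URL):
            if headers.get("Metadata") != "true":  # IMDS rejects requests without this header
                return 400, json.dumps({"error": "missing Metadata header"})
            return 200, json.dumps({"access_token": "constructed-token", "resource": KEY_VAULT_AUDIENCE})
        if url.startswith("https://djsecrets.vault.azure.net/secrets/Name"):
            if headers.get("Authorization") != "Bearer constructed-token":
                return 401, json.dumps({"error": {"code": "Unauthorized"}})
            if not has_access_policy:
                return 403, json.dumps({"error": {"code": "Forbidden"}})
            return 200, json.dumps({"value": "DJ Blogs", "id": url.split("?")[0]})
        return 404, ""
    return http_get


if __name__ == "__main__":
    print(fetch_secret_with_managed_identity(make_fake_transport(), "djsecrets", "Name"))
```

The Logic App designer hides both requests behind the Audience field, but the separation matters for troubleshooting: a failure in step 1 points at the identity not being enabled on the Logic App, while a 401 or 403 in step 2 points at the Key Vault access policy from the previous section.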
Microsoft: What can a managed identity be used for?
I hope this helps you understand managed identity in Azure and how you can use it.