Saturday, June 5, 2021

Managed Identity

Managed Identity is an Azure feature that gives an Azure resource an identity managed by Azure AD and lets that identity access other Azure resources. This improves security by removing the need for applications to keep credentials in code or configuration. Azure creates an identity that is linked to the resource, and that identity can then be granted access to other Azure resources.

A common challenge for developers is the management of secrets and credentials used to secure communication between different components making up a solution. Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens. For example, an application may use a managed identity to access resources like Azure Key Vault where developers can store credentials in a secure manner or to access storage accounts.


In the diagram above, a Logic App retrieves a secret from Key Vault with the help of a managed identity. I will explain each step in detail.

We will do the following in this blog:

1. Create a new secret inside Key Vault

2. Create a new Logic App and enable system assigned managed identity

3. Add the Logic App to the Key Vault access policies

4. Make an HTTP GET call from the Logic App to get the secret

Create new secret inside key vault

First, we need to create a new secret inside Key Vault. In this example I am using my existing key vault djsecrets. If you want to learn more about Key Vault, please read my previous blog about Azure Key Vault.

Follow the steps below to add a new secret inside Key Vault:

1. Go to the key vault

2. Create a new secret with name “Name” and value “DJ Blogs”

3. Click Create and the secret is added to the key vault. If we open the secret it will look as below

The secret URL looks like https://djsecrets.vault.azure.net/secrets/Name/version-number

If you want to get the latest value every time, leave the version number out of the URL: https://djsecrets.vault.azure.net/secrets/Name

This URL will be used in our Logic App to get the latest value of the secret.

Create new Logic App and enable system assigned managed identity

Now we will create a Logic App that gets the secret using an HTTP GET request with managed identity authentication. If you want to learn more about Logic Apps, please read my previous blog Logic App.

Follow the steps below to create the Logic App:

1. Go to the resource group where you want to create the Logic App and click the Add button

2. Create the Logic App with the name “djmanagedidentity” in the Central US region

3. Once the Logic App is created, enable system assigned managed identity in the Logic App

4. After following the steps above, Azure creates an Object ID for the Logic App; the resource is now ready to be granted access through its managed identity.

Add logic app inside key vault Access policies

Once system assigned managed identity is enabled on a resource in Azure, we can add that resource to the access policies of another resource so it can access it. Follow the steps below to let the Logic App get the secret from Key Vault.

1. Go to your key vault and select Access policies

2. Click Add Access Policy and add the Logic App object so it can access the secret

3. Once the Logic App is added to the access policy, we can get the secret value with the help of an HTTP GET request.

 

Make HTTP GET call from Logic App and get secret

The managed identity is now set up between the two resources (Key Vault and Logic App) within Azure. To get the secret in the Logic App, we need to add two steps inside the Logic App.

We need to add the Key Vault secret URL and the authentication details inside the HTTP step as below

Method: GET

URL: https://djsecrets.vault.azure.net/secrets/Name?api-version=7.2

Audience: https://vault.azure.net

Once all this information is filled in as above, we run the Logic App. It will show the input and output as below

Input

Output
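To make the exchange behind the HTTP step concrete, here is an added Python example; it is not code from the original post, and the Logic App runtime performs these two calls for you when the HTTP action is set to managed identity authentication. It requests a token for the audience https://vault.azure.net from the managed identity endpoint and then calls the secret URL above with that token as a Bearer header. The vault name djsecrets, the secret Name with value DJ Blogs and api-version 7.2 come from the post; the token endpoint is the Azure Instance Metadata Service endpoint used by VM-hosted code, the fake transport is a constructed stand-in for Azure so the example runs offline, and all function names are my own.

```python
"""Token-then-secret exchange behind the Logic App HTTP step (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# Values taken from the post
VAULT_NAME = "djsecrets"
SECRET_NAME = "Name"
KEY_VAULT_AUDIENCE = "https://vault.azure.net"   # the "Audience" field of the HTTP step
KEY_VAULT_API_VERSION = "7.2"

# Assumption: Azure Instance Metadata Service token endpoint used by VM-hosted code.
# Logic Apps obtain the token internally; this endpoint only illustrates the exchange.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

# A transport is (method, url, headers) -> (status, body_text), so the same
# logic can run against Azure or against an offline stand-in.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def secret_url(vault: str, name: str, version: str = "",
               api_version: str = KEY_VAULT_API_VERSION) -> str:
    """Build the secret URL; leaving out the version returns the latest value."""
    path = f"/secrets/{name}" + (f"/{version}" if version else "")
    return f"https://{vault}.vault.azure.net{path}?api-version={api_version}"


def get_msi_token(transport: Transport, audience: str = KEY_VAULT_AUDIENCE) -> str:
    """Request a token for the audience from the managed identity endpoint."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": audience})
    status, body = transport("GET", f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"})
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}: {body}")
    return json.loads(body)["access_token"]


def get_secret(transport: Transport, vault: str, name: str, version: str = "") -> str:
    """Fetch the secret value the way the HTTP GET step does: Bearer token + secret URL."""
    token = get_msi_token(transport)
    status, body = transport("GET", secret_url(vault, name, version),
                             {"Authorization": f"Bearer {token}"})
    if status == 403:
        # Typical symptom of the identity missing from the vault's access policies
        raise PermissionError("identity is not allowed to read this secret")
    if status != 200:
        raise RuntimeError(f"secret request failed with HTTP {status}: {body}")
    # Key Vault answers with {"value": ..., "id": ..., "attributes": {...}}
    return json.loads(body)["value"]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport for use inside Azure (needs network access to IMDS and the vault)."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def fake_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for Azure: answers both calls so the example runs offline."""
    if url.startswith(IMDS_TOKEN_URL):
        if headers.get("Metadata") != "true":
            return 400, '{"error":"Metadata header required"}'
        return 200, json.dumps({"access_token": "fake-token", "token_type": "Bearer"})
    if url.startswith(secret_url(VAULT_NAME, SECRET_NAME).split("?")[0]):
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, '{"error":{"code":"Unauthorized"}}'
        return 200, json.dumps({
            "value": "DJ Blogs",
            "id": f"https://{VAULT_NAME}.vault.azure.net/secrets/{SECRET_NAME}/<version>",
            "attributes": {"enabled": True},
        })
    return 404, "{}"


if __name__ == "__main__":
    print(get_secret(fake_transport, VAULT_NAME, SECRET_NAME))   # DJ Blogs
```

Swap `fake_transport` for `urllib_transport` to run it on an Azure VM with a system assigned identity. The access policy entry only needs the Get secret permission for this call; a 403 from the vault is the usual sign that the identity is missing from the access policies, which the example reports as a PermissionError.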

 

Microsoft: What can a managed identity be used for?

I hope this helps you understand managed identity in Azure and how you can use it.

Keep sharing keep learning 
