Keeping credentials safe and secure has always been a priority, and even more so in the cloud, where your application or virtual machine often needs to authenticate to additional cloud services and the credentials for that have to live somewhere.

Within Microsoft Azure, managed identities are one of the security precautions that can help with exactly this problem.

Overview

Does your application need access to an additional Azure resource or a Key Vault secret? You could simply embed a credential and allow it, but you want to restrict that access as tightly as possible, and preferably avoid having secrets stored on a local device, even temporarily, while you deploy your code.

Creating a managed identity gives your Azure resource (for example a virtual machine) its own identity in Azure AD, so it can authenticate and be granted exactly the access or secret it requires without any credential in your code or on the device. Azure manages the credential behind that identity; your application never sees or stores it.

How do Managed Identities work?

There are two types of managed identities: system-assigned managed identity and user-assigned managed identity.

System-assigned managed identity – This identity is enabled directly on the Azure service instance, giving that instance its own identity within Azure AD. 
Note:- The lifecycle of this identity is tied to the instance: it exists only until the instance is deleted or the identity is disabled. Once that happens, Azure automatically removes the identity from Azure AD.

User-assigned managed identity – A standalone Azure resource that creates an identity within Azure AD which can be assigned to one or more Azure service instances. 
Note:- This identity is not cleaned up automatically. Deleting the instances it was assigned to leaves it in place, and removing it requires user action.
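To make the "gives the instance an identity" point concrete, here is an added example (not from the original post) of what a process on such a VM actually does to use that identity: it asks the VM's local Azure Instance Metadata Service (IMDS) endpoint for a token and never handles a password or key. The endpoint address, API version and `Metadata: true` header are the ones Azure documents; the sample reply embedded below is constructed to look like a real IMDS reply and its token value is a placeholder. The `client_id` parameter is only needed for a user-assigned identity, because a VM can carry several of those.

```shell
#!/bin/sh
# Added example (not from the original post): obtaining a token for the VM's
# managed identity from the Azure Instance Metadata Service. Requires curl on
# the VM; everything below except fetch_token also runs offline.
IMDS_TOKEN_ENDPOINT="http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION="2018-02-01"

# Constructed sample of an IMDS token reply (field set is real, values are not).
SAMPLE_REPLY='{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.example","client_id":"11111111-2222-3333-4444-555555555555","expires_in":"3599","expires_on":"1700003599","ext_expires_in":"3599","not_before":"1699999699","resource":"https://vault.azure.net","token_type":"Bearer"}'

# Percent-encode the characters that occur in Azure resource (audience) URIs.
urlencode() {
  printf '%s' "$1" | sed -e 's/:/%3A/g' -e 's|/|%2F|g'
}

# Build the token request URL. $1 = resource URI the token is for
# (https://vault.azure.net, https://management.azure.com/ ...),
# $2 = optional client ID of a user-assigned identity. Without $2, IMDS
# issues the token for the VM's system-assigned identity.
imds_token_url() {
  url="${IMDS_TOKEN_ENDPOINT}?api-version=${IMDS_API_VERSION}&resource=$(urlencode "$1")"
  if [ -n "$2" ]; then
    url="${url}&client_id=$2"
  fi
  printf '%s' "$url"
}

# Extract a string field ($1) from an IMDS JSON reply ($2); IMDS returns
# every value, including the timestamps, as a JSON string.
json_field() {
  printf '%s' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Succeed if the token in reply $1 is valid for at least $2 more seconds
# (default 300). $3 overrides "now" (epoch seconds) so the check is testable.
token_usable() {
  expires_on=$(json_field expires_on "$1")
  skew=${2:-300}
  now=${3:-$(date +%s)}
  [ -n "$expires_on" ] && [ "$expires_on" -gt $((now + skew)) ]
}

# Fetch a token from IMDS. The "Metadata: true" header is mandatory: IMDS
# rejects requests without it, which is what keeps a redirect or SSRF from a
# web application from reaching this endpoint. Never drop it.
# IMDS answers 404 for a short time after an identity is first enabled and
# 429 when throttled, so retry a few times with a growing delay.
fetch_token() {
  attempt=1
  while [ "$attempt" -le 5 ]; do
    reply=$(curl -s -H "Metadata: true" "$(imds_token_url "$1" "$2")") || reply=""
    if [ -n "$(json_field access_token "$reply")" ]; then
      printf '%s' "$reply"
      return 0
    fi
    sleep "$attempt"
    attempt=$((attempt + 1))
  done
  return 1
}

# Usage on a VM (system-assigned identity, Key Vault audience):
#   reply=$(fetch_token "https://vault.azure.net")
#   token=$(json_field access_token "$reply")
#   curl -s -H "Authorization: Bearer $token" \
#     "https://<vault-name>.vault.azure.net/secrets/<secret-name>?api-version=7.4"
```

The token is scoped to one audience (the `resource` parameter), so a token minted for Key Vault cannot be replayed against Resource Manager; request a separate token per service. Cache the reply and reuse it while `token_usable` succeeds rather than calling IMDS on every request.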

What Azure resources can use Managed Identities?

Managed Identity with a Windows VM:

  • Azure Data Lake Store access
  • Azure Resource Manager access
  • Azure SQL access
  • Azure Storage using either access key or shared access signatures
  • Access a non-Azure AD resource using a secret retrieved from Azure Key Vault

Managed Identity with a Linux VM:

  • Azure Data Lake Store access
  • Azure Resource Manager access
  • Azure Storage using either access key or shared access signatures
  • Access a non-Azure AD resource using a secret retrieved from Azure Key Vault

Additional services that can use Managed Identity:

Enabling Managed Identity on a Virtual Machine (System-assigned managed identity)

Azure Portal

Select Virtual Machine

Select Settings -> Identity -> System assigned, set Status to On and save

This creates a managed identity within Azure AD for the virtual machine. On its own the identity has no permissions: grant it access with an Azure role assignment scoped to the specific resource it needs (or a Key Vault access policy), rather than a broad role on the subscription.

CLI

az vm identity assign -g tamops -n tamops-vm

Enabling Managed Identity on a Virtual Machine (User-assigned managed identity)

First create the user-assigned managed identity itself (Managed Identities -> Create in the portal, or az identity create), then:

Select Virtual Machine

Select Settings -> Identity -> User assigned, then click Add

Select the user-assigned managed identity to attach to the virtual machine and select Add

CLI

az vm identity assign -g tamops -n tamops-vm --identities tamops-MI
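The post shows the attach step on its own; as an added example (not the original post's code), the script below carries the user-assigned procedure through end to end with the az CLI: create the identity, attach it to the VM, grant it the least-privilege role it needs on one Key Vault, verify, and clean up. The resource group, VM and identity names are the post's (`tamops`, `tamops-vm`, `tamops-MI`); the Key Vault name `tamops-kv` is assumed. Setting `AZ=echo` prints the commands instead of running them, which is how the script can be checked without a subscription.

```shell
#!/bin/sh
# Added example (not from the original post): user-assigned managed identity
# on a VM, end to end, with the role assignment the post does not yet show.
# Names: tamops / tamops-vm / tamops-MI from the post; tamops-kv is assumed.
# Set AZ=echo to dry-run (prints each az command instead of executing it).
set -eu
AZ=${AZ:-az}
RG=${RG:-tamops}
VM=${VM:-tamops-vm}
MI=${MI:-tamops-MI}
KV=${KV:-tamops-kv}

# 1. Create the standalone identity resource. It lives independently of the
#    VM and is not deleted when the VM is. Prints the Azure AD principal ID.
create_identity() {
  $AZ identity create -g "$RG" -n "$MI" --query principalId -o tsv
}

# 2. Attach it to the VM (the same command as in the post).
assign_identity() {
  $AZ vm identity assign -g "$RG" -n "$VM" --identities "$MI"
}

# 3. Least privilege: read secrets on this one vault only, not a
#    subscription-wide role. $1 = principal ID from create_identity.
#    Assumes the vault uses the Azure RBAC permission model.
grant_secret_read() {
  principal=$1
  scope=$($AZ keyvault show -g "$RG" -n "$KV" --query id -o tsv)
  $AZ role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$scope"
}

# 4. Verify what the VM now carries: identity type and attached identity IDs.
show_vm_identity() {
  $AZ vm identity show -g "$RG" -n "$VM" -o json
}

# Detach and delete. Unlike a system-assigned identity, none of this happens
# automatically, so a forgotten identity keeps its role assignments.
cleanup_identity() {
  $AZ vm identity remove -g "$RG" -n "$VM" --identities "$MI"
  $AZ identity delete -g "$RG" -n "$MI"
}

main() {
  principal=$(create_identity)
  assign_identity
  grant_secret_read "$principal"
  show_vm_identity
}

# Run the whole procedure with: sh mi-setup.sh --run
case "${1:-}" in
  --run) main ;;
esac
```

If the vault still uses the older access-policy model instead of Azure RBAC, replace the role assignment with `az keyvault set-policy -n "$KV" --object-id "$principal" --secret-permissions get list`. In both cases the VM gets read access to secrets in that vault and nothing else, which is the point of giving the identity to the VM rather than a service principal with broad rights.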

A lengthy blog post in relation to Azure Identity Management, specifically around Virtual Machine Identity Management. I will look at a follow-up blog that will detail the process of implementing a KeyVault with this virtual machine and how Identity Management can be used to retrieve secrets.