What is Managed Identity?

• A system assigned managed identity enables Azure resources to authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in code
• Once enabled, all necessary permissions can be granted via Azure role-based-access-control. The lifecycle of this type of managed identity is tied to the lifecycle of this resource
• Azure Active Directory managed identities simplify secrets management for your cloud application
• Details: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Managed identity types

• System-assigned:
  • Some Azure services allow you to enable a managed identity directly on a service instance
  • Tied to your application and is deleted if your app is deleted
  • An app can only have one system-assigned identity.
• User-assigned:
  • You may also create a managed identity as a standalone Azure resource
  • A standalone Azure resource that can be assigned to your app
  • An app can have multiple user-assigned identities.

Using managed identity to access KeyVault secret

Scenario: A WebApp will access KeyVault and get database connection string from KeyVault secret using managed identity

Prerequisites:

• Create Azure KeyVault and put Secret
• Create App Service plan and App Service

Steps:

• Activate system assigned managed identity in App service
  • Go to resource gorup: https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups
  • Select resource group > Select App Service
  • Settings > Identity > System assigned
  • Status: On
  • Once system assigned managed identity is enabled:
    • App service will be registered to Azure AD
    • Unique Object ID will assigned to app service by Azure AD
    • Other Azure resources (i.e. Azure KeyVault) can set policy to allow App service (using that Object ID)
• Add policy to KeyVault to allow App Service to access secrets
  • Go to resource gorup: https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups
  • Select resource group > Select KeyVault
  • Settings > Access policy > ‘+ Add access policy’
  • Secret permissions
    • Get
    • List
  • Select principal > Search > select
  • Add > Save
• Go to KeyVault and Copy Secret URI
• Added an entry in Application settings of App service for DB connection string
  • App settings key: DBConnectionString
  • App settings value: @Microsoft.KeyVault({referenceString})
    • Example: @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
    • referenceString syntax : https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#reference-syntax

Links

• https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
• https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references