Zero credential development with managed identities
•Download as PPTX, PDF•
0 likes•242 views
Introduction to Managed Identities in Azure, what they are and how they work. Also goes through what services they can be used with in Azure, how you can use services without any keys or secrets.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Zero credential development with managed identities
Similar to Zero credential development with managed identities (20)
Recently uploaded
Recently uploaded (20)
Zero credential development with managed identities
- 1. Zero Credential Development with Managed Identities for Azure Resources Virtual Azure Community Day
- 2. Speaker Intro • Joonas Westlin • Developer / Architect @ Zure • Global #1 on Stack Overflow for Azure AD answers, #9 for Azure overall @JoonasWestlin joonasw.net
- 6. Hold on, Key Vault didn’t help anything!
- 7. Keys need to be managed Keys need to be rotated Keys need to be revoked Key issues
- 8. How could we do this better?
- 9. Managed Identities for Azure Resources Managed by Azure Automatically rotated Easily revoked Zero Credentials
- 11. Oh yeah this service is free
- 13. Where can I use it? https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support- managed-identities Virtual Machines VM Scale SetsFunctions Data Factory API Management Blueprints Container Registry Tasks Logic Apps Container Instances Preview App Services Preview Service Fabric Stream Analytics Preview
- 14. What can I access with it? https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support- managed-identities Azure SQL Database Key Vault Data Lake Blob Storage Queue Storage Event Hubs Analysis Services ARM API MS Graph API Any API supporting AAD auth* Service Bus
- 18. Local development • Services like SQL and Storage can be run locally • Must get access tokens differently • No Managed Identity • Can use user identity • Or use client credentials
- 19. https://www.nuget.org/packages/Azure.Identity/ • .NET / Java / JavaScript / Python • Managed Identity • Shared Token Cache (used by e.g. Visual Studio) • AZ CLI • Client id + secret • Client id + certificate • Username + password • Interactive user authentication
- 20. Suggestions for local development • Use DefaultAzureCredential for user authentication • Specify SharedTokenCacheTenantId to be your AAD tenant • Or AZURE_TENANT_ID env var • Specify SharedTokenCacheUsername if necessary • Or AZURE_USERNAME env var • Local AAD accounts seem to work best with shared token cache • Supposed to support MSA/Guest accounts too, but found it varies • Use ClientSecretCredential or CertificateCredential for service authentication • Or specify them as environment variables https://github.com/Azure/azure-sdk-for- net/tree/74f0ae1d265eb6ea2e5b537bcc4a0c5243cd7fd7/sdk/identity/Azure.Identity
- 21. Advanced: Usage against custom APIs • Register at least 1 application permission • Assign the permission(s) to managed identity • Use e.g. api://some-guid-here/.default as the scope • If app ID URI specified for API • You can also use your-api-client-id/.default
- 22. Advanced: Usage against custom APIs
- 23. Advanced: Usage against custom APIs
- 24. PowerShell to the rescue!
- 25. Takeaways • Using Managed Identity is seriously recommended if your app runs on Azure • Access any service that supports Azure AD authentication in a secure way • Free service that can remove all secrets from your code • Use the Azure Identity library • Local development requires some effort