Keys are always needed to access services in Azure and beyond. Storing and managing keys presents many problems, for example rotating and disabling them. Keys often also grant blanket access to the service with no way to limit it. Sometimes there is only one key that must be shared by several services, so there is no way to disable access for one of them individually.
In this talk we will go through Managed Identities for Azure Resources, how they work, and how you can use them to access Azure services in a secure way without having to manage any keys yourself.
We will go through a demo application which uses various Azure services through a managed identity, removing the need for keys entirely. The source code will be available to the audience so they have samples they can use to implement managed identities in their own applications.
12. System-assigned? User-assigned?
• System-assigned identities are tied to a resource like App Service or a VM
• Deleted when the resource is deleted
• User-assigned identities can be assigned to multiple resources
• A resource can have more than one
• Independent lifecycle
15. Where can I use it? (2019)
• Virtual Machines
• VM Scale Sets
• Functions
• Data Factory
• API Management
• Blueprints
• Container Registry Tasks
• Logic Apps (Preview)
• Container Instances (Preview)
• App Services
16. Where can I use it? (2022)
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status
17. What can I access with it? (2019)
• Azure SQL Database
• Key Vault
• Data Lake
• Blob Storage
• Queue Storage
• Event Hubs
• Analysis Services
• ARM API
• AAD & MS Graph API
• Service Bus
• Any API supporting AAD auth*
18. What can I access with it? (2022)
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-azure-active-directory-support
Any API supporting AAD auth*
26. My suggestions
• DefaultAzureCredential = good starting point
• Covers most local scenarios + Azure
• Define the tenant ID through options for the methods that support it, if needed
• ManagedIdentityCredential when running in Azure
• ChainedTokenCredential can be a good alternative to DefaultAzureCredential (customize options and order)
• Use ClientCertificateCredential or ClientSecretCredential locally with custom APIs
27. Summary
• Using Managed Identity is seriously recommended if your app runs on Azure
• Access any service that supports Azure AD authentication in a secure way
• Free service that can remove all secrets from your code
• Use the Azure Identity library
• Local development can require some effort
On App Service the endpoint is on localhost.
Tokens are temporary, but with a 24-hour expiry.
The endpoint has caching, but do not rely on it; always cache in memory.
The library exists for at least .NET, JavaScript, Python, Java and Go.
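The two speaker notes above (fall through to another credential when the managed identity endpoint is absent, and keep tokens cached in memory rather than relying on the endpoint) as an added example, not code from the talk or from the Azure Identity library. The App Service endpoint variables and API version follow the public Azure docs; the class, function and sample names are constructed for this example.

```python
"""Added example (not the talk's code): an in-memory token cache in front of a
chain of token sources. App Service endpoint details follow the public Azure
docs; every other name here is constructed for this example."""
import json
import os
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

@dataclass
class AccessToken:
    token: str
    expires_on: float  # Unix seconds

TokenSource = Callable[[str], Optional[AccessToken]]  # None = cannot serve

def app_service_managed_identity(resource: str) -> Optional[AccessToken]:
    """Token from the App Service identity endpoint (on localhost), or None
    when its variables are absent, e.g. during local development."""
    endpoint, secret = os.environ.get("IDENTITY_ENDPOINT"), os.environ.get("IDENTITY_HEADER")
    if not endpoint or not secret:
        return None
    query = urllib.parse.urlencode({"resource": resource, "api-version": "2019-08-01"})
    req = urllib.request.Request(f"{endpoint}?{query}", headers={"X-IDENTITY-HEADER": secret})
    with urllib.request.urlopen(req, timeout=5) as resp:
        body = json.load(resp)
    return AccessToken(body["access_token"], float(body["expires_on"]))

class CachingChainedCredential:
    """Tries sources in order (like ChainedTokenCredential) and keeps the result
    per resource in memory, refreshing only shortly before expiry."""
    def __init__(self, sources: Sequence[TokenSource], refresh_margin: float = 300.0,
                 clock: Callable[[], float] = time.time):
        self._sources, self._margin, self._clock = list(sources), refresh_margin, clock
        self._cache: dict[str, AccessToken] = {}
        self.source_calls = 0  # counts real round trips to a source

    def get_token(self, resource: str) -> AccessToken:
        cached = self._cache.get(resource)
        if cached and cached.expires_on - self._clock() > self._margin:
            return cached  # served from memory, no endpoint round trip
        for source in self._sources:
            self.source_calls += 1
            token = source(resource)
            if token is not None:
                self._cache[resource] = token
                return token
        raise RuntimeError(f"no source could issue a token for {resource}")
```

In production the first source would be `app_service_managed_identity` and a later one a local developer credential; the cache means a 24-hour token costs one endpoint call per resource per day plus one refresh inside the margin.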