
I was reading https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview and midway through realized my brain was boiling.

Is there a more intuitive explanation to what it is and why it eliminates the need to store credentials in the source code?

mark

1 Answer


Try https://azure.microsoft.com/en-us/blog/keep-credentials-out-of-code-introducing-azure-ad-managed-service-identity/.

You can think of it as if your Azure Resource (i.e. a VM) is the identity. Say you want to access a blob in Azure Storage from your Azure virtual machine. One option is to create an AAD application and put the client id and client secret (password) into your code or configuration file. This is the problem that managed identities try to solve.

With a managed identity assigned to the VM, Azure knows that the VM has an identity, so your code just calls storage directly, using the token obtained from the managed identity. You don't need to store a client secret to get that managed identity token, because Azure already knows 'who' the VM is and allows it to use the managed identity implicitly.

kwill
  • Sounds fantastic, is there any catch? By the looks of it, why would I ever use anything but the managed identity when authenticating within Azure? – mark Jan 27 '20 at 03:17
  • The only downside I am aware of there are certain resources where the access may need to be deleted and recreated if the resource behind the managed identity is deleted. This is due to a different thumbprint being issued (SQL Database access is one such resource). As a whole though it is the recommended approach. – DreadedFrost Jan 27 '20 at 03:25
  • It is pretty fantastic :). If you are in Azure then managed identity is the way to go. It also ties nicely into your local dev environment because you don't have to change any code to switch between local dev and Azure managed identity. See https://learn.microsoft.com/en-us/azure/key-vault/service-to-service-authentication – kwill Jan 27 '20 at 04:15
  • Absolutely prefer managed Identities for everything. The main thing to be aware of is that *any app* on the VM can use the managed identity. It's better on App Service where you can't really run other apps side by side and would need a remote code execution vulnerability to be affected. – juunas Jan 27 '20 at 06:18
  • You could use a user-assigned managed identity to be able to delete/recreate the resource without any issues (well, without having to reassign permissions). With a system-assigned managed identity, right, you'd have to reassign permissions. Although it shouldn't really be an issue; it can be done in an ARM template. – 4c74356b41 Jan 27 '20 at 07:48
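The flow kwill's answer describes, as an added example that is not code from the original answer or from Microsoft: a process on the VM asks the Instance Metadata Service (IMDS) for a token and then presents that token to Azure Storage. The endpoint, the `api-version`/`resource`/`client_id` query parameters and the `Metadata: true` header are the documented IMDS interface; `SAMPLE_IMDS_RESPONSE`, `offline_opener` and the token value are constructed here so the block runs outside Azure.

```python
"""Obtain an access token from Azure's managed-identity endpoint without any stored secret.

Added example (not from the original answer). The IMDS endpoint, query parameters and
'Metadata: true' header are the documented interface; SAMPLE_IMDS_RESPONSE and
offline_opener are constructed so the block can run outside Azure.
"""
import io
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Link-local Instance Metadata Service; reachable only from inside the VM, never from the internet.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource: str, client_id: Optional[str] = None) -> urllib.request.Request:
    """Build the token request. Note what is absent: no client id/secret pair, no certificate.

    The platform already knows which VM the request comes from, so the caller only names
    the audience ('resource') it wants a token for.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        # Select a specific user-assigned identity; when omitted, IMDS uses the system-assigned one.
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    # IMDS rejects requests without this header, so a plain redirected or forwarded request
    # that cannot set custom headers does not obtain a token.
    return urllib.request.Request(url, headers={"Metadata": "true"})


def parse_token_response(body: bytes) -> dict:
    """Extract the fields an application actually needs from the IMDS JSON reply."""
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),  # Unix time; cache the token until shortly before this
        "resource": data["resource"],
        "token_type": data["token_type"],
    }


def get_managed_identity_token(
    resource: str,
    client_id: Optional[str] = None,
    opener: Callable = urllib.request.urlopen,
) -> dict:
    """Fetch and parse a token. 'opener' is injectable so the flow can be exercised offline."""
    req = build_token_request(resource, client_id)
    with opener(req, timeout=5) as resp:
        return parse_token_response(resp.read())


def storage_auth_header(token: dict) -> dict:
    """Header the code sends to Azure Storage; the token, not a stored password, proves identity."""
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


# Constructed sample of the IMDS reply shape (values are fake; a real token is a signed JWT).
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.CONSTRUCTED.SAMPLE",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "expires_in": "3599",
    "expires_on": "1580100000",
    "ext_expires_in": "3599",
    "not_before": "1580096400",
    "resource": "https://storage.azure.com/",
    "token_type": "Bearer",
}).encode()


def offline_opener(req: urllib.request.Request, timeout: Optional[float] = None) -> io.BytesIO:
    """Stand-in for urlopen that returns the constructed reply, for running outside a VM."""
    assert req.get_header("Metadata") == "true", "IMDS would reject this request"
    return io.BytesIO(SAMPLE_IMDS_RESPONSE)


if __name__ == "__main__":
    # On a real Azure VM with an identity assigned, drop 'opener=' to call IMDS for real.
    token = get_managed_identity_token("https://storage.azure.com/", opener=offline_opener)
    print(storage_auth_header(token))
```

Two things worth noticing in the request: nothing in it is a secret that could leak through source control, and the only role-selection knob is `client_id`, which is how the user-assigned variant 4c74356b41 mentions survives the VM being recreated. The flip side, as juunas points out, is that identity is bound to the VM rather than to one application: any process on the VM that can reach the link-local endpoint gets the same token, so the VM's process boundary is the trust boundary.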