1. What is the difference between a system-assigned and user-assigned managed identity?
According to my research, a system-assigned managed identity is enabled directly on an Azure service instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.
But, a user-assigned managed identity is created as a standalone Azure resource. After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it's assigned.
For more details, please refer to the document.
2. How to provision an MSI, Azure Key Vault and grant the access
Provision a user-assigned managed identity
According to my research, if we want to provision a user-assigned managed identity, we can use the Azure REST API, Azure PowerShell, or Azure CLI.
For example:
Azure CLI
az login
az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
Azure REST API
a. Get access token with Azure CLI
az login
az account get-access-token
b. Call the REST API
curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>?api-version=2015-08-31-preview' -X PUT -d '{"location": "<LOCATION>"}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"
Provision Azure Key Vault and grant the access
According to my research, if we want to implement it, we can use the Azure REST API, Azure PowerShell, Azure CLI, or an SDK (such as .NET). For more details, please refer to the document.
For example:
Azure REST API
a. Get access token with Azure CLI
az login
az account get-access-token
b. Call the REST API
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}?api-version=2018-02-14
Headers:
Content-Type: application/json
Authorization: Bearer <ACCESS TOKEN>
Body:
{
  "location": "westus",
  "properties": {
    "tenantId": "<your tenant id>",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "accessPolicies": [
      {
        "tenantId": "<your tenant id>",
        "objectId": "<the object id of the MSI>",
        "permissions": {
          "keys": [
            "encrypt", "decrypt", "wrapKey", "unwrapKey", "sign", "verify",
            "get", "list", "create", "update", "import", "delete",
            "backup", "restore", "recover", "purge"
          ],
          "secrets": [
            "get", "list", "set", "delete", "backup", "restore", "recover", "purge"
          ],
          "certificates": [
            "get", "list", "delete", "create", "import", "update",
            "managecontacts", "getissuers", "listissuers", "setissuers",
            "deleteissuers", "manageissuers", "recover", "purge"
          ]
        }
      }
    ],
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true
  }
}
.NET SDK
a. Create a service principal with Azure CLI
az login
az ad sp create-for-rbac -n "MyApp" --role contributor --sdk-auth
b. Code. For more details, please refer to the sample.
// please install package Microsoft.Azure.Management.Fluent
using Microsoft.Azure.Management.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Core;

// Authenticate with the service principal created in step a
var credentials = SdkContext.AzureCredentialsFactory
    .FromServicePrincipal("<the sp app id>",
        "<the sp password>",
        "<your tenant id>",
        AzureEnvironment.AzureGlobalCloud);
var azure = Microsoft.Azure.Management.Fluent.Azure
    .Configure()
    .Authenticate(credentials)
    .WithSubscription("<your subscription id>");

// Create the vault and grant the MSI (by its object id) an access policy
var vault = await azure.Vaults.Define("<vault name>")
    .WithRegion(Region.AsiaSouthEast)
    .WithExistingResourceGroup("<resource group name>")
    .DefineAccessPolicy()
        .ForObjectId("<the object id of the MSI>")
        .AllowCertificateAllPermissions()
        .AllowKeyAllPermissions()
        .AllowSecretAllPermissions()
        .Attach()
    .WithDeploymentEnabled()
    .WithDiskEncryptionEnabled()
    .WithTemplateDeploymentEnabled()
    .WithSku(Microsoft.Azure.Management.KeyVault.Fluent.Models.SkuName.Standard)
    .CreateAsync();
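As an added example that is not part of the answer above, the following Python helper builds the same Key Vault PUT body used in the REST API step, sends it with the standard library, and audits a body's access policies for permissions that let a workload identity alter or destroy vault contents. The tenant, principal, subscription and token values are placeholders, and the DESTRUCTIVE set is this example's own choice, not an Azure-defined list.

```python
import json
import urllib.request

# Permissions this example treats as destructive or state-changing when granted
# to a workload identity (the example's own choice, not an Azure-defined list).
DESTRUCTIVE = {"purge", "delete", "recover", "restore", "backup",
               "import", "update", "create", "set"}


def build_vault_body(tenant_id, principal_id, location="westus",
                     keys=(), secrets=("get", "list"), certificates=()):
    """Body for PUT .../Microsoft.KeyVault/vaults/{vaultName}?api-version=2018-02-14.
    objectId must be the managed identity's principalId (its service principal
    object id), not its clientId; the default grants read-only secret access."""
    return {
        "location": location,
        "properties": {
            "tenantId": tenant_id,
            "sku": {"family": "A", "name": "standard"},
            "accessPolicies": [{
                "tenantId": tenant_id,
                "objectId": principal_id,
                "permissions": {"keys": list(keys), "secrets": list(secrets),
                                "certificates": list(certificates)},
            }],
            "enabledForDeployment": False,
            "enabledForDiskEncryption": False,
            "enabledForTemplateDeployment": False,
        },
    }


def overbroad_policies(body):
    """Return (objectId, sorted destructive permissions) per access policy that grants any."""
    found = []
    for pol in body["properties"].get("accessPolicies", []):
        perms = pol.get("permissions", {})
        granted = {p.lower() for kind in ("keys", "secrets", "certificates")
                   for p in perms.get(kind, [])}
        bad = sorted(granted & DESTRUCTIVE)
        if bad:
            found.append((pol["objectId"], bad))
    return found


def create_vault(subscription_id, resource_group, vault_name, token, body):
    """PUT the vault; token is an ARM access token, e.g. from 'az account get-access-token'."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/"
           f"{resource_group}/providers/Microsoft.KeyVault/vaults/{vault_name}?api-version=2018-02-14")
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Running overbroad_policies over the all-permissions body from the REST step above reports every key, secret and certificate write permission for the MSI's object id, which is the check to make before the PUT is sent.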