
We are using a custom C# library to connect to Azure Key Vault and to do some custom processing on the secrets available in the vault. In turn, this C# library is being consumed by a .NET Core Web API application which is deployed on Azure Service Fabric.

Until now, our C# library (used to connect to Azure Key Vault) has been using a secure certificate and an AAD application to connect to Key Vault, but we want to upgrade the library to use the Azure VMSS's (where the VMSS is managed by Azure Service Fabric) system-assigned managed identity to access the Key Vault. Will this work?

Will the VMSS's system-assigned managed identity be available to a class library which is in turn consumed by the Web API hosted on the Azure VMSS? The reason for asking is that the VMSS's managed identity is not used by the Web API hosted on the VMSS directly; rather, the VMSS's managed identity should be consumed by the C# class library which is used in my Web API project. Please confirm.

EnthuAz
  • Just try it out! On the VM (i.e. in your custom code), try to make a POST request to the MSI endpoint and see if it returns your creds: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http – silent Jan 23 '21 at 18:48

2 Answers


It should work, the MSI can be available anywhere within the VMSS. As long as your code is running in the VMSS, it can use the MSI.

To confirm this, you can also try to make an HTTP request to the Azure Instance Metadata Service (IMDS) endpoint in your custom code, as the comment mentioned. If you can get the token successfully, it means you can access the MSI.

Joy Wang
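The IMDS check the answer describes, written out as an added example in C# (this is not code from the answer or from the asker's library). It does what a custom library would do to replace certificate-based AAD authentication: fetch a token for Key Vault from the IMDS identity endpoint using the VMSS's system-assigned identity, then call the Key Vault REST API with it. The documented token request is an HTTP GET with the mandatory `Metadata: true` header. The vault URI and secret name are placeholders. One caveat worth knowing before relying on this: IMDS is reachable from any process on the node, so every service Service Fabric schedules onto that VMSS can obtain the same token; the identity's Key Vault permissions are effectively node-wide, not scoped to your Web API. If you need per-application scoping, Service Fabric also offers managed identities for individual Service Fabric applications.

```csharp
// Added example, not part of the original post. Targets .NET Core 3.1 / .NET 5+;
// uses only the BCL, no NuGet packages.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

public static class ImdsKeyVaultProbe
{
    // IMDS lives on a link-local address and is only reachable from inside the VM/VMSS instance.
    private const string ImdsTokenEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
    // Audience for Key Vault data-plane tokens.
    private const string KeyVaultResource = "https://vault.azure.net";

    // Bypass any configured proxy: a proxy cannot reach the link-local address, and sending the
    // token request through one would hand the token to the proxy.
    private static readonly HttpClient Http = new HttpClient(new HttpClientHandler { UseProxy = false })
    {
        Timeout = TimeSpan.FromSeconds(10)
    };

    public static async Task<string> GetManagedIdentityTokenAsync()
    {
        // System-assigned identity: no client_id / object_id query parameter is needed.
        var url = $"{ImdsTokenEndpoint}?api-version=2018-02-01&resource={Uri.EscapeDataString(KeyVaultResource)}";
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        // Required by IMDS; requests without it are rejected (protects against SSRF-style forwarding).
        request.Headers.Add("Metadata", "true");

        using var response = await Http.SendAsync(request).ConfigureAwait(false);
        var body = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
        if (!response.IsSuccessStatusCode)
        {
            // HTTP 400 with "Identity not found": the VMSS has no system-assigned identity enabled.
            // Connection refused / timeout: the code is not running on an Azure VM (e.g. a dev box).
            throw new InvalidOperationException($"IMDS returned {(int)response.StatusCode}: {body}");
        }

        using var doc = JsonDocument.Parse(body);
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    public static async Task<string> GetSecretAsync(string vaultUri, string secretName)
    {
        var token = await GetManagedIdentityTokenAsync().ConfigureAwait(false);

        // Key Vault REST API: GET {vault}/secrets/{name}?api-version=7.1 (latest version is implied).
        var url = $"{vaultUri.TrimEnd('/')}/secrets/{Uri.EscapeDataString(secretName)}?api-version=7.1";
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

        using var response = await Http.SendAsync(request).ConfigureAwait(false);
        var body = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
        if (!response.IsSuccessStatusCode)
        {
            // 401/403 here means the token was issued fine but the VMSS identity lacks "Get" on secrets
            // in the vault's access policy (or the equivalent RBAC role): an authorization problem, not an MSI one.
            throw new InvalidOperationException($"Key Vault returned {(int)response.StatusCode}: {body}");
        }

        using var doc = JsonDocument.Parse(body);
        return doc.RootElement.GetProperty("value").GetString();
    }

    public static async Task Main()
    {
        // Placeholder vault and secret names; replace with your own.
        var value = await GetSecretAsync("https://my-vault.vault.azure.net", "my-secret");
        Console.WriteLine($"Retrieved secret of length {value.Length}");
    }
}
```

Run it once on a node of the Service Fabric cluster: a token coming back from the first call answers the original question (the identity is available to any code in the process, library or not); a 403 from the second call means the remaining work is granting the VMSS identity access in the vault, not anything in the library.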

I am not sure what library you use, but if the library encapsulates the authentication against AAD then it depends on the functionality exposed by it.

Anyway, there's a library published by Microsoft to authenticate against AAD and acquire tokens for Key Vault (among other resources) using a system-assigned identity / managed identity / any other kind of authentication method.

See here https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/identity/Azure.Identity

  • We are using our own custom C# library, and it encapsulates authentication against AAD using an AAD application and secure certificates deployed on the SF nodes. But going forward we want to do AAD authentication using the contemporary managed identity issued for the VMSS instead of an AAD application and secure certificates. – EnthuAz Jan 25 '21 at 13:09
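What the swap to the Microsoft library looks like in practice, as an added example (not code from the answer, the asker's library, or the Azure SDK docs): the certificate-based code path in the custom library is replaced by `ManagedIdentityCredential` from Azure.Identity plus `SecretClient` from Azure.Security.KeyVault.Secrets. The vault URI and secret name are placeholders. Two choices a practitioner should make deliberately are shown: using `ManagedIdentityCredential` explicitly rather than `DefaultAzureCredential` (so a developer's local `az login` or environment variables can never be silently picked up in production), and telling apart "no identity available here" from "identity exists but is not authorized" in the error handling.

```csharp
// Added example, not part of the original post.
// NuGet packages assumed: Azure.Identity, Azure.Security.KeyVault.Secrets.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public sealed class ManagedIdentitySecretReader
{
    private readonly SecretClient _client;

    public ManagedIdentitySecretReader(string vaultUri)
    {
        // Parameterless ctor = system-assigned identity of the VMSS instance (the credential calls
        // IMDS for you and caches the token until shortly before it expires). For a user-assigned
        // identity you would pass its client ID instead.
        var credential = new ManagedIdentityCredential();
        _client = new SecretClient(new Uri(vaultUri), credential);
    }

    public async Task<string> ReadSecretAsync(string secretName)
    {
        try
        {
            // Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
            KeyVaultSecret secret = await _client.GetSecretAsync(secretName).ConfigureAwait(false);
            return secret.Value;
        }
        catch (CredentialUnavailableException ex)
        {
            // IMDS not reachable or no identity on this VMSS: the code is not running where a
            // managed identity exists (or the identity was never enabled on the scale set).
            throw new InvalidOperationException("No managed identity available on this host.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 401 || ex.Status == 403)
        {
            // Token acquisition worked; the VMSS identity simply lacks Key Vault permission.
            throw new InvalidOperationException(
                $"Managed identity is not authorized to read '{secretName}' (HTTP {ex.Status}).", ex);
        }
    }

    public static async Task Main()
    {
        // Placeholder vault and secret names; replace with your own.
        var reader = new ManagedIdentitySecretReader("https://my-vault.vault.azure.net");
        var value = await reader.ReadSecretAsync("my-secret");
        Console.WriteLine($"Retrieved secret of length {value.Length}");
    }
}
```

Because the credential is created inside the library, the consuming Web API needs no change beyond removing the certificate and AAD application configuration it used to pass in; the identity is a property of the VMSS instance the process runs on, which is exactly why it is available to the class library.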