0

I have asp.net core web api app which is hosted in Azure Kubernetes Service and the web api endpoints is secured with Azure Active Directory (AAD). Following the below article,

https://dotnetplaybook.com/secure-a-net-core-api-using-bearer-authentication/

Now I have another asp.net core web api application (Gateway) which is hosted as Azure App Service and this is a client application for above microservice which is hosted in AKS.

I have registered the client app (Gateway) also in AAD and using secret and using this gateway and microservices authenticated and works.

Since AKS hosted microservices talks with Azure App service, can I use Managed Identity so that I don't need to do secret management?

user584018
  • 10,186
  • 15
  • 74
  • 160

1 Answers1

1

So just to clarify, your service deployed in Azure App Service is calling your application deployed in AKS.

If your Azure App Service is acting on its own behalf (ie: it is a daemon app, and users dont interact with that app), then yes, you can simply use a Managed Identity for that App Service and give that identity the API permissions for the app in AKS.

--an update to the above

I wrote some additional details that walks through all steps to achieve this, take a look at this post: https://blog.identitydigest.com/single-tenant-daemon-managed-identity/ . It also has a pointer to a very rudimentary code sample.

udayxhegde
  • 311
  • 1
  • 6
  • Yes. my Azure App Service is acting on its own behalf (ie: it is a daemon app, and users dont interact with that app). how to set the permission? any article or demo code appreciated. Thanks – user584018 Jul 18 '21 at 05:00
  • 1
    The quick answer is: follow the directions in this document: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell. But if more details are useful, I have written something up that I will link to my original answer – udayxhegde Jul 21 '21 at 01:24
  • Hi @udayxhegde, how to cache the token and refresh it automatically? Is there anything built-in available with `azure.identity`? I asked a new question here, https://stackoverflow.com/questions/68547953/how-to-cache-and-refresh-managed-identity-token – user584018 Jul 27 '21 at 15:44