
I am trying to set up access control on Azure so everything works off of the Managed Identity. I want to make sure I have this right because security is one of those things you never want to get wrong. So...

I first created a Managed Identity. In that Managed Identity, under Access control (IAM) | Role assignments it lists the users that are in this identity, with each having either a contributor or owner role. The managed identity is basically an indirect pointer to the collection of users/roles it has and those user/roles are then given rights via where the managed identity is set - correct?

I next went to my app service to Identity | User assigned and in there clicked Add and added my managed identity to the identity list for my app service. And because I am using the managed identity to let the app service access the database & key vault via the managed service, I do not want a system assigned identity - correct?

I next went to my SQL Server to Identity and in there clicked Add and added my managed identity to the identity list for my app service. I had to also set this as the Primary identity. And again, I don't want a system assigned identity here - correct?

Question: With the app service and SQL Database both having the same managed identity assigned, do I need to follow all these steps? Or is there a simple connection string that says use the shared managed identity?

In the key vault I went to Access control (IAM) and there it already had me listed individually. There is no Identity menu item. It has Add Role Assignment but there's no way to assign a managed identity in that - that I could see. And there's a ton of rights.

Question: How do I tell the Key Vault that my app service, with my managed identity, can read it?

And then, to use all this in my Blazor server app, I add the following code to Program.cs - correct?

Question: Just this and then anything in the key vault will override what's in the app service configuration and appsettings.json - correct?

```csharp
using System;
using Azure.Identity;
using Azure.Extensions.AspNetCore.Configuration.Secrets; // KeyVaultSecretManager
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration; // AddAzureKeyVault extension method
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            // Only pull secrets from Key Vault in production; local runs keep appsettings.json.
            if (context.HostingEnvironment.IsProduction())
            {
                // Build what has been loaded so far to read the vault name from configuration.
                var builtConfig = config.Build();
                var secretClient = new SecretClient(
                    new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
                    new DefaultAzureCredential());
                // Added last, so Key Vault values take precedence over earlier sources.
                config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
            }
        })
        .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
```
David Thielen

2 Answers


In the key vault I went to Access control (IAM) and there it already had me listed individually.

While creating the Azure KeyVault, when we select Permission model as Vault access policy, by default access policies will be created with the name of the User with the KeyVault Reader role, read-only permissions to access the Keys/Secrets/Certificates from the Key Vault.

There is no Identity menu item. It has Add Role Assignment but there's no way to assign a managed identity in that

  • Identity menu will be available when you create a new Access Policy.


  • You can create your own access policy and set the Managed Identity.
  • Based on the selected template the permissions will be set.


  • I have created a new Managed Identity with name HarshuMI.

You can see that it is available under the Principal tab, while creating the new access policy.

anything in the key vault will override what's in the app service configuration and appsettings.json - correct?

Yes, the values which you have set in the appsettings.json will be overridden with the values from the Key Vault with your code.

How do I tell the Key Vault that my app service, with my managed identity, can read it?

As we have already set the Managed Identity in the above steps, we can now read the Key Vault Secrets without any issues.

Refer to this SO thread for more details.

Harshitha
  • This is a giant help, so thank you. One follow up - the links you gave were to how a Blazor/WASM app reads the key vault. Is it the same for Blazor server? And is there not a way to make the key vault part of reading the Configuration? Because if there's specific calls required to get the key, that's a problem for third party libraries that read keys from the configuration. TIA – David Thielen Jul 25 '23 at 15:19
  • Right now, I don't have sample code for Blazor Server. Need to check it. – Harshitha Jul 25 '23 at 15:20
  • AFAIK, the same code works for Blazor Server App as well. – Harshitha Jul 25 '23 at 18:02
  • Unfortunately it won't even compile. What's weird about this is I've found 5 different sets of code that implement this - none compile. So I put a help ticket in the Microsoft and got code that... yep... doesn't compile (3 properties/methods that don't exist). Once I get a workable answer from Microsoft I'll post it here. thanks. – David Thielen Jul 26 '23 at 15:35
  • Could you please share the code which you have tried. Once I get time I will check in Blazor Server. – Harshitha Jul 26 '23 at 16:08
  • Can you share the ticket link here? – Harshitha Jul 26 '23 at 16:09
  • Happy to do so but I think access is private - [How do I set my Blazor server app to read the Key Vault for configuration key=value pairs?](https://portal.azure.com/#view/Microsoft_Azure_Support/SupportRequestDetails.ReactView/id/%2Fsubscriptions%2F81adcd51-7ba0-4436-92c7-a5750332dfe1%2Fproviders%2Fmicrosoft.support%2Fsupporttickets%2F2307250040008537/portalJourney~/true) – David Thielen Jul 26 '23 at 16:38
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/254679/discussion-between-harshitha-and-david-thielen). – Harshitha Jul 26 '23 at 16:52

I'm adding this as an answer so it's more obvious.

You need to install the NuGet package Azure.Extensions.AspNetCore.Configuration.Secrets (which is not documented anywhere). With that it works.

My code (it's working) is:

```csharp
using Azure.Identity; // DefaultAzureCredential
// AddAzureKeyVault(Uri, TokenCredential) comes from Azure.Extensions.AspNetCore.Configuration.Secrets
builder.Configuration.AddAzureKeyVault(
    new Uri("https://[your_host_name].vault.azure.net/"),
    new DefaultAzureCredential());
```
David Thielen
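As an added example (not code from the question or either answer), here is a complete Blazor Server Program.cs that wires the question's user-assigned managed identity into both Key Vault configuration and an Azure SQL connection string. It goes one step beyond the thread: DefaultAzureCredential does not discover a user-assigned identity on its own, so its client id is passed in explicitly. The configuration keys KeyVaultName (from the question) and ManagedIdentityClientId, and the /_Host page, are assumptions.

```csharp
// Added example: Blazor Server (.NET 6+ minimal hosting) Program.cs using a
// user-assigned managed identity for Key Vault configuration and for Azure SQL.
// Assumed (hypothetical) config keys: "KeyVaultName" and "ManagedIdentityClientId".
using Azure.Identity;
using Azure.Extensions.AspNetCore.Configuration.Secrets; // KeyVaultSecretManager
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

if (builder.Environment.IsProduction())
{
    // A user-assigned identity is only used by DefaultAzureCredential when its client id
    // is supplied (here, or via the AZURE_CLIENT_ID environment variable). Without it the
    // credential looks for a system-assigned identity, which this app service does not have.
    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
    {
        ManagedIdentityClientId = builder.Configuration["ManagedIdentityClientId"]
    });

    var vaultUri = new Uri($"https://{builder.Configuration["KeyVaultName"]}.vault.azure.net/");

    // Registered after appsettings.json and App Service settings, so a secret with the same
    // key wins. KeyVaultSecretManager maps the secret name "ConnectionStrings--Db" to the
    // configuration key "ConnectionStrings:Db", so section-style keys work unchanged.
    // The identity needs Get and List secret permissions (the access policy from the first
    // answer) because the provider enumerates every secret at startup.
    builder.Configuration.AddAzureKeyVault(new SecretClient(vaultUri, credential),
                                           new KeyVaultSecretManager());
}

// For Azure SQL the same identity authenticates with no password in the string
// (Microsoft.Data.SqlClient); "User Id" is the user-assigned identity's client id:
//   Server=tcp:<server>.database.windows.net,1433;Database=<db>;
//   Authentication=Active Directory Managed Identity;User Id=<client-id>
// Since it holds no secret, this string can live in appsettings.json instead of the vault.

builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();

var app = builder.Build();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");
app.Run();
```

Any library that reads IConfiguration (including third-party ones) sees the vault values transparently, since they are merged into the same configuration root rather than fetched by separate calls.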