Azure - Managed Identities - Complete Tutorial

Hemanath Kumar J (DEV Community)

Introduction

In cloud computing, managing credentials securely is a critical aspect of application development. Azure Managed Identities provide a seamless way to authenticate services within Azure without needing to manage credentials explicitly. This tutorial aims to equip intermediate developers with a deep understanding of Azure Managed Identities, how to implement them, and their practical use cases.

Prerequisites

  • An active Azure subscription
  • Basic understanding of Azure services
  • Familiarity with Azure CLI or Azure PowerShell

Step-by-Step

Step 1: Understanding Managed Identities

Managed Identities simplify the security management of Azure services by automatically handling credentials. There are two types: System-Assigned and User-Assigned. System-Assigned identities are tied to a specific resource and are deleted when the resource is deleted. User-Assigned identities are standalone Azure resources that can be assigned to multiple services.

Step 2: Creating a System-Assigned Managed Identity

az vm create --resource-group MyResourceGroup --name MyVM --image UbuntuLTS --assign-identity

This command creates a virtual machine with a system-assigned managed identity.

Step 3: Granting Access to a Resource

az role assignment create --assignee <principalId> --role "Reader" --scope /subscriptions/<subscriptionId>/resourceGroups/MyResourceGroup

Replace <principalId> with the managed identity's principal ID and <subscriptionId> with your subscription ID.

Step 4: Accessing Azure Resources using Managed Identity

# Ask the instance metadata service (IMDS) for a token; the endpoint is only reachable from inside the VM
# and requires the Metadata header. `az vm identity show` only prints the identity's IDs, not a token.
$token = (Invoke-RestMethod -Method Get -Headers @{ Metadata = "true" } `
    -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/").access_token
# Present the token as a bearer token to Azure Resource Manager.
$response = Invoke-RestMethod -Method Get -Headers @{ Authorization = "Bearer $token" } `
    -Uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/MyResourceGroup/providers/Microsoft.Web/sites/MyWebApp?api-version=2019-08-01"

This PowerShell script, run on the VM, shows how a process can call the Azure Resource Manager API with the VM's managed identity instead of stored credentials.

Code Examples

The above steps are key to implementing managed identities. Here are additional examples:

  • Assigning a User-Assigned Managed Identity to a VM (`az vm assign-identity` is the deprecated form of this command):
az vm identity assign --resource-group MyResourceGroup --name MyVM --identities <identityId>
  • Fetching a token inside a VM from the instance metadata service (the older localhost:50342 extension endpoint is deprecated):
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H Metadata:true
  • Using Managed Identity to access Azure Key Vault (sign the CLI in as the VM's identity first):
az login --identity
az keyvault secret show --vault-name MyKeyVault --name MySecret --query value --output tsv
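The token request from Step 4 and from "Fetching a token inside a VM", written in Python as an added example that is not part of the original post. `build_imds_request` assembles the IMDS call (adding `client_id` selects a user-assigned identity instead of the system-assigned one), `decode_jwt_claims` inspects the returned token, and `TokenCache` reuses a token until shortly before `expires_on` and rejects one whose `aud` claim is not the resource requested. The IMDS response is replaced by a constructed, unsigned token so the code runs offline; the function and class names are my own.

```python
import base64
import json
import time
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

def build_imds_request(resource, client_id=None, api_version="2018-02-01"):
    """Build (url, headers) for the IMDS token endpoint. No client_id selects the
    system-assigned identity; a user-assigned identity's client ID selects it.
    The Metadata header is mandatory: IMDS rejects requests without it."""
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_claims(token):
    """Read the JWT payload without checking the signature: the resource server
    verifies it, the client only inspects claims (aud, oid, exp)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def constructed_imds_response(resource, expires_on):
    """Constructed stand-in for the JSON IMDS returns (unsigned, offline only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"aud": resource, "oid": "00000000-0000-0000-0000-000000000001",
              "appid": "00000000-0000-0000-0000-000000000002", "exp": expires_on}
    return {"access_token": f"{header}.{_b64url(json.dumps(claims).encode())}.",
            "expires_on": str(expires_on), "resource": resource, "token_type": "Bearer"}

class TokenCache:
    """Reuse a token until shortly before expiry; refuse one whose audience is
    not the resource requested, so it is never presented to the wrong API."""
    def __init__(self, fetch, refresh_margin=300):
        self._fetch, self._margin, self._tokens = fetch, refresh_margin, {}

    def get(self, resource, now=None):
        now = time.time() if now is None else now
        cached = self._tokens.get(resource)
        if cached and int(cached["expires_on"]) - now > self._margin:
            return cached["access_token"]
        fresh = self._fetch(resource)  # on a real VM: GET the url from build_imds_request
        aud = decode_jwt_claims(fresh["access_token"]).get("aud")
        if aud != resource:
            raise ValueError(f"token audience {aud!r} does not match {resource!r}")
        self._tokens[resource] = fresh
        return fresh["access_token"]
```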

Best Practices

  • Regularly review and limit the roles and permissions granted to managed identities.
  • When possible, opt for System-Assigned identities for simplicity and security.
  • Use User-Assigned identities for complex scenarios involving multiple resources.

Conclusion

Azure Managed Identities offer a secure and efficient way to manage credentials for accessing Azure services. By following this tutorial, developers can implement managed identities in their projects, improving security and simplifying credential management.
