Before: VM1 code, config, user cred/connection string to SQL1
New: Azure Key Vault for storing secrets, but VM1 still needs access to the Key Vault, hm…better way? No keys at all?
Can we have zero secrets in the code?
Azure Managed Identity
- System assigned management identity
- User assigned management identity
System assigned management identity (1 to 1)
- VM1(source)->Identity->System assigned->enable
- SQL1 (target)->IAM->Add role assignment->grant permission (e.g. Contributor)->Assign access to->VM1
- Each identity is tightly coupled to the Azure resource
This is a special type of service principal which provides the following extra features:
- Automatic credential rotation
- Better identity lifecycle management: when done with VM1 and it is removed, all associated identities are removed too
- No keys need to be stored in the code; authentication happens automatically
User assigned management identity (many to 1)
- VM1,2, 3, 4, 5-> SQL1
- A user assigned managed identity is created independently of the source resource.
- Managed Identities->Add->MyUserIdentity
- VM1->Identity->User assigned->Add->MyUserIdentity
- SQL1->IAM->Add role assignment->Contributor->Assign access to->User assigned managed identity->MyUserIdentity
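What "zero secrets in the code" looks like on VM1 for both the system assigned and the user assigned flows above. Added example, not from the original notes: it talks to the Azure Instance Metadata Service (IMDS) token endpoint that managed identities use on a VM; the sample response and the client_id value are constructed placeholders.

```python
import json
import time
import urllib.parse
import urllib.request

# Link-local IMDS endpoint that a VM's managed identity uses to get tokens; no key or password involved.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"
SQL_RESOURCE = "https://database.windows.net/"  # token audience for Azure SQL (SQL1)

def build_imds_token_request(resource, client_id=None):
    """Return (url, headers). Without client_id the VM's system assigned identity is used;
    the client_id of a user assigned identity (e.g. MyUserIdentity) selects that one instead."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # The Metadata header is mandatory; IMDS rejects requests without it (mitigates SSRF-style abuse).
    return url, {"Metadata": "true"}

def parse_token_response(body):
    """Extract the bearer token and its expiry (unix seconds) from the IMDS JSON reply."""
    data = json.loads(body)
    return {"access_token": data["access_token"],
            "expires_on": int(data["expires_on"]),
            "resource": data["resource"]}

def token_is_fresh(token, now=None, skew=300):
    """True while the token is at least `skew` seconds from expiry; refresh it before that."""
    now = time.time() if now is None else now
    return token["expires_on"] - skew > now

def fetch_sql_token(client_id=None):
    """Live call from VM1: only the VM's identity is used, nothing stored in code or config."""
    url, headers = build_imds_token_request(SQL_RESOURCE, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode())

# Constructed sample reply (placeholder token) shaped like a real IMDS response.
SAMPLE_RESPONSE = json.dumps({"access_token": "eyJ...PLACEHOLDER", "expires_on": "1700003600",
                              "resource": SQL_RESOURCE, "token_type": "Bearer"})
# On VM1 the access_token is handed to the SQL driver (pyodbc attribute SQL_COPT_SS_ACCESS_TOKEN)
# instead of a username/password in the connection string.
```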
|System assigned|User assigned|
|---|---|
|Created with the Azure resource|Created independently of the resource|
|Automatic identity lifecycle management|Manual identity lifecycle management|
|Cannot be shared with multiple resources|Can be shared with multiple resources|
For and with Azure AD
Azure services that can use managed identities to access other services:
But what if on-prem?
- On-prem: use Key Vault and Azure AD to secure keys, config and so on