e-lo [IT Engineer life]

5 min Security Management Identity Azure

Posted on January 20, 2022January 20, 2022 by espenk

Scenario:
Before: VM1 holds code and config, including a user credential (a connection string with a password) for SQL1.
New: store that credential in Azure Key Vault. But then VM1 needs a credential to reach Key Vault, hm... is there a better way? One with no keys at all?

Can we have zero secrets in the code?
Azure Managed Identity

  • System-assigned managed identity
  • User-assigned managed identity

System-assigned managed identity (1 to 1)

  • VM1 (source) -> Identity -> System assigned -> Enable
  • SQL1 (target) -> IAM (Access control) -> Add role assignment -> pick a role (e.g. Contributor) -> Assign access to -> VM1
  • Each identity is tightly coupled to one Azure resource
  • Caveat: an IAM role such as Contributor is a control-plane (management) permission and is far more than a database client needs. For the VM to actually log in to SQL1, the identity must also be created as an Azure AD user inside the database and given only the database roles it needs (least privilege).

This is a special type of service principal which provides the following extra features:

  • Automatic credential rotation
  • Better identity lifecycle management: when you are done with VM1 and remove it, all associated identities are removed too
  • No keys to store in the code; authentication happens automatically through the identity

User-assigned managed identity (many to 1)

  • VM1, 2, 3, 4, 5 -> SQL1
  • A user-assigned managed identity is created independently of the source resource.
  • Managed Identities -> Add -> MyUserIdentity
  • VM1 -> Identity -> User assigned -> Add -> MyUserIdentity
  • SQL1 -> IAM -> Add role assignment -> pick a role (prefer something narrower than Contributor) -> Assign access to -> User assigned managed identity -> MyUserIdentity
System assigned vs. user assigned

System assigned:
  • Created with the Azure resource
  • Automatic identity lifecycle management
  • Cannot be shared with multiple resources

User assigned:
  • Created independently
  • Manual identity lifecycle management
  • Can be shared with multiple resources
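The application side of the procedure above, as an added example that is not part of the original post: a Python script a process on VM1 could run to get a token for SQL1 from its managed identity (the system-assigned one, or a chosen user-assigned one selected via client_id), check the token before using it, and pack it for the SQL Server ODBC driver. The IMDS endpoint, the Metadata header, the api-version and client_id parameters, the Azure SQL audience and the ODBC attribute id 1256 are documented Azure values; the sample JWT, the identity GUIDs and the server name are constructed placeholders, and the pyodbc connect call is left as a comment because it only works from inside the VM.

```python
"""Added example: the application side of 'zero secrets in the code'.

A process on VM1 asks the local Instance Metadata Service (IMDS) for a token,
checks the token is for the service it is about to call, and hands it to the
SQL driver. No password, key or client secret appears anywhere.
"""
import base64
import json
import struct
import time
import urllib.parse
import urllib.request

# Documented Azure values (not assumptions): the link-local IMDS endpoint,
# the token API version, the Azure SQL token audience and the ODBC attribute
# id the Microsoft SQL Server driver uses for a pre-acquired access token.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
SQL_RESOURCE = "https://database.windows.net/"
SQL_COPT_SS_ACCESS_TOKEN = 1256


def imds_token_request(resource, client_id=None):
    """Build the IMDS request for the VM's managed identity.

    client_id=None  -> system-assigned identity (1:1 with the VM)
    client_id="..." -> one specific user-assigned identity attached to the VM
    Returns (url, headers). Nothing here is a secret: IMDS is reachable only
    from inside the VM, and the 'Metadata: true' header is required so that
    a redirect-following client cannot be tricked into calling it.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}


def fetch_managed_identity_token(resource, client_id=None):
    """Call IMDS from inside an Azure VM and return the parsed JSON body
    (keys include 'access_token' and 'expires_on'). Not runnable off the VM."""
    url, headers = imds_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_claims(token):
    """Return the JWT payload as a dict. No signature check on purpose: the
    resource server (Azure SQL) verifies the signature; the client only
    inspects claims so it does not send a token to the wrong service."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_token(claims, expected_resource, now=None):
    """Refuse a token minted for another audience or already expired; both are
    classic mix-ups when several identities and resources are in play."""
    now = time.time() if now is None else now
    aud = str(claims.get("aud", ""))
    if aud.rstrip("/") != expected_resource.rstrip("/"):
        raise ValueError(f"token audience {aud!r} is not {expected_resource!r}")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token has expired")
    return True


def access_token_struct(token):
    """Pack the token as the SQL Server ODBC driver expects for
    SQL_COPT_SS_ACCESS_TOKEN: 4-byte little-endian byte length, then the token
    as UTF-16-LE. Pass it via pyodbc.connect(..., attrs_before={1256: ...})."""
    data = token.encode("utf-16-le")
    return struct.pack("<I", len(data)) + data


def sample_token(claims):
    """Constructed, unsigned sample JWT for offline use in this example only.
    A real IMDS token is RS256-signed by Azure AD and is never built like this."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"


if __name__ == "__main__":
    # On VM1 this line would be: body = fetch_managed_identity_token(SQL_RESOURCE)
    body = {"access_token": sample_token({
        "aud": SQL_RESOURCE, "exp": int(time.time()) + 3600,
        "oid": "00000000-0000-0000-0000-000000000001"})}  # placeholder identity id
    claims = decode_jwt_claims(body["access_token"])
    check_token(claims, SQL_RESOURCE)
    attrs_before = {SQL_COPT_SS_ACCESS_TOKEN: access_token_struct(body["access_token"])}
    # pyodbc.connect("Driver={ODBC Driver 17 for SQL Server};Server=tcp:sql1.database.windows.net;"
    #                "Database=db1;", attrs_before=attrs_before)   # server name is a placeholder
    print("token accepted for", claims["aud"], "as identity", claims["oid"])
```

The script never reads a password or a client secret; the trust comes from where the request originates. That also means compromise of VM1 is compromise of everything its identity can reach, which is one more reason to keep the role assignment narrow.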

Managed identities live in Azure AD: the identity is an Azure AD service principal, and the tokens it receives are issued by Azure AD.

Azure services that can use managed identities to access other services:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/managed-identities-status

But what if on-prem?

  • Managed identities are tied to Azure resources. An on-prem workload still needs a credential of its own to sign in to Azure AD (a service principal, preferably certificate-based rather than a client secret), and can then read keys, config and so on from Key Vault.


Azure Managed Identities – explained in plain English in 5 mins with a step by step demo – YouTube
