Managed Identities are quickly gaining popularity in application development because they remove the need to store credentials and application secrets within the application. This blog gives an overview of Managed Identities.
Handling keys, secrets and credentials for inter-service communication in Azure is always a difficult and tedious task for application developers and cloud administrators. Saving, managing and rotating credentials is crucial for every application running in the cloud. If this is not handled properly it can cause huge damage to the organisation and introduce vulnerabilities. Cloud administrators also find it difficult to control the use of these credentials within the team. What is a possible solution?
Yes, “MANAGED IDENTITIES”
How Managed Identities Help
Managed identities are almost like service principals in Azure, but better. With a service principal we need to store a secret, and storing secrets is a security issue. Microsoft developed a better way to handle authentication between services in Azure, where the platform manages the authentication. We completely get rid of secrets and credentials. This is much more secure and easier compared to legacy authentication.
Behind the scenes the resource talks to Azure AD, which handles the authentication for you. The resource requests a token from Azure AD and receives a token that identifies it when talking to other resources.
Types of Managed identity
There are two types of managed identity:
1. System assigned identity
2. User assigned identity
A system assigned managed identity is tied to the resource lifecycle. Every resource that supports managed identity has an identity module associated with it, which we can use to create an identity. On the target resource we can then assign a role to the identity attached to the resource. If we delete the resource, the identity is deleted with it.
A user assigned managed identity is more independent: you can assign it to multiple resources, and it is not tied to the lifecycle of any one resource.
An application deployed in a VM wants to automatically create storage accounts when needed.
Solution with managed identity
A managed identity can be created on the VM resource, and that VM can be added as a Contributor in the resource group's role assignments in the Azure subscription. The application deployed in the VM can then request an Azure token using the Managed Identity SDK and perform actions on Azure resources (such as the storage account).
An application deployed in AKS wants to access Key Vault to get application-level credentials.
Solution with managed identity
A user assigned managed identity can be created, associated with the AKS cluster, and given the required role assignments on the Key Vault.
Once the setup is complete, the AKS cluster will be able to connect to the Key Vault and retrieve application-level secrets without storing any secrets in the code.
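As an added example that is not part of the original post, here is what the token flow in the scenarios above looks like at the HTTP level in plain Python (standard library only): the resource asks the Azure IMDS endpoint for a token and then presents it as a Bearer token to Key Vault. The vault name, secret name, client ID and sample IMDS response below are constructed placeholders, and the `fetch` parameter exists only so the flow can be exercised offline.

```python
# Added example (not the blog's code): IMDS token -> Key Vault secret, no stored creds.
import json
import time
import urllib.parse
import urllib.request

# Link-local IMDS endpoint, reachable only from inside the Azure resource.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# Constructed IMDS-style response for offline runs (not a real token):
# pass fetch=lambda url, headers: SAMPLE_IMDS_RESPONSE to the functions below.
SAMPLE_IMDS_RESPONSE = json.dumps({"access_token": "tok123",
                                   "expires_on": "9999999999",
                                   "token_type": "Bearer"})


def _http_get(url, headers):
    """Default transport: plain GET returning the decoded response body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def build_token_request(resource, client_id=None):
    """Return (url, headers) for the IMDS token request; client_id picks a
    user-assigned identity, None means the resource's system-assigned one."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    # IMDS refuses requests lacking 'Metadata: true' (defeats blind redirects).
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}


def get_managed_identity_token(resource, client_id=None, fetch=_http_get):
    """Ask IMDS for a token for `resource`; returns (access_token, expires_on)."""
    url, headers = build_token_request(resource, client_id)
    body = json.loads(fetch(url, headers))
    expires_on = int(body["expires_on"])  # IMDS sends the epoch as a string
    if body.get("token_type") != "Bearer" or expires_on <= time.time():
        raise RuntimeError("IMDS returned an expired or non-bearer token")
    return body["access_token"], expires_on


def get_key_vault_secret(vault_name, secret_name, client_id=None, fetch=_http_get):
    """Read a secret's value from Key Vault using the managed-identity token."""
    token, _ = get_managed_identity_token("https://vault.azure.net", client_id, fetch)
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.4"
    body = json.loads(fetch(url, {"Authorization": f"Bearer {token}"}))
    return body["value"]
```

Inside a VM or AKS pod with an identity attached, calling `get_key_vault_secret("<vault>", "<secret>")` with the default transport performs the real exchange; the `expires_on` check is there because the SDKs cache tokens and so should any hand-rolled client.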