I am trying to invoke Attest APIs (https://learn.microsoft.com/en-us/rest/api/attestation/attestation/attest-tpm?tabs=HTTP) on an Azure VM with vTPM enabled.
I followed this article and have created the following:
Azure Attestation Service in my subscription
A new policy for TPM attestation
Client with Attestation Reader role
An Ubuntu 20.04.5 instance with vTPM enabled (Secure Boot disabled)
With all the prerequisites set up, I am wondering if it's possible for me to call the Attestation APIs and perform attestation on demand using the Attestation client libraries?
OR, if the attestation is performed only by Azure automatically (the article does not indicate this), is it possible to read and verify the attestation results auto-triggered by Azure? My objective is to see if I can create a client-driven way to attest / verify attestation.
Related
I am using Azure ML, I made my models and now I want to connect them to Data Factory to run some process.
I implemented an endpoint, but I can't find the API key for the endpoints. Right now, I have the REST endpoint, but key-based authentication is not enabled; it's false. Do you know how to generate the API key?
Currently the only way to retrieve the token is by using the Azure Machine Learning SDK or the Azure CLI machine learning extension.
Key-based auth is supported for Azure Container Instance and Azure Kubernetes Service deployed web-services, and token-based auth is only available for Azure Kubernetes Service deployments.
You can find more information here
I am hoping to use a Windows service installed on client machines to talk to an Azure Service Bus. Please note that the service is not installed in the cloud; it is on premises.
During my testing I can
Add items to the queue using the default identity (taking my VS settings)
Add items to the queue using SAS - I want a bit more security, using an endpoint connection string
Add items to a queue using client, tenant and secret using ClientSecretCredentials
but I cannot find anywhere if I can use a certificate to authenticate a service principal.
Is a certificate a good way to go? Are there any better alternatives?
We are using a custom C# library to connect to Azure Key Vault and to do some custom processing on the secrets available in the vault. In turn, this C# library is consumed by a .NET Core Web API application which is deployed on Azure Service Fabric.
Until now, our C# library (used to connect to Azure Key Vault) has been using a secure certificate and an AAD application to connect to Key Vault, but we want to upgrade the library to use the Azure VMSS's (where the VMSS is managed by Azure Service Fabric) system-assigned managed identity to access the Key Vault. Will this work?
Will the VMSS's system-assigned managed identity be available for a class library which is in turn consumed by the Web API hosted on the Azure VMSS? The reason for asking this question is that the VMSS's managed identity is not used by the Web API hosted on the VMSS, but the VMSS's managed identity should be consumed by the C# class library which is used in my Web API project. Please confirm.
It should work, the MSI can be available anywhere within the VMSS. As long as your code is running in the VMSS, it can use the MSI.
To confirm this, you can also try to make an http request to the Azure Instance Metadata Service (IMDS) endpoint in your custom code as the comment mentioned, if you can get the token successfully, it means you can access the MSI.
I am not sure what library you use, but if the library encapsulates the authentication against AAD then it depends on the functionality exposed by it.
Anyway, there's a library published by Microsoft to authenticate against AAD and acquire tokens to KeyVault (among other resources) using system assigned identity / managed identity / any kind of authentication method.
See here https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/identity/Azure.Identity
I have an Azure API Management service communicating with Azure Functions runtime v1. Currently, when I deploy a new version of the Function App (using a CI/CD pipeline in Azure DevOps, and using built-in Microsoft tasks), the function keys (including the master key) change. Consequently, the key that the API Management API is injecting into the requests to the function is no longer valid, and I get a 401 - Unauthorized. So, I have at the moment a task in the pipeline to update these keys any time I deploy the Function App. API Management provides a feature to enable Managed Identity, but when I try to create a role assignment in the Function App for the API Management, under the System assigned managed identity, I don't have the option for the API Management service. So I presume it is not possible to set up this role assignment between the two services, right? If not, then is there any suggestion for a workaround to avoid managing keys for the communication between the API Management service and Azure Functions?
Thanks
UPDATE
Managed Identity can now be used by leveraging the authentication-managed-identity policy.
Yes. Managed Identity cannot be used here.
One alternative would be to protect your function app with an IP restriction using the APIM instance's IP, which is guaranteed to be static as long as it isn't recreated, and setting the function to be an anonymous function.
Note that you might have problems accessing the function from the portal too for which you would have to allow the public IP of the computer you are using to access if required.
Another option would be to
Set up authentication for your function app
Have APIM get an access token with the Client Credentials Flow using the send-request policy
Set this access token in the header to call the anonymous function
You could probably try caching this access token using the cache policies.
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
A mechanism very similar to AWS instance profiles is Managed Service Identity (MSI) for Azure, which was announced in September 2017, though at the time of this writing, it is still in preview. I didn't try it out yet, but it does work the same way as instance profiles on AWS do, by automatically authenticating the VM to a metadata service and allowing you to query for additional credentials without having to hardcode them into your code or image.
Azure also supports IAM.
Microsoft Azure identity and access management solutions help IT protect access to applications and resources across the corporate data center and into the cloud. This enables additional levels of validation, such as multifactor authentication and conditional access policies. Monitoring suspicious activity through advanced security reporting, auditing and alerting helps mitigate potential security issues.
For more detailed information, please refer to this link.
Update:
You do have the ability to create Shared Access Signatures for all three Windows Azure Storage services (BLOBs, Queues and Tables) as well as for Windows Azure Service Bus Brokered Messages (Queues, Topics & Subscriptions). I had a similar question to yours; maybe you could check it.
I found that Azure does not support instance profiles like AWS does.
If you bind a role to an instance on AWS, the AWS system will generate a temporary API access token and write it to the metadata server.
The AWS SDK will automatically fetch the access token from the metadata server, so a service that uses the AWS SDK does not need to configure the SDK's access token.
But Azure's IAM, SAS (shared access signature) and metadata server do not support a mechanism like the above.