Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
Net core application and my application communicates to various azure resources such as Storage Account V2. My app is deployed into azure app service. I have various ways for my web app to connect to storage account. Out of them first way is using connection string like below
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(_azureStorageClient.AzureStorageAccount03ConnectionString);
In the above code I am passing connection string. I can get connection string from azure key vault and I can avoid hard coding of connection string in appsettings.json. This is secured I can understand but If someone changes or regenerates access key in storage account accidentally then my app will not work.
I found one more way using app registred in azure portal and give RBAC in storage account.
TokenCredential credential = new ClientSecretCredential(
_authenticationConfig.TenantId, clientId, _authenticationConfig.ClientSecret, new TokenCredentialOptions());
In this way also I can avoid using connection strings and based on roles I can access storage account. But in this case also I will end up with managing client secrete and client id in code/key vault.
I found last option which is using managed identities. I feel this is more reliable way so far.No secretes in code nor in keyvault. This is all my understanding and I am in conclusion that third way is more reliable and I am trying to implement through out the application. So I want to know all my understanding is correct and I can get rid of first two ways and go with third approach and it does not have any problems? Can someone help me weather I am in correct understanding or If I have understood the things in wrong way then someone can help me to design best practices? Any help would be appreciated greatly. Thanks a lot
Where possible do use managed identities as they allow you to access azure resource withouth having to expose secrets. An early blog post by microsoft states:
Your code needs credentials to authenticate to cloud services, but you want to limit the visibility of those credentials as much as possible. Ideally, they never appear on a developer’s workstation or get checked-in to source control. Azure Key Vault can store credentials securely so they aren’t in your code, but to retrieve them you need to authenticate to Azure Key Vault. To authenticate to Key Vault, you need a credential! A classic bootstrap problem. Through the magic of Azure and Azure AD, MSI provides a “bootstrap identity” that makes it much simpler to get things started.
Here is an overview of the supported services. As you can see most services do support managed identities.
Here is a step-by-step tutorial that shows you how to connect to azure storage using managed identities.
Related
In the docs they give an example of how to connect to a hub by using a connection string that contains a Shared Access Signature. So far in my app, I've been able to avoid storing secrets myself by just using managed identities. Is there a way to connect to a Notification Hub with a managed identity instead of a secret? I'd rather not do my own secret management.
Referring to list of supported Azure services that support managed identities for Azure resources it seems not available for it.
You may share your feedback by creating a Feedback item and upvote it. The product group monitors this site for feedback. This is the best way to ensure you are heard and you may receive a response depending on how much they information they can currently share.
Authorization Rules (a.k.a. Access Policies) are associated with a hub and can be accessed using Azure Resource Manager calls, which I believe supports managed identity. I've thought about this but haven't tried it myself. So please report back if it works for you.
I created a Private Link connection between an Azure VM and a CosmosDB MongoDB Account.
In order to clear out the need for token authentication and taking into account the best practices, I assigned a custom role to the Virtual Machine which has permissions to read and write to CosmosDB.
Now I am trying to connect the VM to CosmosDB using Python (pymongo) without any type of authentication on the uri string. Nevertheless, I am having auth errors and I cannot seem to find any relevant example or information regarding this matter.
Is there any way to achieve this? If not, what are my alternatives? Must I use tokens even with a private link?
#Anupam Chand Thank you for your response in the comment section.
Yes, We Can avoid tokens by creating a service principal for your VM and then assign the appropriate RBAC to the service principal. At present .NET , Java and JavaScript SDKs are currently supported. Python SDK not yet available.
Does the Key Vault offer any benefit (security or otherwise) now that an app service can use Managed Identity to authenticate with other Azure resources? (E.g. azure storage and sql)
Is there any reason to use Managed Identity to access Key Vault and get a key for Storage, for example, now that an app service can directly use Managed Identity to talk to Storage?
You should always use Managed Service Identity where available, however they are not ubiquitous across all Azure. The list of supported services is maintained here. Keep in mind that the calling service needs to support authenticating with it's Managed Service Identity and the called service needs to be able to authenticate and authorise using Azure Active Directory.
When you have a service that does not directly support AD authentication (e.g. CosmosDB), then you still need to store and manage keys and KeyVault is still the right place to do this. This also applies to some 3rd party services like Salesforce, AWS, GCP, etc where "federation" may not be in place. You may also have additional sensitive config that you do not want to store in plain text.
Keep in mind that function appsettings can now directly reference KeyVault, saving the overhead of writing code and config to manage this yourself. See this link.
I would also say, that usage of managed identity should be preferred whenever possible. The major benefit I see is getting rid of credentials you have to manage. You outsource the authentication challenge to Microsoft here, and I would say it works very well.
One less credentials you need to protect, refresh, revoke etc.
I also believe that this goes well in the spirit of Infrastructure as a code, where you define you concern yourself with authorisation and leave secure authentication on the provider.
I had gone through this URL which says how to Encrypt the Linux VM, but it does not seem to suit my requirement..
I have a Azure Linux VM(CentOS) that runs Elastic Search and I need to encrypt the data stored in the attached hard disks. And I do not make use of AD.
Are there proper steps that say how to do this, and also using Key Vault ?
I am struggling with the same task currently. You need an AD to create an Application inside, this application needs access to the KeyVault. Azure uses the Application for authorization.
A KeyVault can be created without AD, but it seems to be useless without AD.
I'm looking to manage certain settings of Azure via Azure Powershell from C#. I need to manage subscriptions for many many customers programmatically.
I want to ensure that anytime I open a PowerShell session to deal with particular customer's subscription, nothing of that session is left over in registry, certificate store, etc.
I have management certificates available to me as encrypted byte arrays. I can save them on the hard drive if needed.
I am also happy to call Powershell cmdlets not thru Powershell session but directly thru referencing objects in the .DLL
I would prefre to avoid the use of Management API directly in certain scenarios which is why I'd like to do so via Powershell
Is this possible? If so, how do I avoid using the certificate store? Ideally, I would prefer to just have a way to call into the cmdlet from C# without going thru Powershell session
You should start using Azure Active Directory credentials instead of X.509 certificates. Both the Azure Service Management (ASM) and Azure Resource Manager (ARM) mode of Azure PowerShell supports AAD while certificate authentication can only be used for ASM. Using AAD credentials means you NEVER need to use certificates of X.509 certificates, and be subject to the management difficulties they impose. You would need to be added as a co-admin to your clients subscriptions for ASM support (and the production portal) and provided an appropriate role for ARM support (and the preview portal). However, your customers could restrict your ARM and preview portal access with RBAC.
PowerShell has one cmdlet called clear-azureprofile ... And it clears all connections ... If you really want to be sure you better also clear the IE cookies and start a new PoSh session after both actions (so best to do it at the end of each session)... I agree with Neil btw: Stay clear from the certs... Aim for AAD
BUT ... Why don't you take a look at the management libraries(MAML? It's the basis for all you don't need to call REST and you can avoid PowerShell (that also uses MAML.) it's downloadable as nuget package
Find it here http://www.nuget.org/packages/Microsoft.WindowsAzure.Management.Libraries
And find info on it here http://azure.microsoft.com/en-us/updates/management-libraries-for-net-release-announcement/ and here http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries
Hope this helps!
Only automated way is with a AAD account for the subscription. Be aware, the token expires in 12 hours. See June's fantastic blog post.
http://www.sapien.com/blog/2014/10/23/saving-passwords-for-add-azureaccount/