Azure VMSS Managed Identity for internal custom C# library - azure

We are using custom c# library to connect to Azure Key vault & to do some custom processing on the secrets available on the library. In turn this c# library is been consumed by .net core web API application which is deployed on Azure service Fabric.
Till this time, our c# library (used to connect to Azure Key vault) using secure certificate and AAD application to connect to key vault but want to upgrade the library to use Azure VMSS's(where VMSS is managed by Azure Service Fabric) system assigned managed identity to access the key vault. Will this work?
Will the VMSS's system assigned managed identity be available for class library which is in turn consumed by the web api hosted on Azure VMSS? the reason to ask this question is, the VMSS's managed identity is not used by web api hosted on VMSS but the VMSS's managed identity should be consumed by the c# class library which is used in my web api project. Please confirm.

It should work, the MSI can be available anywhere within the VMSS. As long as your code is running in the VMSS, it can use the MSI.
To confirm this, you can also try to make an http request to the Azure Instance Metadata Service (IMDS) endpoint in your custom code as the comment mentioned, if you can get the token successfully, it means you can access the MSI.

I am not sure what library you use, but if the library encapsulates the authentication against AAD then it depends on the functionallity exposed by it.
Anyway, there's a library published by Microsoft to authenticate against AAD and acquire tokens to KeyVault (among other resources) using system assigned identity / managed identity / any kind of authentication method.
See here https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/identity/Azure.Identity

Related

Is Azure Managed Identity enabled for Windows desktop app?

I followed the instructions in this tutorial (option #1 auto-configure): https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-windows-desktop
The generated WPF desktop app works fine and I am able to get it to authenticate to my Azure AD account.
Does this mean that the desktop app is using Azure Managed Identity?
If not, what else do I have to do to accomplish this?
My ultimate goal is to be able to modify the desktop application and access secrets in Azure Key Vault, without having to hardcode credentials or use environment variables.
Does this mean that the desktop app is using Azure Managed Identity?
No, it does not mean that, the desktop app from this doc just uses an AAD App for you to login, nothing related to the managed identity(MSI).
If not, what else do I have to do to accomplish this?
If you want to use MSI to access secrets in azure keyvault, you need to run your code in azure services that supported MSI e.g. azure app service, azure VM, etc, MSI is not available anywhere else.
For the code, just use the Azure Key Vault secret client library for .NET, it uses DefaultAzureCredential to auth, it will try several auth ways automatically, one of them is ManagedIdentityCredential i.e. MSI.
var client = new SecretClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential());
Also you should note, when you use MSI to access azure keyvault secret, it is a non-interactive way and no user will be asked to login(i.e. no user involved), because MSI is essentially a service principal in AAD, when using it to auth, it just makes an API call to the azure instance metadata endpoint to get the token, then use the token to auth.

Secure Azure App Service using Managed Identity (Asp.net Framework 4.7.2)

i'm trying to secure communication between two azure app services. i tried to use Managed Identity for that but the only thing i can find is: securing Database access using Managed identity.
So i'm kinda lost here, is Managed Identity can secure communication between two app services or its just responsible to secure resources like Azure Storage, Sql Server?
The MSI(Managed Identity) is used to secure Azure resources, essentially, it is a service principal in your Azure AD tenant, when granted corresponding permission, the MSI will be able to access corresponding resources.
To secure communication between two azure app services, MSI is not for such usage, you need to use Azure AD Apps to do this, register two AD Apps in Azure AD, one for client-app, and one for backend-app. If you enable the MSI of your App Service, it will just create a service principal i.e. enterprise application for you automatically without AD App(App registration).
Please refer to the steps I mentioned in this post.

Azure Key Vault with Managed Service Identity on self Hosted Web App

Could anyone provide some instruction on how you would go about assigning a Managed Service Identity to a Remotely-hosted Web app?
My application is registered in AAD to enable the use of authentication. I want to remove the appSecret from appsettings and store that in the KeyVault and access the KeyVault using the MSI.
I have looked at the MS docs and followed a few guides, but have not, as of yet, managed to successfully retrieve my secret.
In the first instance, I just wanted to store a secret and get that back, and once that was working, get the client secret using the same approach.
Managed identity only works when you host your app in Azure.
This is because it works as a local endpoint inside the Azure instances.

Is managed identity available for communication between API Management service and Azure functions?

I have an Azure API Management service communicating with Azure functions runtime v1. Currently when i deploy a new version of the Function App (using CI/CD pipeline in Azure Devops, and using built-in microsoft tasks), the function keys (including master key) change. Consequently, the key that the API Management's api is injecting in the requests to the function is not longer valid, and i get a 401 - Unauthorized. So, i have at the moment a task in the pipeline to update these keys anytime i deploy the Function App. The API Management provides a feature to enable Managed Identity, but when i try to create a role assignment in the Function App to the API Management, under the System assigned managed identity, i don't have the option for API Management service. So i presume it is not possible to setup this role assignment between the two services, right? If not, then is there any suggestion for a workaround to avoid manage keys for the communication between API Management service and Azure Functions?
Thanks
UPDATE
Managed Identity can now be used by leveraging the authentication-managed-identity policy.
Yes. Managed Identity cannot be used here.
One alternative would be to protect your function app with an IP restriction using the APIM Instances IP which guaranteed to be static as long as it isn't recreated and setting the function to be an anonymous function.
Note that you might have problems accessing the function from the portal too for which you would have to allow the public IP of the computer you are using to access if required.
Another option would be to
Setup authentication for your function app
Have APIM get an access token with the Client Credentials Flow using the send-request policy
Set this access token in the header to call the anonymous function
You could probably try caching this access token using the cache policies.

Azure website not able to communicate to the third party API

Team,
I have recently migrated my azure classic portal resources to CSP subscription. I have successfully converted my azure cloud service to azure app website in the CSP subscription. But there is one thing i am not able connect. Its the third party API When we had the cloud service we had a .pfx uploaded to azure and in the code we use to create a uri which consists of the certifcate key + certificate secret key.
The certificate key is got directly from web.config. But the certificate secret key is got from EncryptedSettings.Appsettings("SecretKeyName").
This is basically got from the encrypted app setting done earlier by
https://eren.ws/2014/02/04/encrypting-the-web-config-file-of-an-azure-cloud-service/
But i am not sure what way should we implement on Azure website.
I have tried implementing the same but unfortunately it seems the secret key retrieval technique for cloud service is not the same as in the azure web app service.
When i debug the azure web site i can see that it gives the error as.
Failed to decrypt using provider ‘CustomProvider’. Error message from the provider: Value cannot be null.
Parameter name: keyObject
Can anyone please guide me ?
Rather than storing secrets in your config, you may wish instead to store them Azure KeyVault (which also gives you secret management capabilities etc) and then load the secrets at runtime.
KeyVault documentation:
https://learn.microsoft.com/en-us/azure/key-vault/
Specifically how to use keyvault with azure websites:
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application
And these days, don't bother with manual authentication to use keyvault, instead use "Managed Service Identity", here's a tutorial:
https://azure.microsoft.com/en-gb/resources/samples/app-service-msi-keyvault-dotnet/
Interestingly the second tutorial does mention specifically using certificates for the purposes of authentication (against keyvault), you may wish to use this technique for yourself as a simplified way to get direct access to your certificate.

Resources