I am trying to use a managed identity from Azure in a non-Azure VM to access my Azure resources. Is this possible?
You can use managed identities with App Service too
In the link below you can see all Azure resources that support managed identities.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities
So here is the scenario.
I have one Linux VM which is inside a vNet. I want to copy a file into an Azure Blob Storage container.
I have already put that file into /tmp folder. I have already installed the azure cli and azcopy.
I need your help.
What do I need to do now? I think I need access first, either system-assigned or user-assigned.
What is the best practice in that regard? System-assigned or user-assigned?
Keep in mind that I have to create a cron job that will copy that file on a daily basis from the VM and put it into Azure Blob Storage.
If your question is which type of Managed Identity you should use the answer is the same it always is in our industry: it depends.
Have a look at What are managed identities for Azure resources? - Managed identity types for a detailed description of the two types of Managed Identities.
System-assigned. Some Azure resources, such as virtual machines allow you to enable a managed identity directly on the resource.
User-assigned. You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more Azure Resources.
Based on the information you provided at this time, I would expect a System-Assigned managed identity to be the best fit for now.
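As an added example that is not part of the answer above, the script below shows the system-assigned route end to end on the poster's VM: one-time operator setup (enable the identity, grant it the data-plane role on the storage account) and the daily job that cron runs, which lets azcopy fetch a token for the VM's own identity so no key or SAS ever sits in /tmp or in the crontab. The resource group "rg-demo", VM "vm-linux", storage account "mystorage", container "backups" and source file /tmp/report.csv are assumed names.

```shell
#!/usr/bin/env bash
# Daily copy of a local file into Blob Storage from an Azure Linux VM using the
# VM's system-assigned managed identity. Added example, not from the thread.
# Assumed names: resource group "rg-demo", VM "vm-linux", storage account
# "mystorage", container "backups", source file /tmp/report.csv.
set -eu

STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-mystorage}"   # assumed name
CONTAINER="${CONTAINER:-backups}"                  # assumed name
SOURCE_FILE="${SOURCE_FILE:-/tmp/report.csv}"      # assumed path

# Destination blob URL: <date>/<basename>, so each daily run lands in its own
# prefix instead of overwriting yesterday's upload.
blob_url() {
  local account="$1" container="$2" file="$3" day="$4"
  printf 'https://%s.blob.core.windows.net/%s/%s/%s' \
    "$account" "$container" "$day" "$(basename "$file")"
}

# One-time operator setup, run from a workstation that may assign roles:
# enable the system-assigned identity, then grant it the data-plane role
# scoped to this one storage account. Owner/Contributor is not needed and
# would not grant blob data access anyway.
setup() {
  az vm identity assign -g rg-demo -n vm-linux >/dev/null
  principal_id=$(az vm show -g rg-demo -n vm-linux \
                   --query identity.principalId -o tsv)
  scope=$(az storage account show -g rg-demo -n "$STORAGE_ACCOUNT" \
            --query id -o tsv)
  az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" \
    --scope "$scope"
}

# What cron runs on the VM. azcopy asks the instance metadata service
# (169.254.169.254) for a token for the VM's own identity; nothing is stored.
upload_daily() {
  [ -r "$SOURCE_FILE" ] || { echo "cannot read $SOURCE_FILE" >&2; return 1; }
  azcopy login --identity
  azcopy copy "$SOURCE_FILE" \
    "$(blob_url "$STORAGE_ACCOUNT" "$CONTAINER" "$SOURCE_FILE" "$(date -u +%F)")"
}

# crontab -e on the VM (02:00 UTC daily):
#   0 2 * * * /usr/local/bin/upload_blob.sh run >> /var/log/upload_blob.log 2>&1
case "${1:-}" in
  setup) setup ;;
  run)   upload_daily ;;
esac
```

If you later move to a user-assigned identity (for example because several VMs should share one role assignment), the only change on the VM side is `azcopy login --identity --identity-client-id <client-id>`; the role assignment then targets that identity's principal instead of the VM's.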
I'm about to create a new Azure AKS cluster and I want to integrate AKS with Azure Key Vault.
A few months ago, during the study phase, I saw that it was necessary to use Azure AD pod-managed identities to do this, but now I found that this will be replaced by Azure AD workload identity.
At this point, I'm a bit confused because the first one will be replaced, but the second one is not ready for production.
Any suggestions?
At the moment, Azure AD pod identity is the way to go. Azure workload identity will replace AAD pod identity, as you already mentioned, because it will solve some limitations, as you can read here. I think there will be documentation on how to migrate from AAD pod identity to Azure workload identity as soon as it goes GA.
You could also use the Azure Key Vault Provider for Secrets Store CSI Driver to integrate Azure Key Vault with your AKS.
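As an added example, not from the answer above or from the CSI driver project, the script below renders the two Kubernetes objects that the Azure Key Vault provider for the Secrets Store CSI Driver needs (a SecretProviderClass and a consuming Pod) in either of the two authentication modes the thread discusses, so the same manifests can be switched from AAD pod identity to Azure AD workload identity later. The key vault "kv-demo", the secret "db-password", the AzureIdentityBinding "kv-binding" and the service account "kv-reader" are assumed names; the tenant and client IDs are placeholders.

```shell
#!/usr/bin/env bash
# Render SecretProviderClass + Pod for the Azure Key Vault CSI provider in
# pod-identity or workload-identity mode. Added example, not project code.
set -eu

# $1 mode (pod-identity|workload-identity), $2 key vault, $3 tenant id,
# $4 client id of the user-assigned identity (workload-identity only),
# remaining args: secret names to mount.
render_spc() {
  local mode="$1" kv="$2" tenant="$3" client_id="$4" auth; shift 4
  case "$mode" in
    pod-identity)      auth='    usePodIdentity: "true"' ;;          # needs pod label aadpodidbinding
    workload-identity) auth="    clientID: \"$client_id\"" ;;        # federated SA, no node-level identity
    *) echo "unknown mode $mode" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv
spec:
  provider: azure
  parameters:
$auth
    keyvaultName: "$kv"
    tenantId: "$tenant"
    objects: |
      array:
EOF
  for s in "$@"; do
    printf '        - |\n          objectName: %s\n          objectType: secret\n' "$s"
  done
}

# Pod that mounts the secrets read-only; only the identity wiring differs.
render_pod() {
  local mode="$1" labels sa
  case "$mode" in
    pod-identity)      labels='    aadpodidbinding: kv-binding'; sa='' ;;   # assumed binding name
    workload-identity) labels='    azure.workload.identity/use: "true"'
                       sa='  serviceAccountName: kv-reader' ;;              # SA annotated with the client id
    *) echo "unknown mode $mode" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kv-demo
  labels:
$labels
spec:
$sa
  containers:
    - name: app
      image: busybox
      command: ["sh", "-c", "cat /mnt/secrets/db-password && sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kv
EOF
}

# Usage: ./kv-csi.sh workload-identity <tenant-id> <client-id>
apply() {
  render_spc "$1" kv-demo "$2" "${3:-}" db-password | kubectl apply -f -
  render_pod "$1" | kubectl apply -f -
}
[ "${1:-}" = "" ] || apply "$@"
```

Whichever mode you pick, the identity (the AzureIdentity's user-assigned identity for pod identity, the federated user-assigned identity for workload identity) still needs a Key Vault access policy or the "Key Vault Secrets User" RBAC role on kv-demo; the manifests only say which identity the driver should use, not what it may read.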
I have an existing Azure Kubernetes Cluster and I'm having a look at Azure Container Apps to see if it could be a good move for me.
With AKS, I'm heavily using Managed Identity for management tasks and also using pod-identity to allow applications to connect to other azure resources without storing credentials.
I tried to find some related documentation for Azure Container Apps but didn't find anything. Is it something that is not documented, or not supported at the moment?
Since Container Apps went GA, it is now available: Managed identities in Azure Container Apps.
Both system-assigned and user-assigned identities are available.
I'm trying to secure communication between two Azure App Services. I tried to use Managed Identity for that, but the only thing I can find is securing database access using Managed Identity.
So I'm kind of lost here: can Managed Identity secure communication between two App Services, or is it just responsible for securing resources like Azure Storage and SQL Server?
The MSI (Managed Identity) is used to secure Azure resources. Essentially, it is a service principal in your Azure AD tenant; when granted the corresponding permission, the MSI will be able to access the corresponding resources.
To secure communication between two Azure App Services, MSI is not for such usage; you need to use Azure AD apps to do this. Register two AD apps in Azure AD, one for the client app and one for the backend app. If you enable the MSI of your App Service, it will just create a service principal, i.e. an enterprise application, for you automatically, without an AD app (app registration).
Please refer to the steps I mentioned in this post.
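To make the "it is a service principal that gets tokens" point concrete, here is an added example (not from the answer above) of what an App Service does with its managed identity at runtime: it asks the local identity endpoint that App Service injects as IDENTITY_ENDPOINT / IDENTITY_HEADER for an access token for a given resource, then decodes the token's claims to check the audience before using it. The resource URI https://storage.azure.com/ and the sample token in the usage are assumptions; the decode step is for inspection only, signature validation is the receiving service's job.

```shell
#!/usr/bin/env bash
# Obtain and inspect a managed-identity token inside an App Service container.
# Added example, not from the thread. IDENTITY_ENDPOINT and IDENTITY_HEADER
# are set by App Service when a managed identity is enabled.
set -eu

# Token request URL for a resource (the audience the token will be issued for).
# 2019-08-01 is the api-version of the App Service identity endpoint.
token_url() {
  printf '%s?api-version=2019-08-01&resource=%s' "$1" "$2"
}

# Decode the base64url-encoded payload (second segment) of a JWT. base64url
# drops padding and swaps '+' '/' for '-' '_', so undo both before base64 -d.
jwt_payload() {
  local seg; seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Call the endpoint; the secret header proves the caller is the app itself,
# which is why this endpoint is only reachable from inside the instance.
get_token() {
  local resource="$1"
  curl -sS -H "X-IDENTITY-HEADER: ${IDENTITY_HEADER}" \
       "$(token_url "${IDENTITY_ENDPOINT}" "$resource")" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Example run on an App Service instance: fetch a token for Azure Storage and
# show the aud/appid claims so a misconfigured resource is caught early.
if [ -n "${IDENTITY_ENDPOINT:-}" ]; then
  tok=$(get_token 'https://storage.azure.com/')
  jwt_payload "$tok" | sed -n 's/.*"aud":"\([^"]*\)".*/aud=\1/p'
fi
```

On a VM the same exchange goes to the instance metadata service (http://169.254.169.254/metadata/identity/oauth2/token with a Metadata: true header) rather than to IDENTITY_ENDPOINT; the token format and the audience check are identical.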
Is it possible to connect to Azure SQL Database by using Managed Service Identity? I'd like to rip out SQL credentials.
Thank you for your advice!
Best
Yes, it is possible. See this article for reference.
If you want to use a Managed Service Identity in an Azure Function you can have a look at this article:
How to use Azure Managed Service Identity (public preview) in App Service and Azure Functions
To authenticate to SQL with a Managed Service Identity you can have a look at this article:
Azure SQL authentication with a Managed Service Identity
It should be enough to achieve what you need.
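The part the linked articles describe that has to be done on the database side is mapping the identity to a contained database user. The script below is an added example (not from the answer or the articles) of that provisioning step: enable the identity on the Function App, then, as the server's Azure AD admin, create the user FROM EXTERNAL PROVIDER and add it to roles, with the identifier escaped so an identity name containing "]" cannot break out of the bracket quoting. The Function App "func-demo", resource group "rg-demo", server "sql-demo" and database "appdb" are assumed names; the sqlcmd invocation assumes the Go-based sqlcmd, which can reuse the operator's az login.

```shell
#!/usr/bin/env bash
# Map an Azure Function's managed identity to a contained Azure SQL user.
# Added example, not from the thread. Assumed names: function app "func-demo",
# resource group "rg-demo", SQL server "sql-demo", database "appdb".
set -eu

# Quote a T-SQL identifier in brackets; a literal ']' inside the name must be
# doubled, otherwise the name would terminate the identifier early.
sql_ident() {
  printf '[%s]' "$(printf '%s' "$1" | sed 's/]/]]/g')"
}

# T-SQL that creates the user for the identity (looked up in Azure AD by its
# display name, which for a system-assigned identity is the app name) and adds
# it to the given roles. No password exists anywhere for this user.
grant_sql() {
  local name="$1" ident role; shift
  ident=$(sql_ident "$name")
  printf 'CREATE USER %s FROM EXTERNAL PROVIDER;\n' "$ident"
  for role in "$@"; do
    printf 'ALTER ROLE %s ADD MEMBER %s;\n' "$(sql_ident "$role")" "$ident"
  done
}

# Operator steps. FROM EXTERNAL PROVIDER only works when the statement is run
# by an Azure AD principal, so this must be the server's AD admin, not a SQL
# login; the Go-based sqlcmd reuses the az login session for that.
provision() {
  az functionapp identity assign -g rg-demo -n func-demo >/dev/null
  sqlcmd -S sql-demo.database.windows.net -d appdb \
    --authentication-method ActiveDirectoryAzCli \
    -Q "$(grant_sql func-demo db_datareader db_datawriter)"
}

[ "${1:-}" = "provision" ] && provision
exit 0
```

Only db_datareader/db_datawriter are granted here; db_owner is almost never needed by an application identity. Once the user exists, the Function's connection string carries no password, just the server, database and an Azure AD managed identity authentication mode, and the driver fetches the token from the identity endpoint on each connection.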