I recently set up my .NET Core application to use MSI (Managed Identity) to communicate with Azure Blob.
Does MSI work with Azure Table Storage? Can't seem to find any documentation on it.
I am trying to use MSI so I don't have to manage my keys anymore (keyless).
Azure Table Storage does not support MSI. Table Storage does support Active Directory access. You can find the services that support MSI at the link below:
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-msi
Managed identity provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
This is now supported using the latest version of https://www.nuget.org/packages/Azure.Data.Tables/ (12.2.1).
You can now create a client using something like:
var tableServiceClient = new TableServiceClient(uri, new DefaultAzureCredential());
Make sure you've assigned the correct permissions in Azure for the identity to read from the resource.
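The following is an added example (not the answer's own code) of the keyless pattern this answer describes, carried through to actual table operations with Azure.Data.Tables 12.x. The storage account name, table name and role assignment are assumptions; DefaultAzureCredential never falls back to a shared key, so an identity without a Table data role gets a 403 on the first request rather than silently using a key.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Data.Tables;
using Azure.Identity;

// Added example, not from the original answer. Placeholder account/table names;
// assumes the running identity holds a Table data role such as
// "Storage Table Data Contributor" on the storage account.
public static class TableStorageWithManagedIdentity
{
    private const string AccountName = "<storage-account-name>"; // placeholder
    private const string TableName = "auditlog";                  // placeholder

    public static async Task Main()
    {
        var endpoint = new Uri($"https://{AccountName}.table.core.windows.net");

        // DefaultAzureCredential tries environment variables, managed identity (IMDS),
        // then developer sign-ins (Visual Studio, Azure CLI, ...). On App Service or a
        // VM with MSI enabled, the ManagedIdentityCredential step succeeds and no
        // account key exists anywhere in the app's configuration.
        var serviceClient = new TableServiceClient(endpoint, new DefaultAzureCredential());

        TableClient table = serviceClient.GetTableClient(TableName);
        await table.CreateIfNotExistsAsync(); // idempotent; no-op if the table exists

        // Constructed sample row.
        var entity = new TableEntity(partitionKey: "auth", rowKey: Guid.NewGuid().ToString("N"))
        {
            ["Event"] = "login",
            ["Principal"] = "svc-reporting",
            ["OccurredAt"] = DateTimeOffset.UtcNow,
        };
        await table.AddEntityAsync(entity);

        // Query the partition back; the SDK translates the lambda into an OData filter.
        await foreach (TableEntity row in table.QueryAsync<TableEntity>(e => e.PartitionKey == "auth"))
        {
            Console.WriteLine($"{row.RowKey}: {row.GetString("Event")} by {row.GetString("Principal")}");
        }
    }
}
```

In production, consider swapping `DefaultAzureCredential` for `ManagedIdentityCredential` so the app cannot accidentally run under a developer's cached Azure CLI sign-in; the credential chain is the only thing that changes.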
Related
I followed the instructions in this tutorial (option #1 auto-configure): https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-windows-desktop
The generated WPF desktop app works fine and I am able to get it to authenticate to my Azure AD account.
Does this mean that the desktop app is using Azure Managed Identity?
If not, what else do I have to do to accomplish this?
My ultimate goal is to be able to modify the desktop application and access secrets in Azure Key Vault, without having to hardcode credentials or use environment variables.
Does this mean that the desktop app is using Azure Managed Identity?
No, it does not mean that; the desktop app from this doc just uses an AAD app for you to log in, nothing related to managed identity (MSI).
If not, what else do I have to do to accomplish this?
If you want to use MSI to access secrets in Azure Key Vault, you need to run your code in Azure services that support MSI, e.g. Azure App Service, Azure VM, etc.; MSI is not available anywhere else.
For the code, just use the Azure Key Vault secret client library for .NET. It uses DefaultAzureCredential to authenticate, which tries several authentication methods automatically; one of them is ManagedIdentityCredential, i.e. MSI.
var client = new SecretClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential());
Also note that when you use MSI to access an Azure Key Vault secret, it is a non-interactive flow and no user will be asked to log in (i.e. no user is involved), because MSI is essentially a service principal in AAD; when using it to authenticate, it just makes an API call to the Azure Instance Metadata endpoint to get the token, then uses the token to authenticate.
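An added example (not the answer's code) that expands the one-liner above into a small helper: it lets you choose between DefaultAzureCredential for local development and ManagedIdentityCredential for deployed code, and distinguishes "no MSI on this host" from "MSI present but not authorised". The vault URL, secret name and the KEYVAULT_URL environment variable are assumptions; the exception types are the real ones from Azure.Identity and Azure.Core.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example, not from the original answer. Placeholder vault URL/secret name.
public static class KeyVaultWithManagedIdentity
{
    public static async Task<string> ReadSecretAsync(Uri vaultUri, string secretName, bool allowLocalDevFallback)
    {
        // ManagedIdentityCredential only talks to IMDS (or the App Service identity
        // endpoint) and never picks up a developer's cached CLI / Visual Studio sign-in,
        // so it is the safer choice for deployed code. DefaultAzureCredential is handy
        // locally precisely because of that fallback chain.
        TokenCredential credential = allowLocalDevFallback
            ? new DefaultAzureCredential()
            : new ManagedIdentityCredential(); // pass a clientId here for a user-assigned identity

        var client = new SecretClient(vaultUri, credential);
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (CredentialUnavailableException ex)
        {
            // No identity endpoint reachable: the code is not running on an MSI-enabled Azure host.
            throw new InvalidOperationException("Managed identity is not available on this host", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A token was obtained, but the identity lacks an access policy / "Key Vault Secrets User" role.
            throw new InvalidOperationException($"Identity is not authorised to read secret '{secretName}'", ex);
        }
    }

    public static async Task Main()
    {
        // Assumption: the vault address (not a secret) comes from app configuration.
        var vaultUri = new Uri(Environment.GetEnvironmentVariable("KEYVAULT_URL")
                               ?? "https://<vault-name>.vault.azure.net/"); // placeholder
        string value = await ReadSecretAsync(vaultUri, "db-connection-string", allowLocalDevFallback: false);
        Console.WriteLine($"secret length: {value.Length}"); // never log the value itself
    }
}
```

Because the two failure modes surface as different exceptions, a deployment pipeline can tell a missing identity assignment (fix the resource) apart from a missing role or access policy (fix Key Vault) without anyone reading the raw stack trace.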
We are using a custom C# library to connect to Azure Key Vault and to do some custom processing on the secrets available to the library. In turn this C# library is consumed by a .NET Core Web API application which is deployed on Azure Service Fabric.
Until now, our C# library (used to connect to Azure Key Vault) has used a secure certificate and an AAD application to connect to Key Vault, but we want to upgrade the library to use the Azure VMSS's (where the VMSS is managed by Azure Service Fabric) system-assigned managed identity to access the Key Vault. Will this work?
Will the VMSS's system-assigned managed identity be available to a class library which is in turn consumed by the Web API hosted on the Azure VMSS? The reason for asking is that the VMSS's managed identity is not used by the Web API hosted on the VMSS, but the VMSS's managed identity should be consumed by the C# class library which is used in my Web API project. Please confirm.
It should work; the MSI can be available anywhere within the VMSS. As long as your code is running in the VMSS, it can use the MSI.
To confirm this, you can also try to make an HTTP request to the Azure Instance Metadata Service (IMDS) endpoint in your custom code, as the comment mentioned; if you can get the token successfully, it means you can access the MSI.
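Here is the IMDS probe this answer suggests, as an added diagnostic that is not part of the original answer. The link-local address, `api-version`, `Metadata: true` header and response fields are the documented ones; choosing Key Vault as the `resource` is an assumption. It reports only token metadata, never the token itself.

```csharp
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Added diagnostic, not from the original answer. Run it from the process that
// hosts your class library on the VMSS instance; exit code 0 means MSI is usable.
public static class ImdsProbe
{
    // Documented IMDS token endpoint; the resource (Key Vault) is an assumption.
    private const string ImdsTokenUrl =
        "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net";

    public static async Task<bool> ManagedIdentityIsReachableAsync()
    {
        using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(3) }; // link-local, should answer quickly
        using var request = new HttpRequestMessage(HttpMethod.Get, ImdsTokenUrl);
        request.Headers.Add("Metadata", "true"); // mandatory; IMDS rejects requests without it

        try
        {
            using HttpResponseMessage response = await http.SendAsync(request);
            if (!response.IsSuccessStatusCode)
            {
                // 400 here typically means no identity is assigned to the scale set.
                Console.WriteLine($"IMDS answered {(int)response.StatusCode}: identity not assigned or not enabled");
                return false;
            }

            using JsonDocument doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
            JsonElement root = doc.RootElement;
            // The access_token field is a bearer credential: log the surrounding metadata only.
            Console.WriteLine($"token for {root.GetProperty("resource").GetString()} " +
                              $"issued to client_id {root.GetProperty("client_id").GetString()}, " +
                              $"expires_on={root.GetProperty("expires_on").GetString()}");
            return true;
        }
        catch (HttpRequestException ex)
        {
            // No route to 169.254.169.254: not an Azure VM, or IMDS is blocked by host firewall rules.
            Console.WriteLine($"IMDS unreachable: {ex.Message}");
            return false;
        }
        catch (TaskCanceledException)
        {
            Console.WriteLine("IMDS request timed out");
            return false;
        }
    }

    public static async Task Main() =>
        Environment.ExitCode = await ManagedIdentityIsReachableAsync() ? 0 : 1;
}
```

The probe also illustrates why the answer is "anywhere within the VMSS": IMDS is reachable by any process on the instance, not just the Web API that Service Fabric deploys. The flip side for threat modelling is that every workload on that node shares the identity, so grant it only the Key Vault permissions the library actually needs.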
I am not sure what library you use, but if the library encapsulates the authentication against AAD then it depends on the functionality exposed by it.
Anyway, there's a library published by Microsoft to authenticate against AAD and acquire tokens to KeyVault (among other resources) using system assigned identity / managed identity / any kind of authentication method.
See here: https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/identity/Azure.Identity
I'm trying to secure communication between two Azure App Services. I tried to use Managed Identity for that, but the only thing I can find is securing database access using Managed Identity.
So I'm kinda lost here: can Managed Identity secure communication between two App Services, or is it just responsible for securing resources like Azure Storage and SQL Server?
MSI (Managed Identity) is used to secure Azure resources. Essentially, it is a service principal in your Azure AD tenant; when granted the corresponding permission, the MSI will be able to access the corresponding resources.
MSI is not for securing communication between two Azure App Services; you need to use Azure AD apps to do this: register two AD apps in Azure AD, one for the client app and one for the backend app. If you enable the MSI of your App Service, it will just create a service principal, i.e. an enterprise application, for you automatically without an AD app (app registration).
Please refer to the steps I mentioned in this post.
Is it possible to connect to Azure SQL Database by using Managed Service Identity? I'd like to rip out SQL credentials.
Thank you for your advice!
Best
Yes, it is possible. See this article for reference.
If you want to use a Managed Service Identity in Azure function you can have a look at this article:
How to use Azure Managed Service Identity (public preview) in App Service and Azure Functions
To authenticate to SQL with a Managed Service Identity you can have a look at this article:
Azure SQL authentication with a Managed Service Identity
It should be enough to achieve what you need.
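As an added example (not from the answer or the linked articles), this is the pattern the linked SQL article describes, written against Microsoft.Data.SqlClient and Azure.Identity: acquire a token for the Azure SQL resource with the managed identity and hand it to SqlConnection.AccessToken, so no SQL login or password exists anywhere. The server and database names are placeholders, and it assumes the identity was mapped inside the database with `CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;` and granted the roles it needs.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

// Added example, not from the original answer. Placeholder server/database names;
// assumes CREATE USER ... FROM EXTERNAL PROVIDER has been run for the identity.
public static class SqlWithManagedIdentity
{
    private static readonly TokenCredential Credential = new DefaultAzureCredential();

    public static async Task<SqlConnection> OpenAsync(string server, string database)
    {
        // One scope covers all Azure SQL servers; which databases the identity can
        // reach is decided by the EXTERNAL PROVIDER user mapping inside each database.
        AccessToken token = await Credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://database.windows.net/.default" }), default);

        var builder = new SqlConnectionStringBuilder
        {
            DataSource = $"{server}.database.windows.net",
            InitialCatalog = database,
            Encrypt = true,               // the bearer token travels in the TDS login; keep TLS on
            TrustServerCertificate = false,
            // Note: no User ID / Password in the connection string at all.
        };

        var conn = new SqlConnection(builder.ConnectionString) { AccessToken = token.Token };
        await conn.OpenAsync();
        return conn;
    }

    public static async Task Main()
    {
        await using SqlConnection conn = await OpenAsync("<server-name>", "<database-name>");
        // Shows which principal the database sees, useful when verifying the user mapping.
        await using var cmd = new SqlCommand("SELECT SUSER_SNAME(), DB_NAME()", conn);
        await using SqlDataReader reader = await cmd.ExecuteReaderAsync();
        if (await reader.ReadAsync())
            Console.WriteLine($"connected as {reader.GetString(0)} to {reader.GetString(1)}");
    }
}
```

Tokens expire (typically after about an hour), so acquire a fresh one per connection open as above rather than caching the connection string; the credential object caches and refreshes tokens internally. Newer Microsoft.Data.SqlClient releases can also do this for you via `Authentication=Active Directory Managed Identity` in the connection string, which removes the manual token step.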
Creating a linked service (Azure Data Factory V2) for Azure SQL supports SQL authentication. I want to know if it also supports Azure Active Directory Integrated Authentication.
As of today (Feb '18), ADFV2 can connect to some sources using Managed Service Identity (MSI). In short, the ADFV2 instance is given an identity in the Active Directory as an Active Directory Application. See the docs here. Then the ADFV2 can connect to data sources as that identity.
Although Azure SQL supports Managed Service Identity, accessing Azure SQL Server through MSI is not available for ADFV2 yet. From the docs:
ConnectionString: Specify information needed to connect to the Azure SQL Database instance for the connectionString property. Only basic authentication is supported. Mark this field as a SecureString to store it securely in Data Factory, or reference a secret stored in Azure Key Vault.
As the docs state, you can use the ADFV2 Managed Service Identity to connect to Key Vault and use keys and secrets stored there, which is probably your best bet for limiting security information in configuration.
Keep in mind that the UI for ADFV2 is still quite far behind the API, so you may need to use PowerShell or Azure command line to set it up properly.