Azure – Connect to Key Vault from .Net Core application using Managed Identity – Part 4 – Exploring Managed Identity and Demo

Hi All,

LIFE IS BEAUTIFUL 🙂 I hope we all are safe:) STAY SAFE, STAY HEALTHY 🙂 STAY HOME 🙂

Use Case: We have application where we need to use azure app client secret key / certificate for accessing Microsoft Graph APIs. So we decided to use the Azure Key Vault service to store azure app client secret key and certificate for security reasons. But then again to fetch the client secret key and certificate from Key Vault service we need to authenticate and here Managed Identity service come to picture 🙂

Since this article going to be big lets divide this articles into series. This is fourth and last article in this series: Lets discuss managed identity and access secret from KeyVault in our .NET Core console application

If you didn’t got a chance to go through last two articles, kindly please have a look once –

So lets begin the fun 🙂

Take Away from this article: At the end of this article, we will got to know

  • What is Managed Identity
  • Benefits of Managed Identity / WHY Managed Identity
  • Managed Identity Types
  • How to use Managed Identity for Azure Resource (Azure App Service)
  • How to access secrets from Key Vault service from .NET Core console application without specifying credentials
  • Azure Services that support managed identities for Azure Resources
  • Azure services that support Azure AD authentication

Prerequisites:

  • Azure Key Vault service
  • Azure App Service
  • .NET Core application
  • .NET Core application should be deployed / published as WebJob

What is Managed Identity :

  • Managed identities for Azure resources is a feature of Azure Active Directory​. [Azure Resource : Azure services like Azure Virtual machines or Azure App Services]
  • Managed Identity = Azure AD authentication + Azure RBAC (Role Based Access Management)​
  • These managed identities nothing but Enterprise App (Service Principal), which are only be used for Azure resources​
  • There are two types of Managed Identities are created​
    • User-Assigned ​
    • System-Assigned​
  • When a User-Assigned or System-Assigned Identity is created, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity.​

Benefits of Managed Identity / WHY Managed Identity:

  • No need to maintain the credentials in code or in config files. ​
  • No environment variables need to manage in code​
  • There is no headache associated with Identity ​
  • No credentials requires to manages the Identity ​
  • These managed identities are completely managed by Azure AD​
  • Enterprise App or Service-Principal created behind the scene. This happens automatically. Developers / Admins / Architects – nothing to do anything​
  • Using managed identity, we can authenticate to any service that supports Azure AD authentication without requiring credentials​

Managed identity types : There are two types of managed identity

  • System-assigned managed identities​
    • Is enabled directly on the Azure service instance (like Azure VMs, Azure App Services)​
    • When the identity is enabled Azure creates an identity (Enterprise App) for an instance in the Azure AD tenant​
    • After the identity is created, the credentials are provisioned onto the instance 
    • If the instance is deleted, Azure clean ups the credential and delete the identify (App)​
    • This identity cannot be shared. Can be used only with one Azure Resource​
    • These kind of identities are good when we have have workload only run on a single instance. For example, we have background job running on one VM​
  • User-assigned managed identities​ –
    • This identity is created as separate Azure Resource​
    • While creating user-assigned managed identity, Azure creates an identity (Enterprise App) ​
    • This identity can be used for one or more Azure service instances. Can be shared. ​
    • Life cycle of identity is managed separately. We explicitly need to clean up the identity. Since these identities are not directly tied with any particular Azure SErvice Instance

How to use Managed Identity for Azure Resource (Azure App Service) :

  • Find respective resource from Azure portal – https://portal.azure.com/.
  • Here we will do for Azure App Service – go to your Azure App Service as
Azure - App Service - Identity option from left side pane
Fig : Azure – App Service – Identity option from left side pane
  • Once we click on “Identity” option from left side, we will be redirected to “Identity” blade as
Azure - App Service - Identity blade for App Service
Fig : Azure – App Service – Identity blade for App Service
  • On “App Service | Identity” blade we could see two types of Identities – “System assigned” and “User assigned” as shown in above Fig
  • We could also see the “Status” option as shown in above Fig, from where we could enable / disable (on / off) the Identity
  • Lets enable “System assigned” identity for our App-Service – change the “Status” to “On” and click on “Save” command. We will get one warning dialog as
Azure - App Service -  Enabling the Identity for App Service
Fig : Azure – App Service – Enabling the Identity for App Service
  • Click on “Yes” button. In this way we have enabled the Identity for Azure resource – Azure App Service. Similarly we can enable the Identity for any Azure service which support managed identities.

Calling Azure Key vault service from .Net Core console application :

Azure - App Service - Key Vault services
Fig : Azure – App Service – Key Vault services
  • Next step is to assign permission to our App Service to access Key Vault service which we created
  • This we need to do by adding “Access Policy” to Key Vault service as
Azure - App Service - Key Vault services - Adding new policy
Fig : Azure – App Service – Key Vault services – Adding new policy
  • Click on “+ Add Access Policy” as shown in above Fig
  • We will be redirecting to “Add access policy” page as shown in below Fig
  • Please select following values: please have look at below below fig
    • Configure from template (optional) – Secret management
    • Secret permissions – Permissions which we need to apply. For time being I selected all permissions
    • Select principal – Azure resource for which we enable Identity and which need to access the Key Vault secret. Here in our case our App Service – Knowledge-Junction
Azure - App Service - Key Vault services - Adding new policy - Selecting Principal
Fig : Azure – App Service – Key Vault services – Adding new policy – Selecting Principal – App Service which we created – Knowledge-Junction
Azure - App Service - Key Vault services - Adding new policy
Fig : Azure – App Service – Key Vault services – Adding new policy
  • Now, final step – lets have a look at code in our .NET Core console application
  • We need following packages, add them using NuGet manager as shown in below figures
    • Azure.Identity
    • Azure.Security.KeyVault.Secrets
Azure - .Net Core console application - installing NuGet package - Azure.Identity
Fig : Azure – .Net Core console application – installing NuGet package – Azure.Identity
Azure - .Net Core console application - installing NuGet package - Azure.Security.KeyVault.Secrets
Fig : Azure – .Net Core console application – installing NuGet package – Azure.Security.KeyVault.Secrets
  • Once we have packages in place, we are ready to code :). Following is the code –
  • From the above code see the number of line code require to get the value of from KeyVault 🙂
  • We can read certificate as well using the key used to store the certificate.
  • These either secret or certificate can be used for using Microsoft Graph APIs
  • Also no credentials requires in code and its very secured.
  • Deploy / publish the solution as WebJob to our Azure App Service again and execute the WebJob 🙂

Azure Services that support managed identities for Azure Resources : NOTE : Here I am listing only services and few details. For more details kindly please have a look once – https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-i

  • Azure App Service​
  • Azure Arc enabled Kubernates => Currently only supports System-assigned identity​
  • Azure BluePrints​
  • Azure Cognitive Search => Currently only supports System-assigned identity​
  • Azure Container Instances​
  • Azure Container Registry Tasks => Currently User-assigned identity is in preview​
  • Azure Data Explorer => Currently only supports System-assigned identity​
  • Azure Data Factory V2 => Currently only supports System-assigned identity​
  • Azure Event Grid => Currently only supports System-assigned identity in preview​
  • Azure Functions ​
  • Azure IoT Hub => Currently only supports System-assigned identity​
  • Azure Import/Export => Currently only supports System-assigned identity, available only in the region where Azure Import / Export service is available​
  • Azure Kubernetes Service​
  • Azure Logic Apps​
  • Azure Policy => Currently only supports System-assigned identity​
  • Azure Service Fabric​
  • Azure Spring Cloud => Currently only supports System-assigned identity​
  • Azure Virtual Machine Scale Sets​
  • Azure Virtual Machines​
  • Azure VM Image Builder => Currently only User-assigned identity available in supported region​
  • Azure SignalR Service => Both types are available in preview

Azure services that support Azure AD authentication :

  • Azure Resource Manager​
  • Azure Key Vault​
  • Azure Data Lake​
  • Azure SQL​
  • Azure Event Hubs​
  • Azure Service Bus​
  • Azure Storage blobs and queues​
  • Azure Analysis Services

We have very good series on Azure, lots of discussion on Azure, please visit – https://knowledge-junction.com/?s=azure

Thanks for reading 🙂 If its worth at least reading once, kindly please like and share. SHARING IS CARING 🙂

Share in Teams:

Enjoy the beautiful life 🙂 Have a FUN 🙂 HAVE A SAFE LIFE 🙂 TAKE CARE 🙂

One thought on “Azure – Connect to Key Vault from .Net Core application using Managed Identity – Part 4 – Exploring Managed Identity and Demo

This site uses Akismet to reduce spam. Learn how your comment data is processed.