Azure Managed Identity for Containers

This document provides a comprehensive guide to using Azure Managed Identity with containerized applications deployed on Azure Kubernetes Service (AKS) and other Azure container services.

What is Managed Identity?

Azure Managed Identity is a feature of Azure Active Directory (Azure AD) that provides an Azure service with an automatically managed identity in Azure AD. This identity can then be used to authenticate to any service that supports Azure AD authentication, without needing to store credentials (like connection strings or secrets) in your code or configuration.

For containerized applications, this means your pods can securely access other Azure resources like Azure Key Vault, Azure Storage, Azure SQL Database, and more, without managing service principal credentials.

How it Works

When you enable Managed Identity for your container service, Azure assigns an identity to it. This identity can be accessed by your applications running within the containers. The access is facilitated through an Azure instance metadata service endpoint that is exposed within the container environment. Your application can query this endpoint to obtain an OAuth 2.0 access token for a specific Azure resource. This token can then be used to authenticate to that resource.
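To make the token flow concrete, here is an added Python client (not code from this page, from Azure's SDKs, or from the aad-pod-identity project) that does what the SDK's managed-identity credential does under the hood: build the IMDS token request, send the required Metadata header, validate the response, and cache the token until shortly before expiry. The endpoint URL, api-version and response field names are the documented IMDS ones; the sample response, the fake token and the refresh margin are constructed assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

# IMDS token endpoint; in an AKS pod the aad-pod-identity NMI intercepts
# requests to this same address and answers with the bound identity's token.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"
REFRESH_MARGIN = 300  # seconds before expiry at which a token is renewed (assumption)

# Constructed sample of an IMDS token response (fake token) for offline use.
SAMPLE_RESPONSE = json.dumps({"access_token": "eyJ.fake.token", "expires_on": "1700003600",
                              "resource": "https://vault.azure.net", "token_type": "Bearer"})

def build_token_request(resource, client_id=None):
    """Return (url, headers); client_id picks a user-assigned identity,
    None means the system-assigned one."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    # IMDS rejects requests without "Metadata: true", so a redirect or
    # SSRF-style request that cannot set headers does not obtain a token.
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}

def fetch_token_http(url, headers):
    # Default fetcher: GET the endpoint and return the raw JSON body.
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

class ManagedIdentityTokenCache:
    """Caches one token per resource and renews it before it expires."""

    def __init__(self, fetcher=fetch_token_http, now=time.time, client_id=None):
        self._fetcher, self._now, self._client_id = fetcher, now, client_id
        self._tokens = {}  # resource -> (access_token, expires_on)
        self.requests = 0  # round-trips to the endpoint (for observability)

    def get_token(self, resource):
        cached = self._tokens.get(resource)
        if cached and cached[1] - self._now() > REFRESH_MARGIN:
            return cached[0]
        url, headers = build_token_request(resource, self._client_id)
        body = json.loads(self._fetcher(url, headers))
        self.requests += 1
        if body.get("token_type") != "Bearer" or body.get("resource") != resource:
            raise ValueError("unexpected token response for " + resource)
        self._tokens[resource] = (body["access_token"], int(body["expires_on"]))
        return body["access_token"]
```

The token is never written to disk or logged; it lives only in memory and is re-requested once it is within the refresh margin of its expiry.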

Key Components:

Enabling Managed Identity

Managed Identity can be enabled in two ways:

User-Assigned Managed Identity

A User-Assigned Managed Identity is an independent Azure resource that can be created and assigned to one or more Azure services. This provides greater flexibility and control.

  1. Create a User-Assigned Managed Identity: Use the Azure portal, Azure CLI, or Azure PowerShell to create a new User-Assigned Managed Identity.
  2. Assign to Container Service: When deploying your container service (e.g., AKS cluster, Azure Container Instance), specify the User-Assigned Managed Identity to be used.

Azure CLI Example:

# Create a user-assigned managed identity
az identity create --name myManagedIdentity --resource-group myResourceGroup

# Get the principal ID of the created identity; this is the value you use
# when granting the identity roles on other Azure resources
PRINCIPAL_ID=$(az identity show --name myManagedIdentity --resource-group myResourceGroup --query principalId -o tsv)

# For AKS, you then associate this identity with the cluster when the cluster is created.
# For other container services, the exact configuration may vary.

System-Assigned Managed Identity

A System-Assigned Managed Identity is tied to the lifecycle of the Azure resource itself. It's created and deleted along with the resource.

  1. Enable during Resource Creation: When creating your container service, enable the system-assigned managed identity option.
  2. Azure Manages Lifecycle: Azure automatically creates, manages, and deletes this identity.

Azure CLI Example for AKS:

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --enable-managed-identity
Tip: User-Assigned Managed Identities are recommended for production environments due to their lifecycle management independence from individual resources.

Using Managed Identity in AKS

Once Managed Identity is enabled for your AKS cluster (either system-assigned or user-assigned), you can grant the cluster's identity permissions to access other Azure resources. Pods running within the cluster can then leverage this identity.

To allow pods to authenticate using the cluster's Managed Identity, you typically deploy the Azure AD Pod Identity add-on for AKS. This add-on manages the injection of identity information into your pods.

Steps:

  1. Enable Managed Identity on AKS: As shown above.
  2. Deploy Azure AD Pod Identity:

    kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-happy.yaml

  3. Create an AzureIdentity resource: This Kubernetes resource maps to your Azure AD Managed Identity.
  4. Create an AzureIdentityBinding resource: This resource binds an AzureIdentity to a specific Kubernetes namespace or pod selector.
  5. Access Azure Resources from your Pod: Use Azure SDKs that support Managed Identity authentication.

Example: Accessing Azure Key Vault from a pod:

Your application code within the pod uses the Azure SDK; when it needs to authenticate to Key Vault, the SDK automatically detects and uses the Managed Identity provided by the Azure AD Pod Identity add-on.

// Example using Azure SDK for .NET (C# top-level statements)
using System;
using Azure.Core;                      // TokenCredential
using Azure.Identity;                  // DefaultAzureCredential
using Azure.Security.KeyVault.Secrets; // SecretClient

// DefaultAzureCredential tries Managed Identity first: under the hood it
// requests a token from the metadata endpoint, so no secret is configured here
TokenCredential credential = new DefaultAzureCredential();
SecretClient client = new SecretClient(new Uri("https://your-key-vault-name.vault.azure.net/"), credential);

// Now you can use the client to interact with Key Vault
KeyVaultSecret secret = await client.GetSecretAsync("mySecret");
Console.WriteLine($"Secret value: {secret.Value}");

Best Practices

Security Note: Never hardcode credentials. Managed Identity eliminates the need for this, significantly improving your application's security posture.