This article explains managed identities for Azure resources. Managed identities allow Azure services to authenticate to other Azure services that support Azure Active Directory (Azure AD) authentication, without needing to store credentials in code or configuration.
What are Managed Identities?
When you use managed identities, Azure creates and manages the identity for you. You don't need to provision, configure, rotate, or manage any secrets or credentials, such as certificates or connection strings. You can use managed identities to authenticate to any resource that supports Azure AD authentication, including Azure Key Vault, Azure Storage, and Azure SQL Database.
There are two types of managed identities:
- System-assigned managed identities: Enabled directly on an Azure resource. When you enable a system-assigned identity, an identity is created in Azure AD that is tied to the lifecycle of that Azure resource. When the resource is deleted, the identity is automatically deleted by Azure.
- User-assigned managed identities: Created as a standalone Azure resource. A user-assigned managed identity can be provided to one or more Azure resources. The identity is managed separately from the Azure resources that use it.
When to use Managed Identities
Managed identities are ideal for scenarios where an Azure service needs to access another Azure service. For example:
- A virtual machine needs to access Azure Key Vault to retrieve secrets.
- An Azure Function needs to write data to Azure Blob Storage.
- A web app needs to connect to an Azure SQL Database.
System-assigned vs. User-assigned
Choosing between system-assigned and user-assigned managed identities depends on your scenario:
- System-assigned: Use when the identity is specific to a single Azure resource and its lifecycle should be tied to that resource.
- User-assigned: Use when you need to share an identity across multiple Azure resources, or when you want to manage the identity's lifecycle independently.
How to use Managed Identities
Enabling System-assigned Managed Identities
You can enable system-assigned managed identities for many Azure resources, such as Virtual Machines, App Services, and Azure Functions. The process typically involves selecting the identity option within the resource's configuration in the Azure portal, Azure CLI, or PowerShell.
Example using Azure CLI:
az vm identity assign --resource-group myResourceGroup --name myVM
Creating User-assigned Managed Identities
User-assigned managed identities are created as separate resources. Once created, they can be assigned to one or more Azure resources.
Example using Azure CLI:
az identity create --resource-group myResourceGroup --name myManagedIdentity
Then, assign it to a resource:
az vm identity assign --resource-group myResourceGroup --name myVM --identities myManagedIdentity
Granting Permissions
Once a managed identity is created and assigned to an Azure resource, you need to grant that identity the necessary permissions to access other Azure resources. This is typically done using Azure role-based access control (RBAC).
Example: Granting access to Azure Key Vault
To grant a managed identity permission to read secrets from a Key Vault, you would assign a role like "Key Vault Secrets Officer" to the managed identity on the Key Vault resource.
Code Examples
Most Azure SDKs provide support for authenticating using managed identities. You can typically use the default credential provider, which will automatically attempt to use a managed identity if running in Azure.
Example using .NET SDK:
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
// ...
var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri("https://your-key-vault-name.vault.azure.net/"), credential);
// Now you can use the client to interact with Key Vault
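The following is an added, complete .NET example (not code from the original article) that puts the two identity types and the RBAC grant described above together: it selects a system-assigned or user-assigned identity, reads one secret, and treats a 403 as a missing role assignment rather than a reason to fall back to a stored credential. The environment variable names, the default vault URL and the secret name are assumptions of this example.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class ManagedIdentitySecretReader
{
    // No client ID -> the resource's system-assigned identity; a client ID -> that
    // user-assigned identity. When several user-assigned identities are attached to
    // one resource, the token request fails unless one is named, so never rely on
    // the default in that case. ManagedIdentityCredential is used instead of
    // DefaultAzureCredential so that no developer-machine fallback can be picked up.
    public static TokenCredential BuildCredential(string? userAssignedClientId) =>
        string.IsNullOrEmpty(userAssignedClientId)
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(userAssignedClientId);

    // Read one secret. The identity must hold a Key Vault data-plane RBAC role on the
    // vault; a 403 here means the role assignment is missing, not that the code is wrong.
    public static async Task<string> ReadSecretAsync(Uri vaultUri, string secretName, TokenCredential credential)
    {
        var client = new SecretClient(vaultUri, credential);
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Surface the missing grant; do not fall back to a stored connection string.
            throw new InvalidOperationException(
                $"Managed identity is not authorized to read '{secretName}' from {vaultUri}.", ex);
        }
    }

    public static async Task Main()
    {
        // Hypothetical environment variables, used only by this example.
        var vaultUri = new Uri(Environment.GetEnvironmentVariable("KEY_VAULT_URI")
                               ?? "https://your-key-vault-name.vault.azure.net/");
        string secretName = Environment.GetEnvironmentVariable("SECRET_NAME") ?? "DbPassword";
        string? clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"); // unset => system-assigned

        string value = await ReadSecretAsync(vaultUri, secretName, BuildCredential(clientId));
        Console.WriteLine($"Read '{secretName}' from {vaultUri.Host} ({value.Length} chars).");
    }
}
```

Run it on an Azure VM, App Service or Function with the identity enabled and a Key Vault RBAC role assigned on the vault; on a machine without a managed identity the credential request itself fails, which is the expected behaviour.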