Managed Identity on Azure
Imagine a world in which you do not have to deal with access tokens and the pains of managing them. Well, why imagine — this is exactly what Managed Identity on Azure offers!
“Managed Identities are created exactly for this purpose: help Azure resources securely connect to other Azure resources. A Managed Identity is associated with one or more Azure resources and effectively gives an Azure resource an identity in Azure Active Directory. The identity and the resource are so tightly coupled that for all intents and purposes they can be considered one, thus allowing the resource to authenticate “as itself” to another resource.”
Learning By Sample Scenario
Equipped with this, you could, e.g., tackle challenges like this one:
So, for the sake of working with a real-life scenario, let us stick with this one and solve it over the course of this article, shall we?
So we would use this PUT request against the Azure Storage REST API:
https://myaccount.blob.core.windows.net/mycontainer/myblob?comp=properties
Yet there are some things to take into consideration.
First, to patch blob properties with a managed identity you HAVE to have the roles assigned as described here:
It turns out the answer is that “Storage Blob Data Contributor” and “Storage Queue Data Contributor” roles BOTH have to be assigned to resolve the issue.
Second, the HTTP authentication does not consist of a single token for the Azure API alone; it is the signature that counts.
Let’s do that call using a Logic App work step, like this:
And that signature includes some headers you HAVE to set on your HTTP call. As it says here:
- x-ms-date : formatDateTime(utcNow(),'r')
- x-ms-version : 2021-04-10
- Accept : application/json;odata=fullmetadata
And in Managed Identity the settings include:
(For other endpoints the audience setting needs to be adapted for the final auth with managed identity to work.)
And there you go, this blob here goes from content-type image/jpeg…
… to text/json, which makes no sense but whatever:
This goes to show it works. Do note, however, that every property not specified in the PUT call is cleared, as the docs say as well.
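To make the whole flow concrete outside of a Logic App, here is an added example (my code, not from the post) that does the same Set Blob Properties PUT from Python: it fetches a managed-identity token, sends the x-ms-date and x-ms-version headers described above, and, to avoid the clearing behaviour just mentioned, reads the blob's current properties with a HEAD first and sends them back along with the change. It assumes the code runs on a VM or container instance where the IMDS token endpoint is reachable, that the identity holds the Storage Blob Data Contributor role, and that the Storage audience is https://storage.azure.com/; account, container and blob names are placeholders.

```python
import json
from email.utils import formatdate
from urllib import parse, request
# IMDS token endpoint seen by code on an Azure VM or container instance (assumption; Logic Apps
# and App Service reach their identity through a different, environment-provided endpoint).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_AUDIENCE = "https://storage.azure.com/"  # token audience for Azure Storage
API_VERSION = "2021-04-10"                        # the x-ms-version used in the post
# HEAD response header -> PUT header for each property Set Blob Properties accepts;
# anything omitted from the PUT is cleared, hence the merge below.
HEAD_TO_PUT = {"Cache-Control": "x-ms-blob-cache-control", "Content-Type": "x-ms-blob-content-type",
               "Content-MD5": "x-ms-blob-content-md5", "Content-Encoding": "x-ms-blob-content-encoding",
               "Content-Language": "x-ms-blob-content-language",
               "Content-Disposition": "x-ms-blob-content-disposition"}

def blob_url(account, container, blob):
    return f"https://{account}.blob.core.windows.net/{container}/{blob}"

def token_request():
    """Build the IMDS request; the Metadata: true header is mandatory."""
    query = parse.urlencode({"api-version": "2018-02-01", "resource": STORAGE_AUDIENCE})
    return request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})

def merged_properties(existing, updates):
    """Carry the blob's current properties forward so the PUT changes only what we ask for."""
    props = {put: existing[head] for head, put in HEAD_TO_PUT.items() if head in existing}
    props.update(updates)
    return props

def set_properties_request(account, container, blob, token, props):
    """The PUT ...?comp=properties call from the post, with the headers it requires."""
    headers = {"Authorization": f"Bearer {token}",
               "x-ms-date": formatdate(usegmt=True),  # RFC 1123, like formatDateTime(utcNow(),'r')
               "x-ms-version": API_VERSION, "Content-Length": "0", **props}
    return request.Request(blob_url(account, container, blob) + "?comp=properties", method="PUT", headers=headers)

def set_content_type(account, container, blob, content_type):
    """End to end: token from IMDS, HEAD to read current properties, PUT the merged set."""
    with request.urlopen(token_request(), timeout=5) as resp:
        token = json.load(resp)["access_token"]
    auth = {"Authorization": f"Bearer {token}", "x-ms-version": API_VERSION}
    head = request.Request(blob_url(account, container, blob), method="HEAD", headers=auth)
    with request.urlopen(head, timeout=10) as resp:
        existing = dict(resp.headers)  # Content-Type, Cache-Control, ... of the blob today
    props = merged_properties(existing, {"x-ms-blob-content-type": content_type})
    with request.urlopen(set_properties_request(account, container, blob, token, props)) as r:
        return r.status  # 200 on success
```

Calling `set_content_type("myaccount", "mycontainer", "myblob", "text/json")` reproduces the image/jpeg to text/json change from the post while keeping the blob's other properties intact.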
Is this useful? Let me know how you use managed identities. I love to use them for things like
- running Containers on Azure
- running Azure Functions on Azure that depend on other services
- using it to overcome service limitations and run ETL at scale
Cheers!