Attain zero secrets or keys in your code using Microsoft Entra Managed Identities for Azure resources — Part 2

Venki · Published in Urban DevOps · 6 min read · Jun 21, 2024

Ever wanted to know how to avoid secrets or keys in your code? Get your code ready with zero secrets or keys in minutes with Microsoft Entra and Azure!!

Photo by luis gomes

👋 Hey, Venki here! Welcome to another 🔓medium story 🔓. Each day I focus on one story that is making a difference to me while I'm working in the financial services technology space, coupled with things worth learning and, most important!!, getting shit done. Urban DevOps is the only publication you need for all things where DevOps meets Cloud.

If you're not a follower, don't miss out and join the community here pls👇🏼

In the previous article 👉 Part 1, we explored the types of Microsoft Entra Managed Identities for Azure resources and learnt how to create a system-assigned managed identity and a user-assigned managed identity.

Without further ado, let us dive into this part, where we learn to use the managed identity in our code. Let's connect the dots.

This article demonstrates how to configure an Azure App Service so it can connect to Azure Storage. The same principles apply to any Azure resource that supports managed identities and connects to resources that support Microsoft Entra authentication.

The code samples use the Azure Identity client library, the recommended method, which handles many of the token-acquisition steps for you automatically.

Create a user-assigned managed identity

💡 You will need the "Managed Identity Contributor" role on your account in Azure to start creating managed identities.

1. Search for Managed Identities in the Azure portal.
2. Click the Create button.
3. Select the subscription, resource group, region and a name for the user-assigned managed identity.
4. Select Review + Create to run the validation and click the Create button.
5. Once the identity has been created, the screen below appears.

We now have a user-assigned managed identity 😎

Configuring our source resource to use our newly created user-assigned managed identity

1. Locate the resource in the Azure portal, like so.
2. Choose the Identity link on the left blade.
3. Select the User assigned tab and click Add.
4. Select the user-assigned identity that we created and click Add.
5. The identity should be associated now.

Adding permissions to the identity

💡 You will need the "User Access Administrator" role on the target resource to add role assignments.

Now that our App Service has a managed identity, we need to give the identity the correct permissions to interact with Azure Storage.

1. Locate the storage account that you want to grant the identity permissions on.
2. Select Access Control (IAM) on the left blade.
3. Select the Add button near the top of the screen.
4. A list of roles will appear; we are interested in granting the role shown below.
5. You will be prompted to select who the role should be granted to. Select Managed identity.
6. Select User-assigned managed identity and pick our newly created one.
7. Review + assign.
8. You should now see the role that we added in steps 1 to 7.

Now that we have granted the managed identity permissions on the Azure resource, let's explore how we can use this in our code 🤔

Using the managed identity in your code

We use the Azure Identity library, the recommended method, in our development environment.

1. Grab the client ID of the newly created managed identity.

The .NET code sample below allows access to a blob in Azure Storage:

```csharp
using System;
using Azure.Identity;
using Azure.Storage.Blobs;

// code omitted for brevity

// Specify the Client ID if using user-assigned managed identities
var clientID = Environment.GetEnvironmentVariable("Managed_Identity_Client_ID");
var credentialOptions = new DefaultAzureCredentialOptions
{
    ManagedIdentityClientId = clientID
};
var credential = new DefaultAzureCredential(credentialOptions);

// The storage account URI, e.g. https://<account>.blob.core.windows.net; no key or connection string is needed
var blobServiceClient1 = new BlobServiceClient(new Uri("<URI of Storage account>"), credential);
BlobContainerClient containerClient1 = blobServiceClient1.GetBlobContainerClient("<name of container>");
BlobClient blobClient1 = containerClient1.GetBlobClient("<name of file>");

if (blobClient1.Exists())
{
    // DownloadContent returns the blob body as BinaryData; ToString() decodes it as UTF-8 text
    var downloadedBlob = blobClient1.DownloadContent();
    string blobContents = downloadedBlob.Value.Content.ToString();
}
```

You get the idea! 💭💡

To summarize, you can use managed identities to authenticate against your various Azure resources right from the code, with no secrets or keys to store.

In the upcoming Part 3 we shall look at how the user-assigned managed identity can be integrated outside the code base via Kubernetes workload identity, where we containerize our code and use ArgoCD to deploy to Kubernetes.
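As an added example (not code from the original article), here is a small console check built on the same credential setup that verifies the identity end-to-end and tells you which setup step is missing: a failure to get a token at all means the identity is not attached to the resource, while a 403 means the role assignment is missing or has not propagated yet. The STORAGE_ACCOUNT_URL variable and the class name are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

// Added check (not from the original article): confirms the identity wired up above can
// reach the storage account and reports which setup step is missing. Assumes the env vars
// Managed_Identity_Client_ID (as in the article) and STORAGE_ACCOUNT_URL (hypothetical,
// e.g. https://<account>.blob.core.windows.net).
public static class ManagedIdentityCheck
{
    public static async Task<int> Main()
    {
        var clientId = Environment.GetEnvironmentVariable("Managed_Identity_Client_ID");
        var accountUrl = Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_URL");
        const string containerName = "<name of container>"; // placeholder
        // Same chain as the article: managed identity in Azure, developer credentials locally.
        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = clientId
        });
        try
        {
            // Step 1: can we get a token at all? Fails if the identity is not attached to
            // the App Service or the client ID is wrong.
            var scopes = new[] { "https://storage.azure.com/.default" };
            var token = await credential.GetTokenAsync(new TokenRequestContext(scopes), default);
            Console.WriteLine($"Token acquired, expires {token.ExpiresOn:u}");
            // Step 2: can we use it? 403 until a data-plane role such as Storage Blob Data
            // Reader is assigned on the storage account and has propagated.
            var container = new BlobServiceClient(new Uri(accountUrl), credential)
                .GetBlobContainerClient(containerName);
            await foreach (var blob in container.GetBlobsAsync())
                Console.WriteLine($"  {blob.Name}");
            return 0;
        }
        catch (AuthenticationFailedException ex)
        {
            Console.Error.WriteLine($"No token: is the identity assigned to this resource? {ex.Message}");
            return 1;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            Console.Error.WriteLine($"Token OK but access denied: check the role assignment. {ex.Message}");
            return 2;
        }
    }
}
```

Run it once from the App Service (managed identity) and once locally (Azure CLI login) to confirm both halves of the chain work before shipping.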

Until then Peace! ✌️✌️

Continue reading by following the Urban DevOps publication stories. You will receive fresh content about DevOps with hot takeaways every day.

***

About: I am a DevOps enthusiast. My adventure in the tech world began over a decade ago. With a background in computer science, I started my career as a systems engineer. The thrill of building applications and solving complex problems captivated me, but I quickly realized that coding was just one piece of the puzzle. The real challenge — and reward — lay in ensuring that the software worked seamlessly in production, scaled effectively, and was robust against failures.

This realization led me to the world of DevOps. I immersed myself in the principles of continuous integration, continuous deployment, and infrastructure as code. The more I learned, the more I appreciated the profound impact DevOps practices could have on both development speed and operational reliability.

If you’ve enjoyed this piece, don’t hesitate to press clapping hands 👏, comment on what you think, and share the story with others 😀. Let’s spread the knowledge together!

For more, hit the follow button🔥🚀
