Attain zero secrets or keys in your code using Microsoft Entra Managed Identities for Azure resources — Part 1

Venki · Published in Urban DevOps · 6 min read · Jun 18, 2024

Ever wanted to know how to avoid secrets or keys in your code? Get your code ready with zero secrets or keys in minutes with Microsoft Entra and Azure!!

Photo by luis gomes

👋 Hey, Venki here! Welcome to another 🔓medium story 🔓. Each day I focus on one story that is making a difference to me while I'm working in the financial services technology space, coupled with things worth learning and, most important!!, getting shit done. It's the only publication (Urban DevOps) you need for all things where DevOps meets Cloud.

If you're not a follower, don't miss out; join the community here pls 👇🏼

Last week was undoubtedly the most interesting week for me so far this month, Jun 2024. We had a bunch of code sniffer tools unleashed by the security team to scan for secret leaks in the code base. Guess what! We had a big ⚠️ on our codebase, as we were using connection strings alongside the Key Vault URI for accessing keys and secrets from Azure Key Vault.

Not that Azure Key Vault and Azure App Configuration are bad resources, but we reached a point where the security team set a compliance policy that completely bans the use of secrets or keys from the codebase. Which leaves us developers wondering: how the heck can we achieve zero secrets or keys in our codebase 🤯

Without further ado, let us dive into what Microsoft Entra Managed Identity is about and how it can help developers attain zero secrets or keys in their codebase. Let's connect the dots.

Microsoft Entra and Managed Identities🤖

Use Microsoft Entra ID to manage user identities and control access to your apps, data, and resources. That's literally the tagline of Microsoft Entra ID for you 😏. I'm sure that if you are a developer coming from the Microsoft ecosystem, you would have heard of it! If not, here's a link to deep dive into it 👉 Entra

Managed Identities for Azure resources is a feature of Microsoft Entra that eliminates the need for developers to manage credentials such as secrets, keys and certificates.

Now, like every other developer, we too got confused and wondered how this feature differs from Azure Key Vault, which already holds our secrets, keys and certificates. Why in the world would I look for managed identities?

While developers can securely store secrets in Azure Key Vault, services still need a way to authenticate to Azure Key Vault, and that is the credential you would otherwise have to keep in your code. This is where managed identities come in: they provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

Microsoft Entra isn't limited to Microsoft Azure; it can be used across various cloud providers and other independent services. To know more, click here: Integrate Apps with Entra

Microsoft Entra Managed Identities for Azure resources comes in two flavors:

System Assigned

User Assigned

Let's look at the system-assigned managed identity, where it can be used and what its advantages are.

It provides a mechanism for Azure services like Azure VMs, Azure App Service and Azure Functions (most of the PaaS offerings from Microsoft Azure) to have an identity of their own in Microsoft Entra ID (formerly Azure Active Directory) instead of using end-user credentials. You create the identity by simply toggling the on/off switch under the Identity tab of the Azure resource blade, as shown below 👇

Photo from https://hackingthe.cloud/

You can now use this system-assigned managed identity to access target Azure resources such as Azure SQL Database, Azure Key Vault or Azure App Configuration, all of which support Microsoft Entra authentication. You then authorize this identity on the target resource and grant it permissions based on the level of access you want to allow.

Whatttttttttttt the heck!!! This sounds like service principals in Azure 🤔

Yes it is, but a special type with the benefits below:

Automatic Credential Rotation

Identity Lifecycle Management

Useful for workloads that require independent identities

System Assigned Managed Identity

Now, this might become cumbersome: say we have 100 Azure VMs connecting to the same Azure SQL database. We would end up with 100 system-assigned managed identities in Entra, each needing its own permission grant on the database.

That’s where the User Assigned Managed Identity comes into play.

We can now create an identity independent of any Azure resource, assign it to whichever Azure resources support Microsoft Entra authentication as the need arises, and grant this single user-assigned managed identity permissions based on the level of access the VMs require on the target resource.

User Assigned Managed Identity
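To make the "no credentials in code" claim concrete, here is an added Python example (mine, not code from the post or from Microsoft's SDKs) of how an application running on an Azure resource asks the Azure Instance Metadata Service (IMDS) for a Microsoft Entra token. With no client_id the request uses the resource's system-assigned identity, as in the VM toggle described above; passing the identity's client_id selects a user-assigned identity shared by many VMs. The IMDS endpoint, api-version, Metadata header and response fields are the documented ones; the HTTP transport is injectable so the flow runs offline against a constructed response, and the token value and client_id GUID in it are fake placeholders.

```python
"""
Added example: obtaining a Microsoft Entra token for a managed identity from
the Azure Instance Metadata Service (IMDS), with no secret or key in code.

Documented request shape:
  GET http://169.254.169.254/metadata/identity/oauth2/token
      ?api-version=2018-02-01&resource=<audience>[&client_id=<user-assigned id>]
  Header: Metadata: true
"""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# Audience ("resource") values for two of the targets named in the post.
KEY_VAULT_RESOURCE = "https://vault.azure.net"
AZURE_SQL_RESOURCE = "https://database.windows.net/"


@dataclass
class ImdsRequest:
    url: str
    headers: dict


@dataclass
class EntraToken:
    access_token: str
    expires_on: int  # Unix timestamp
    resource: str

    def is_expired(self, now: Optional[int] = None, skew: int = 300) -> bool:
        """Treat the token as expired a few minutes early so callers refresh in time."""
        now = int(time.time()) if now is None else now
        return now + skew >= self.expires_on


def build_imds_request(resource: str, client_id: Optional[str] = None) -> ImdsRequest:
    """System-assigned identity: client_id=None. User-assigned: pass its client_id."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    # IMDS requires the Metadata header; requests without it are rejected,
    # which is one of the guards against SSRF-style calls that cannot set headers.
    return ImdsRequest(url=url, headers={"Metadata": "true"})


def parse_token_response(body: str) -> EntraToken:
    """Parse the JSON body IMDS returns; expires_on arrives as a string."""
    data = json.loads(body)
    for field in ("access_token", "expires_on", "resource"):
        if field not in data:
            raise ValueError(f"IMDS response missing '{field}'")
    return EntraToken(data["access_token"], int(data["expires_on"]), data["resource"])


def default_transport(req: ImdsRequest) -> str:
    """Real transport: only works on an Azure resource with a managed identity enabled."""
    http_req = urllib.request.Request(req.url, headers=req.headers, method="GET")
    with urllib.request.urlopen(http_req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def get_managed_identity_token(resource: str, client_id: Optional[str] = None,
                               transport: Callable[[ImdsRequest], str] = default_transport) -> EntraToken:
    """The only inputs are the audience and, optionally, which identity to use."""
    token = parse_token_response(transport(build_imds_request(resource, client_id)))
    # Refuse a token minted for a different audience than the one we asked for.
    if token.resource.rstrip("/") != resource.rstrip("/"):
        raise ValueError("token audience does not match requested resource")
    return token


# Constructed sample IMDS response (fake token value) so the flow runs offline.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.FAKE.TOKEN",
    "expires_in": "3599",
    "expires_on": "1718700000",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})


def fake_transport(req: ImdsRequest) -> str:
    """Offline stand-in for IMDS that enforces the mandatory header before answering."""
    if req.headers.get("Metadata") != "true":
        raise PermissionError("IMDS requires the 'Metadata: true' header")
    return SAMPLE_IMDS_RESPONSE


if __name__ == "__main__":
    # System-assigned identity: nothing identifies the caller but the resource itself.
    sa = get_managed_identity_token(KEY_VAULT_RESOURCE, transport=fake_transport)
    # User-assigned identity: select the shared identity by its client_id (placeholder GUID).
    ua = get_managed_identity_token(KEY_VAULT_RESOURCE,
                                    client_id="00000000-0000-0000-0000-000000000000",
                                    transport=fake_transport)
    print(sa.resource, ua.expires_on, ua.is_expired(now=1718600000))
```

On a real VM or App Service you would drop the `transport=` argument so the request goes to IMDS itself, and in production code you would normally let the azure-identity SDK's `ManagedIdentityCredential` do this rather than hand-rolling it. The point the block makes is the one the post is after: the code contains an audience and, at most, a non-secret client_id, and the credential never leaves the platform.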

So, to summarize, the difference between the two is shown below:

Difference between System Assigned and User Assigned Managed Identity

Now that you understand how managed identities on Azure resources can be useful, not just for Azure but also for applications outside the Microsoft ecosystem, in the upcoming Part 2 we shall look at how to integrate a user-assigned managed identity into our codebase, and outside the codebase via Kubernetes, where we containerize our code, and more.....

Until then Peace! ✌️✌️

Continue reading by following the Urban DevOps publication. You will receive fresh content about DevOps with hot takeaways every day.

***

About: I am a DevOps enthusiast. My adventure in the tech world began over a decade ago. With a background in computer science, I started my career as a systems engineer. The thrill of building applications and solving complex problems captivated me, but I quickly realized that coding was just one piece of the puzzle. The real challenge — and reward — lay in ensuring that the software worked seamlessly in production, scaled effectively, and was robust against failures.

This realization led me to the world of DevOps. I immersed myself in the principles of continuous integration, continuous deployment, and infrastructure as code. The more I learned, the more I appreciated the profound impact DevOps practices could have on both development speed and operational reliability.

If you’ve enjoyed this piece, don’t hesitate to press clapping hands 👏, comment on what you think, and share the story with others 😀. Let’s spread the knowledge together!

For more, hit the follow button🔥🚀
