Azure Managed Identity

Posted in cloud on September 1, 2024 by Adrian Wyssmann ‐ 2 min read

Managing secrets and credentials manually is cumbersome and error-prone, so what if you could make that easier? At least in Azure you can, using managed identities.

What are managed identities?

Resources usually need secrets (credentials, certificates, keys) to communicate with other resources. While (in Azure) you can securely store these in an Azure Key Vault, as a developer you still have to configure your applications accordingly, which means you probably end up copying these secrets around. With managed identities this is no longer necessary: Azure provides an automatically managed identity in Microsoft Entra ID for the application. The application can use this identity to connect to resources by obtaining Microsoft Entra tokens, without having to manage any credentials itself.
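To make the "obtaining Microsoft Entra tokens without managing credentials" part concrete, here is an added example (not code from the original post) of what happens under the hood: the application asks the Azure Instance Metadata Service (IMDS) endpoint on the resource for a token scoped to a target audience, and gets one back without ever holding a secret. The endpoint, the `Metadata: true` header, the `api-version` and the `client_id` query parameter are Azure's documented IMDS values; the sample response, the `offline_http_get` stand-in transport and the function names are constructed for this example so it runs offline. In a real application you would normally let `DefaultAzureCredential` from the `azure-identity` SDK do this for you.

```python
"""Acquire a Microsoft Entra token for a managed identity via the Azure
Instance Metadata Service (IMDS), the mechanism behind "no credentials to manage".

Added example, not code from the original post. The endpoint, header and
api-version are Azure's documented IMDS values; the sample response below is
constructed so the module can run offline.
"""
import json
import time
import urllib.parse
import urllib.request

# Azure's documented IMDS token endpoint; only reachable from inside the resource.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    ``resource`` is the audience the token is for, e.g. "https://vault.azure.net"
    for Key Vault. A system-assigned identity needs nothing else; for a
    user-assigned identity pass its ``client_id`` so IMDS knows which one to use.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header; it stops naive request forwarding.
    headers = {"Metadata": "true"}
    return url, headers


def parse_token_response(body, now=None):
    """Validate the JSON IMDS returns and compute the remaining token lifetime."""
    data = json.loads(body)
    for field in ("access_token", "expires_on", "resource", "token_type"):
        if field not in data:
            raise ValueError(f"IMDS response missing field: {field}")
    if data["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type: {data['token_type']}")
    now = time.time() if now is None else now
    expires_on = int(data["expires_on"])  # IMDS returns a Unix timestamp as a string
    return {
        "access_token": data["access_token"],
        "resource": data["resource"],
        "expires_in": max(0, expires_on - int(now)),
    }


def _http_get(url, headers):
    """Real transport: works only on an Azure resource that has a managed identity."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def get_managed_identity_token(resource, client_id=None, http_get=_http_get, now=None):
    """Fetch and validate a token; ``http_get`` is injectable for offline use."""
    url, headers = build_token_request(resource, client_id)
    token = parse_token_response(http_get(url, headers), now=now)
    if token["resource"].rstrip("/") != resource.rstrip("/"):
        # Never hand a token for one audience to a client that talks to another service.
        raise ValueError("token audience does not match requested resource")
    return token


# Constructed sample response shaped like a real IMDS reply (the token is not real).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.CONSTRUCTED.SAMPLE",
    "expires_on": "1700003600",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})


def offline_http_get(url, headers):
    """Stand-in transport (constructed) that mimics IMDS closely enough to catch client mistakes."""
    if headers.get("Metadata") != "true":
        raise PermissionError("IMDS requires the 'Metadata: true' header")
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if query.get("api-version") != [IMDS_API_VERSION]:
        raise ValueError("unsupported api-version")
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    tok = get_managed_identity_token("https://vault.azure.net",
                                     http_get=offline_http_get, now=1700000000)
    print(f"token for {tok['resource']} valid for {tok['expires_in']} s")
```

The audience check at the end is the part worth keeping in mind: a managed identity removes the secret from your code, but the token you get is still scoped to one resource, and your code should refuse to reuse it against anything else.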

Managed identity types

There are two types of managed identities: system-assigned and user-assigned. Here is the overview from What are managed identities for Azure resources?:

| Property | System-assigned managed identity | User-assigned managed identity |
|---|---|---|
| Creation | Created as part of an Azure resource (for example, Azure Virtual Machines or Azure App Service). | Created as a stand-alone Azure resource. |
| Life cycle | Shared life cycle with the Azure resource that the managed identity is created with. When the parent resource is deleted, the managed identity is deleted as well. | Independent life cycle. Must be explicitly deleted. |
| Sharing across Azure resources | Can't be shared. It can only be associated with a single Azure resource. | Can be shared. The same user-assigned managed identity can be associated with more than one Azure resource. |
| Common use cases | Workloads contained within a single Azure resource. Workloads needing independent identities. For example, an application that runs on a single virtual machine. | Workloads that run on multiple resources and can share a single identity. |

What’s next

While working with Kubernetes and Azure AKS, a very interesting use case is the use of managed identities for managing secrets. Hence, follow up with the next post, External Secrets and Azure Identity Workload.