How to Use Azure Managed Service Identity

In this blog post I will cover the basics of Azure Managed Service Identity: what it is, which resources support it, and why it is a better option than keeping credentials in your code.

Managed Service Identity lets your code access Azure resources securely without storing credentials in the code itself. Think of adding a storage account access key to your application as an example: this is bad practice, and you certainly don't want such keys sitting in a code base that gets checked into git.

Managed identities are already supported on a number of Azure resources, with more being added. Examples of resources that support them include the following:

  • Azure Virtual Machines
  • Azure Virtual Machine Scale Sets
  • Azure App Service
  • Azure Functions
  • Azure Logic Apps
  • Azure Service Bus
  • Azure Event Hubs
  • Azure API Management
  • Azure Container Instances
  • Azure Container Registry Tasks

If you have code that accesses a storage account and you have put the access key into the code to do so (please never do this; anyone who obtains the code gains access to your storage account), you may already have moved the key into Key Vault, which is a better option. You can go a step further still and remove the key from the picture entirely.
To do this you take advantage of managed service identities: instead of an access key, the code obtains a short-lived access token at run-time from a local endpoint on the resource and presents that token to the storage account. The identity itself is granted role based access control (RBAC) roles on the target resources, so the token only carries the permissions you assigned. Keep in mind that any process running on the resource can request tokens from that local endpoint, so grant the identity the minimum roles the workload needs.

The managed identity for the resource is a service principal that Azure creates within Azure AD; its credentials are managed by the platform and are never exposed to you.

Managed identities come in two forms:

  • System-assigned managed identity (enabled on an Azure service instance, tied to that instance's lifecycle and deleted with it)
  • User-assigned managed identity (created as a standalone Azure resource and assignable to one or more service instances)
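The run-time token flow described above and the difference between the two identity forms, as an added example that is not code from the original post. It targets a VM or scale set, where the Azure Instance Metadata Service (IMDS) token endpoint at 169.254.169.254 is reachable; App Service and Functions expose the identity through a different local endpoint and are not covered here. The sample IMDS response is constructed, the account and container names in the usage at the bottom are placeholders, and the `fetch` parameter exists only so the request building and response parsing can be exercised offline.

```python
"""Requesting a managed identity access token from the Azure Instance
Metadata Service (IMDS) and using it against Azure Storage.

Added example, not code from the original post. Assumes the code runs on an
Azure VM or VM scale set with a managed identity enabled, and that the
identity has been granted a data-plane role such as Storage Blob Data Reader
on the target storage account.
"""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
STORAGE_RESOURCE = "https://storage.azure.com/"


def token_request(resource, client_id=None):
    """Build the IMDS token request for the given target resource.

    With no client_id the system-assigned identity is used. For a
    user-assigned identity pass its client ID as the 'client_id' query
    parameter; IMDS otherwise cannot know which identity you mean.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header; it stops requests that are
    # merely forwarded (SSRF through a proxy or browser) from obtaining tokens.
    headers = {"Metadata": "true"}
    return url, headers


def parse_token_response(body, now=None):
    """Extract the bearer token and its expiry from an IMDS JSON response.

    Raises ValueError if the token is already expired at time 'now'.
    """
    now = time.time() if now is None else now
    data = json.loads(body)
    token = data["access_token"]
    expires_on = int(data["expires_on"])  # Unix epoch seconds, returned as a string
    if expires_on <= now:
        raise ValueError("token already expired")
    return token, expires_on


def default_fetch(url, headers):
    """Perform the HTTP GET against IMDS (only works on an Azure VM)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def get_token(resource, client_id=None, fetch=default_fetch, now=None):
    """Fetch and parse a token; 'fetch' is injectable for offline testing."""
    url, headers = token_request(resource, client_id)
    return parse_token_response(fetch(url, headers), now)


def storage_headers(token):
    """Headers for an Azure Storage REST call authenticated with the token.

    No account key is involved: the token is presented as a bearer token.
    Storage requires x-ms-version 2017-11-09 or later for bearer auth.
    """
    return {"Authorization": "Bearer " + token, "x-ms-version": "2019-12-12"}


def list_blobs_request(account, container, token):
    """URL and headers for listing blobs in a container using the token."""
    url = (f"https://{account}.blob.core.windows.net/{container}"
           "?restype=container&comp=list")
    return url, storage_headers(token)


# Constructed sample in the shape IMDS returns; the token value is fake.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.FAKE.FAKE",
    "expires_in": "3599",
    "expires_on": "1700003599",
    "resource": STORAGE_RESOURCE,
    "token_type": "Bearer",
})


if __name__ == "__main__":
    # Placeholder account/container names; replace with your own.
    try:
        token, exp = get_token(STORAGE_RESOURCE)
        url, hdrs = list_blobs_request("mystorageaccount", "mycontainer", token)
        print(f"got token valid until {exp}; would GET {url}")
    except Exception as e:  # IMDS is unreachable outside Azure
        print("not running on an Azure VM (IMDS unreachable):", e)
```

The only difference between the two identity forms at the call site is the `client_id` query parameter: omit it for a system-assigned identity, pass the user-assigned identity's client ID otherwise. Tokens expire in roughly an hour, so cache them by `expires_on` and re-request rather than storing them anywhere persistent.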

You can learn more from the docs.