Managed Identity
A way for an application to authenticate to an Azure resource without storing or managing any secret (password, key or certificate) itself
Definition: a platform-managed service principal whose credentials Azure rotates for you, assigned to a specific resource such as an Azure VM
Steps:
Create a Managed Identity on an Azure service such as a VM
Assign that identity read permissions (an RBAC role) on the Azure Storage Account
Inside the VM, call the special local URL (the Instance Metadata Service token endpoint) to get back an access token for the storage resource
Use the token as a bearer token in requests to the storage account
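The four steps above, written out as an added example (this is my own code, not part of the original notes or Microsoft's SDK). It assumes the documented Instance Metadata Service token endpoint on 169.254.169.254 with the mandatory Metadata: true header, and a constructed sample token response so the request builder, parser and header helper run anywhere; only fetch_token() needs to run inside an Azure VM. The client_id parameter covers the user-assigned variant described further down; leave it out for a system-assigned identity. The storage account, container and token value are placeholders.

```python
# Added example (not from the original notes): requesting a managed-identity
# token from the Azure Instance Metadata Service (IMDS) and using it against
# Azure Storage. The live HTTP call only works on an Azure VM; the request
# builder, response parser and header helper are pure functions and run anywhere.
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
STORAGE_RESOURCE = "https://storage.azure.com/"  # audience for the Storage REST API


def build_imds_request(resource: str, client_id: Optional[str] = None):
    """Return (url, headers) for an IMDS token request.

    The Metadata: true header is mandatory; IMDS rejects requests without it,
    which stops the simplest kinds of forwarded/proxied requests from working.
    client_id selects a user-assigned identity; omit it for system-assigned.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    return url, {"Metadata": "true"}


def parse_token_response(body: str, now: Optional[float] = None) -> dict:
    """Extract the bearer token, its audience and expiry from an IMDS JSON body.

    Rejects tokens that are already expired so a stale cached token is not
    reused; expires_on is a Unix timestamp that IMDS returns as a string.
    """
    data = json.loads(body)
    expires_on = int(data["expires_on"])
    now = time.time() if now is None else now
    if expires_on <= now:
        raise ValueError("managed identity token already expired")
    return {
        "access_token": data["access_token"],
        "resource": data["resource"],
        "expires_on": expires_on,
        "seconds_left": int(expires_on - now),
    }


def storage_headers(token: str) -> dict:
    """Headers for a Blob service call; x-ms-version is required by the Storage REST API."""
    return {"Authorization": f"Bearer {token}", "x-ms-version": "2020-10-02"}


def fetch_token(resource: str = STORAGE_RESOURCE, client_id: Optional[str] = None) -> dict:
    """Live call: only succeeds on an Azure VM that has a managed identity assigned."""
    url, headers = build_imds_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode())


# Constructed sample of the JSON IMDS returns (the token value is a placeholder).
SAMPLE_IMDS_BODY = json.dumps({
    "access_token": "eyJ.placeholder.token",
    "expires_in": "3599",
    "expires_on": "1700003599",
    "resource": STORAGE_RESOURCE,
    "token_type": "Bearer",
})

if __name__ == "__main__":
    url, hdrs = build_imds_request(STORAGE_RESOURCE)
    print("IMDS request:", url, hdrs)
    tok = parse_token_response(SAMPLE_IMDS_BODY, now=1700000000)
    print("token for", tok["resource"], "valid for", tok["seconds_left"], "s")
    # A Blob read the token would authorize (account/container/blob are placeholders)
    blob_url = "https://<account>.blob.core.windows.net/<container>/<blob>"
    print("GET", blob_url, storage_headers(tok["access_token"]))
```

Two things worth noticing from a defender's point of view: the token is scoped to the resource audience you asked for (here Storage), so it cannot be replayed against a different API, and it carries an expiry that the parser enforces rather than trusting a cached copy. Permissions come entirely from the RBAC role assigned in step 2, so keep that role as narrow as the workload needs.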
Types of Managed Identity
System assigned: A one-to-one relationship between the identity and the resource; the identity's lifecycle is tied to that resource.
User assigned: A one-to-many relationship; the same identity can be assigned to many resources and has its own lifecycle.
Creation
System-assigned: Created as part of an Azure resource (for example, Azure Virtual Machines or Azure App Service).
User-assigned: Created as a stand-alone Azure resource.
Life cycle
System-assigned: Shared life cycle with the Azure resource that the managed identity is created with. When the parent resource is deleted, the managed identity is deleted as well.
User-assigned: Independent life cycle. Must be explicitly deleted.
Sharing across Azure resources
System-assigned: Can't be shared. It can only be associated with a single Azure resource.
User-assigned: Can be shared. The same user-assigned managed identity can be associated with more than one Azure resource.
Common use cases
System-assigned: Workloads contained within a single Azure resource. Workloads needing independent identities. For example, an application that runs on a single virtual machine.
User-assigned: Workloads that run on multiple resources and can share a single identity. Workloads needing pre-authorization to a secure resource, as part of a provisioning flow. Workloads where resources are recycled frequently, but permissions should stay consistent. For example, a workload where multiple virtual machines need to access the same resource.