Azure Managed Identities - explained in plain English in 5 mins with a step by step demo

Video Statistics and Information

Reddit Comments

Thanks for the video! Simple and concise, well done.

1 point, u/math_coprocessor, Mar 31 2021
Captions
Hello and welcome to azuremonk. This is a short video on managed identities, explained in plain English. We'll cover system-assigned managed identities, user-assigned managed identities, the difference between them, and a step-by-step demo on how to configure them, all in less than five minutes.

Let's assume we have a fictional company which hosted super-secretive customer data on Azure. They were leveraging Azure SQL Database, and the application code was running from an application server hosted on an Azure VM. The database, like we all know, needed connection strings and other secrets to authenticate, and these were shared with the application developers, who embedded the secrets either in the application config or in the code itself. Neither of these went down well with the security team: this was top-secret data, and they wanted a way to store the keys securely.

So the next option proposed was to move the secrets off the code and the application server into Azure Key Vault. This was a significant step in the right direction and provided great security advantages. The security team, though, was still not very convinced, because the application still needed a way to authenticate to Azure Key Vault in order to retrieve the keys, and that authentication meant there was still some secret configuration information sitting on the application server. They wondered whether there was a better way to do this, with zero secrets or credentials stored anywhere in the code. Well, the answer is yes: we can accomplish this using Azure managed identities.

Azure managed identities come in two flavors: system-assigned managed identities and user-assigned managed identities. We'll first talk about system-assigned managed identities. A system-assigned managed identity provides a mechanism for the service, in this case the Azure VM, to have an identity in Azure Active Directory instead of the end user. Once this identity is created in Azure Active Directory, you can use it to grant access to any target resource that supports Azure AD authentication, in this case Azure SQL Database. You authorize this identity and grant permissions based on the level of access you want it to have. If this sounds a lot like service principals, that's because it is a service principal, but a special type of service principal that gives you the following advantages. Number one, you don't have to worry about the expiry of the service principal: credential rotation is automatically taken care of for you. The second advantage is better identity lifecycle management: when you are done using a virtual machine with a system-assigned managed identity and delete the VM, the identity associated with it is automatically deleted too. Now, if the code is run from the Azure VM which has the system-assigned managed identity enabled, you don't need to store credentials or secrets anywhere in the code; the authentication happens automatically via the virtual machine.

Let's quickly jump to the Azure portal and see how we can enable this. Step number one: we click on the VM, choose Identity, and enable the system-assigned managed identity. That's it; now you have an identity for the VM, or the Azure resource. Step number two: we go to the target resource, Azure SQL Database in this case, grant the VM's assigned identity access on the Azure SQL database, and click OK. It's as simple as that.

The team is super happy, and the company also started growing in business, which means more virtual machines were provisioned to handle all the extra user load. This also meant that a managed identity was created for every VM that was spun up, and this was getting slightly harder to manage. We talked about the first type, the system-assigned managed identity, earlier, where each identity is tightly coupled to the Azure resource, in this case the Azure VM. However, in a scenario where we have multiple VMs all sharing the same target resource, we would want to use a user-assigned managed identity. What this does is create an identity independent of the lifecycle of the Azure resource, and as new Azure resources are spun up for the application we just assign the identity to the new resource that gets created.

Let's quickly jump to the portal to see how we get this configured. Unlike system-assigned managed identities, user-assigned managed identities are created independent of the resource, so we'll search for Managed Identities and then click on Add. We'll create a user identity called "my user identity". Now that the identity is created, we'll go back to the new VM that was created, click on Identity, and this time choose User assigned managed identity and select the user-assigned managed identity we just created. Remember, we have only assigned the identity to the Azure resource; we still need to grant access to the identity. So let's jump back to the Azure SQL database, click on Identity and Access Management, and grant the newly created user-assigned managed identity access on the Azure SQL database.

So, to summarize the differences between system-assigned and user-assigned: you create a system-assigned managed identity as part of the Azure resource, whereas a user-assigned managed identity you create independently. With a system-assigned identity you don't need to worry about identity lifecycle management, whereas with a user-assigned identity you are responsible for the lifecycle management. A system-assigned managed identity cannot be shared across multiple resources, because it's tightly coupled to the Azure resource, whereas a user-assigned managed identity you can share.

This was great, but like we saw earlier, Azure managed identities work with any target resource that supports Azure AD authentication. So what if the target resource does not support Azure AD authentication? You could always place the keys or secrets inside an Azure Key Vault and grant the managed identity of the VM, or the Azure resource, access on that Key Vault. That way you can still authenticate and fetch a key for a resource which does not support Azure AD authentication, by leveraging Azure Key Vault. Everyone's happy.

The possibilities are endless with managed identity. It provides a safe and secure way to manage identities and secrets inside of your organization. Here is a list of services that support managed identities as of today, including Functions, App Service, and even Kubernetes pod identities. The target resource where you can authorize an Azure managed identity remains any resource that supports Azure AD authentication. Thank you for watching, I'll see you again in the next video. [Music]
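The "zero secrets in the code" claim in the video rests on one mechanism: at runtime the application asks the VM's local Instance Metadata Service (IMDS) for an Azure AD access token, and the platform, not the developer, holds the credential behind it. The Python below is an added example, not code from the video or from azuremonk. It builds that IMDS request for both a system-assigned identity and a user-assigned identity (the latter selected by passing its `client_id`, which is how one identity serves several VMs), and parses the token response. The endpoint address, the `Metadata: true` header and the query parameters are Azure's documented IMDS interface; the sample response body and the client ID value are constructed placeholders, and `fetch_token` only succeeds when run on an Azure VM that actually has a managed identity.

```python
"""Acquire an Azure AD access token from a VM's managed identity endpoint.

Added example (not from the video). The application on the VM never stores a
connection string or Key Vault credential; it asks the link-local IMDS endpoint
for a short-lived token and presents that to Azure SQL or Key Vault.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

# Link-local IMDS address; reachable only from inside the VM itself.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# Resource URIs (token audiences) for the two targets discussed in the video.
AZURE_SQL_RESOURCE = "https://database.windows.net/"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def build_token_request(resource: str, client_id: Optional[str] = None) -> urllib.request.Request:
    """Build the IMDS token request.

    With no client_id the VM's system-assigned identity is used. Passing the
    client_id of a user-assigned identity selects that identity instead.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"
    # IMDS refuses requests without this header, so a request that has merely
    # been forwarded or redirected onto the endpoint does not get a token.
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


def parse_token_response(body: str) -> dict:
    """Extract the fields an application needs from an IMDS token response."""
    data = json.loads(body)
    expires_on = int(data["expires_on"])  # IMDS returns the timestamps as strings
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "resource": data["resource"],
        "expires_on": expires_on,
        # Tokens are short-lived; callers should refresh rather than cache forever.
        "seconds_left": max(0, expires_on - int(time.time())),
    }


def fetch_token(resource: str, client_id: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Call IMDS for real. Only works on an Azure VM with a managed identity enabled."""
    req = build_token_request(resource, client_id)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


# Constructed sample in the shape IMDS returns; the token is a placeholder, and
# expires_on is set far in the future so the example parses deterministically.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.PLACEHOLDER.PLACEHOLDER",
    "expires_in": "3599",
    "expires_on": "4102444800",
    "not_before": "4102441200",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    # Placeholder client ID standing in for a user-assigned identity's client_id.
    req = build_token_request(KEY_VAULT_RESOURCE, client_id="00000000-0000-0000-0000-000000000000")
    print("GET", req.full_url)
    print("Headers:", dict(req.header_items()))
    token = parse_token_response(SAMPLE_RESPONSE)
    print("Token for", token["resource"], "expires in", token["seconds_left"], "s")
```

In production code the same exchange is normally done by the azure-identity SDK (`ManagedIdentityCredential` or `DefaultAzureCredential`), which adds caching and retries; the raw request is shown here so that what the managed identity replaces is visible. Nothing on disk or in config identifies the caller; what still needs care is the second step the video describes, the grant on the target resource, which should be the narrowest role that lets the application read the secret or query the database it needs.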
Info
Channel: azuremonk - cloud in plain english
Views: 26,536
Keywords: lessthan5min, #lessthan5min, explained, simplified, in less than 5 minutes, less than 5 minutes
Id: 1EoiGnQq14Y
Length: 7min 33sec (453 seconds)
Published: Tue May 26 2020