Here are the important points to keep in mind while configuring a managed identity (MSI) so that your application can retrieve its values from Key Vault without any credential stored on the server.
What are Managed Service Identities (MSI) & Key Vault?
Let’s take a simple Node.js application as the example.
Installing packages from a private/Azure repository requires authentication, and the usual way to provide it is to put the credentials into the “.npmrc/config” file.
That means the registry credentials are hardcoded on the server, which is not acceptable.
Anyone who gets access to that file can read your private packages and secrets. To solve this problem, Azure introduced Managed Service Identity (MSI) and Key Vault.
When you enable the identity on an app you have created on the Azure cloud platform (simply click on “Identity” in the app’s settings), the Azure resource can authenticate to other cloud services without a password, certificate or token appearing in your code or configuration.
There are two types of identities available:
- System assigned
- User assigned
- A system-assigned managed identity is enabled directly on an Azure service instance. When you enable it, Azure creates an identity for the instance in the Azure AD tenant trusted by the instance’s subscription. In simple terms, Azure provisions a credential for that instance and manages it for you; your application never sees it. Instead, the app asks a local identity endpoint for a token and presents that token to Key Vault to prove who it is. The identity lives as long as the resource: when the instance is deleted, the identity is deleted with it.
- A user-assigned managed identity is created as a standalone Azure resource. You need to create the managed identity first by following the procedure below.
Once the managed identity is created, attach it to the app by going to the app server and using the “Identity -> User assigned -> +” option there.
The difference between user-assigned and system-assigned is lifecycle: a user-assigned identity does not depend on any server’s lifespan, and the same identity can be assigned to many resources on Azure.
So the identity is the door between your app and Key Vault: only if the identity matches one of the vault’s access policies can the app fetch a secret from Key Vault, else keep 💃 .
Creating the vault is simple: search for Key Vault in the Azure search box, open the service and click on “+”.
Fill in the fields according to the naming convention you are following, then click on Create.
It will look similar to the snapshot below.
Now the important sections are:
- Access policies
- Access Control (IAM)
Access policies:
Here you decide who may reach the super-secret values you are hiding from the world. While configuring a policy, keep in mind which resources on Azure should get access, and select those resources/managed identities/apps as the principal.
Here you can also restrict the access to specific operations (Get/List/Set/Delete…). Give the app only what it needs: an application that only reads secrets needs Get (plus List if it enumerates them), not Set or Delete.
Access Control (IAM):
Configure it by clicking on “+” too, adding a role assignment that gives the member of the account the behaviour you want (Owner/Contributor/Reader…). IAM governs who can manage the vault resource itself, so keep Owner and Contributor to the few people who administer it.
Note*** In all cases, whenever you change a resource in the Azure portal, remember to click Save, else the change is not applied and you will encounter an error.
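Once the identity is enabled and the access policy grants it Get on secrets, the application side looks like the following. This is an added example, not code from the original post: a Node.js app on Azure App Service asking its managed identity endpoint for a token and using that token to read a secret from Key Vault, then rendering `.npmrc` from the fetched value instead of committing a registry token. It uses only Node 18+ built-ins (`fetch`, `URL`); the vault name `my-vault`, the secret name `npm-registry-token`, the registry URL `pkgs.example.com` and the offline fake responses are assumptions for illustration.

```javascript
// Added example, not code from the original post: a Node.js app on Azure
// App Service reading a secret from Key Vault through its managed identity,
// using only Node 18+ built-ins (fetch, URL). Vault name, secret name, the
// npm registry URL and the offline fake responses below are assumptions.

const KEY_VAULT_RESOURCE = "https://vault.azure.net";
const KV_API_VERSION = "7.4";
const MSI_API_VERSION = "2019-08-01";

// App Service injects IDENTITY_ENDPOINT and IDENTITY_HEADER once the identity is
// enabled. Pass clientId to pick a user-assigned identity; omit it for the
// system-assigned one.
function buildTokenRequest(env, resource = KEY_VAULT_RESOURCE, clientId) {
  if (!env.IDENTITY_ENDPOINT || !env.IDENTITY_HEADER) {
    throw new Error("managed identity not enabled: IDENTITY_ENDPOINT/IDENTITY_HEADER missing");
  }
  const url = new URL(env.IDENTITY_ENDPOINT);
  url.searchParams.set("api-version", MSI_API_VERSION);
  url.searchParams.set("resource", resource);
  if (clientId) url.searchParams.set("client_id", clientId);
  return { url: url.toString(), headers: { "X-IDENTITY-HEADER": env.IDENTITY_HEADER } };
}

// Secret URL: https://<vault>.vault.azure.net/secrets/<name>?api-version=7.4
// Names are validated so an attacker-controlled name cannot change host or path.
function buildSecretUrl(vaultName, secretName) {
  const safe = /^[A-Za-z0-9-]+$/;
  if (!safe.test(vaultName) || !safe.test(secretName)) {
    throw new Error("vault and secret names may only contain letters, digits and hyphens");
  }
  return `https://${vaultName}.vault.azure.net/secrets/${secretName}?api-version=${KV_API_VERSION}`;
}

async function getJson(fetchImpl, url, headers) {
  const res = await fetchImpl(url, { headers });
  if (!res.ok) throw new Error(`${url} -> HTTP ${res.status}`);
  return res.json();
}

// Token from the identity endpoint; no client secret or certificate in the app.
async function getManagedIdentityToken(env, fetchImpl, clientId) {
  const req = buildTokenRequest(env, KEY_VAULT_RESOURCE, clientId);
  const body = await getJson(fetchImpl, req.url, req.headers);
  return body.access_token;
}

// On App Service call getSecret(vault, name) with no opts: real env, real fetch.
async function getSecret(vaultName, secretName, opts = {}) {
  const { env = process.env, fetchImpl = globalThis.fetch, clientId } = opts;
  const token = await getManagedIdentityToken(env, fetchImpl, clientId);
  const body = await getJson(fetchImpl, buildSecretUrl(vaultName, secretName),
    { Authorization: `Bearer ${token}` });
  return body.value;
}

// Render .npmrc from the fetched token at deploy time instead of committing it.
function buildNpmrc(registryUrl, authToken) {
  const registry = registryUrl.endsWith("/") ? registryUrl : `${registryUrl}/`;
  const scopeHost = registry.replace(/^https?:/, ""); // "//host/path/"
  return `registry=${registry}\n${scopeHost}:_authToken=${authToken}\n`;
}

// Constructed offline stand-in for the identity endpoint and Key Vault, used
// only so the flow can be exercised without an Azure subscription.
const OFFLINE_ENV = { IDENTITY_ENDPOINT: "http://127.0.0.1:41234/msi/token", IDENTITY_HEADER: "abc123" };
async function offlineFetch(url, { headers }) {
  const reply = (status, body) => ({ ok: status === 200, status, json: async () => body });
  if (url.startsWith(OFFLINE_ENV.IDENTITY_ENDPOINT)) {
    return headers["X-IDENTITY-HEADER"] === OFFLINE_ENV.IDENTITY_HEADER
      ? reply(200, { access_token: "eyJ.fake.token", token_type: "Bearer" })
      : reply(401, {});
  }
  if (url === buildSecretUrl("my-vault", "npm-registry-token")) {
    return headers.Authorization === "Bearer eyJ.fake.token"
      ? reply(200, { value: "npm-token-value", id: "https://my-vault.vault.azure.net/secrets/npm-registry-token/1" })
      : reply(401, {});
  }
  return reply(404, {});
}

// Offline round-trip: token from the (fake) identity endpoint, then the secret.
getSecret("my-vault", "npm-registry-token", { env: OFFLINE_ENV, fetchImpl: offlineFetch })
  .then((t) => console.log(buildNpmrc("https://pkgs.example.com/npm/registry", t)));
```

Two things worth noticing: the identity endpoint only answers requests that carry the per-instance `X-IDENTITY-HEADER` value, and the Key Vault call fails with 401 unless the bearer token was issued for the `https://vault.azure.net` resource and the access policy grants the identity Get. Nothing in the repository or on the server holds the registry token at rest; the generated `.npmrc` should be written with mode 0600 and outside the source tree.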