Managed Identities for Azure Resources

What Are Managed Identities?

Managed identities provide an automatically managed identity in Microsoft Azure for applications to use when connecting to resources that support Microsoft Azure authentication. They eliminate the need for developers to manage credentials directly. Here are some key points:

  • Credentials Management: Developers no longer need to handle secrets, credentials, certificates, or keys manually.
  • Azure Key Vault Integration: While secrets can be securely stored in Azure Key Vault, services still need a way to access Key Vault. Managed identities bridge this gap.
  • Authentication: Applications can use managed identities to obtain Microsoft Azure tokens without managing any credentials.

System-assigned Managed Identity

  1. Lifecycle Tied to Resource
    • System-assigned managed identities are directly tied to specific Azure resources (e.g., virtual machines).
    • When you enable a system-assigned managed identity:
      • A special type of service principal is created in Microsoft Azure AD for that resource.
      • The service principal’s lifecycle is linked to the Azure resource itself.
      • If the resource is deleted, Azure automatically removes the associated service principal.
    • Only the specific Azure resource can use this identity to request tokens from Azure AD.
    • The name of the system-assigned service principal matches the name of the Azure resource.
  2. Authorization
    • You authorize the system-assigned managed identity to access one or more services.
    • For deployment slots, the system-assigned identity’s name follows the pattern <app-name>/slots/<slot-name>.

User-assigned Managed Identity

  1. Standalone Azure Resource
    • User-assigned managed identities are created as standalone Azure resources.
    • You can explicitly create and assign them to one or more Azure resources (e.g., virtual machines, Azure Logic Apps, or Azure Web Apps).
    • Unlike system-assigned identities, user-assigned identities are decoupled from the lifecycle of any specific Azure resource.
    • They can be shared across multiple resources.
  2. Authorization
    • You authorize the user-assigned managed identity to access one or more services.
    • These identities can be used by multiple resources, making them more flexible.
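How a workload on a VM actually obtains a token with either identity type, as an added example that is not part of the original page: it builds the request to the Azure Instance Metadata Service (IMDS) token endpoint, which is reachable only from inside an Azure VM, and parses the JSON reply. Omitting client_id selects the system-assigned identity; passing the client_id of a user-assigned identity selects that one. Any resource URL, client_id or response body you feed to the offline functions is your own constructed sample.

```python
"""Acquire a managed-identity token from the Azure IMDS endpoint.

Added illustration, not code from the original page. The token endpoint is
only reachable from inside an Azure VM; the request-building and
response-parsing functions can be exercised offline.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_request(resource: str, client_id: Optional[str] = None):
    """Return (url, headers) for a token request.

    Without client_id the VM's system-assigned identity answers; the
    client_id of a user-assigned identity selects that identity instead.
    The 'Metadata: true' header is mandatory: IMDS rejects requests that
    lack it, which is its mitigation against server-side request forgery.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}", {"Metadata": "true"}


def parse_token_response(body: str, now: Optional[float] = None) -> dict:
    """Extract the bearer token and its remaining lifetime from an IMDS reply."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError("unexpected IMDS token response")
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "resource": data.get("resource"),
        "seconds_remaining": max(0, int(int(data["expires_on"]) - now)),
    }


def fetch_token(resource: str, client_id: Optional[str] = None) -> dict:
    """Request a token from IMDS; only works on an Azure VM with an identity."""
    url, headers = build_imds_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode())
```

On a VM, fetch_token("https://vault.azure.net") returns a token for Key Vault from the system-assigned identity. Note that IMDS answers any process on the VM that sends the Metadata header, so the role assignments granted to the identity, not the endpoint itself, are the security boundary.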

When to Use Each Type?

System-assigned Managed Identity

  • Use when you want a managed identity tied directly to a specific Azure resource.
  • Ideal for scenarios where the identity’s lifecycle matches the resource’s lifecycle (e.g., VMs).
  • Simpler setup, since the identity is created automatically when you enable it on the resource.

User-assigned Managed Identity

  • Use when you need a standalone identity decoupled from any specific resource.
  • Great for scenarios where multiple resources share the same identity.
  • Suits a broader range of scenarios, since one identity can be created once and reused across resources.

Remember, both types of managed identities provide secure authentication without exposing credentials. Choose the one that best fits your application architecture and requirements.