Secure Resources Using Azure Managed Identities

Introduction

In this article, we will discuss how to secure your application by removing naked keys, connection strings and key vault references from the configuration of your function apps, so that the app can reach its resources without any of them.

Problem

A vast majority of developers store their connection strings directly in configuration as plain text. To make them more secure, we store them in a key vault and then use a key vault reference in the function configuration. That seems correct, but anyone with access to the key vault can read the connection string and use it to reach your resources from anywhere, which leaves your resources vulnerable. On top of that, this approach means dealing with:

  1. A lot of security keys
  2. A lot of key-vault references in the configuration
  3. Managing those keys per environment
  4. Monitoring who is accessing which app and when

Solution

All the problems mentioned above have a single solution: get rid of all keys.

"Get rid of all keys?" Then how will we access resources at all?

Managed Identity

What is managed Identity?

“Managed identities provide an automatically managed identity in Azure Active Directory (Azure AD) for applications to use when connecting to resources that support Azure AD authentication. Applications can use managed identities to obtain Azure AD tokens without having to manage any credentials.”

Benefits of Managed Identities

  1. No need to store credentials anywhere. The credentials are not even accessible to you; they are managed internally by Azure AD.
  2. Managed identity can be used with any resource that supports Azure AD authentication.
  3. There is no extra cost.

There are two types of managed identity:

  1. System-assigned
  2. User-assigned

In this article, we will be discussing system-assigned managed identity.

System-assigned Managed Identity

A number of Azure resources support managed identity directly at the resource level, such as Service Bus queues, Event Hubs, Storage Accounts, Cosmos DB and Function Apps.


If you click on Azure role assignments, you will see all the resources that this function app is allowed to access.


These are the resources accessible through this function app. In the first column you can see the roles assigned to the function app on each resource; for example, the Azure Service Bus Data Sender role is granted to the function app on the Service Bus queue, which lets the function send messages to that queue without any connection string.

How do you add your resource to this list?

There are two ways to do it:

  1. You can register your function app in the resource's IAM menu
  2. You can use PowerShell to do it

We are going to add it via the Azure portal. Follow the steps below.

Step 1

Go to your function app and enable managed identity.


This will create a service principal for your function app and register it in Azure AD.

Step 2

Go to the resource you want your function app to access. In this case, it is a service bus queue.

Step 3

Click on the Add button at the top and then on Add role assignment.


Step 4

From the given list, select the role you want to assign to your function app to access this queue.

Step 5

  1. In the role assignment window, you can see your role in the Selected role label.
  2. In Assign access to, select Managed identity.
  3. In Members, click on +Select members.
  4. A panel opens on the right side.
  5. Select your subscription.
  6. Select the managed identity type. In our case, this is Function App.
  7. Then search for your function app by name.


Click Review + assign.

Code changes

After all these steps, we must modify our code to support managed identity.

To instantiate ServiceBusClient, we will use the FullyQualifiedNamespace of the Service Bus, and in place of the connection string we pass an instance of the DefaultAzureCredential class.

// Requires the Azure.Messaging.ServiceBus and Azure.Identity NuGet packages
var sender = new ServiceBusClient("FullyQualifiedNamespace", new DefaultAzureCredential()).CreateSender("QueueName");

What is FullyQualifiedNamespace?

It is the full host name of your Service Bus namespace, i.e., <servicebusname>.servicebus.windows.net

Note: For managed identity, we must use the Microsoft NuGet packages whose names start with Azure., such as Azure.Messaging.ServiceBus, Azure.Messaging.EventHubs and so on.
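The one-liner above is the whole code change, but it helps to see it inside a complete function. The following is an added example written for this article, not code from the original post or from the Azure SDK. It assumes the .NET isolated worker model, the Azure.Messaging.ServiceBus, Azure.Identity and Microsoft.Azure.Functions.Worker.Extensions.Timer packages, and two app settings with constructed names (ServiceBusNamespace and ServiceBusQueueName) that contain no secret material. It shows the connection-string version beside the managed identity version, creates the client once per process, and separates the two ways the call can fail: the identity was never enabled (Step 1) versus the identity exists but has no role on the queue (Step 4).

```csharp
// Added example (not from the original article). Assumes the .NET isolated worker
// model and these constructed app settings, which hold no secrets:
//   ServiceBusNamespace = <servicebusname>.servicebus.windows.net
//   ServiceBusQueueName = orders
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Messaging.ServiceBus;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Extensions.Logging;

public sealed class OrderPublisher
{
    // One client and sender per process: both are thread-safe, keep the AMQP
    // connection open, and refresh the Azure AD token themselves when it expires.
    // Lazy so that a missing setting surfaces as a clear exception on first use.
    private static readonly Lazy<ServiceBusSender> Sender = new(() =>
        CreateClient().CreateSender(RequireSetting("ServiceBusQueueName")));

    private static ServiceBusClient CreateClient()
    {
        // BEFORE (the pattern the article argues against): a shared access key
        // lives in configuration, and whoever reads it can use it from anywhere.
        //   return new ServiceBusClient(RequireSetting("ServiceBusConnection"));

        // AFTER: only the host name is configured. DefaultAzureCredential uses the
        // system-assigned managed identity when running in Azure and falls back to
        // developer credentials (Azure CLI, Visual Studio, ...) when run locally.
        return new ServiceBusClient(
            RequireSetting("ServiceBusNamespace"),
            new DefaultAzureCredential());
    }

    private static string RequireSetting(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"App setting '{name}' is not set.");

    [Function(nameof(PublishOrder))]
    public async Task PublishOrder(
        [TimerTrigger("0 */5 * * * *")] TimerInfo timer,
        FunctionContext context)
    {
        var log = context.GetLogger<OrderPublisher>();

        // Constructed payload for the example.
        var message = new ServiceBusMessage("{\"orderId\":42}")
        {
            ContentType = "application/json"
        };

        try
        {
            await Sender.Value.SendMessageAsync(message);
            log.LogInformation("Message sent with the function app's managed identity.");
        }
        catch (AuthenticationFailedException ex)
        {
            // No token could be obtained: typically the identity was never enabled
            // on the function app (Step 1).
            log.LogError(ex, "Managed identity is not available to this function app.");
            throw;
        }
        catch (UnauthorizedAccessException ex)
        {
            // A token was obtained but Service Bus rejected it: the identity lacks the
            // Azure Service Bus Data Sender role on this queue or namespace (Step 4).
            log.LogError(ex, "Role assignment is missing for the function app identity.");
            throw;
        }
    }
}
```

Nothing in the app settings is worth stealing any more: the namespace host name is public information, and a token can only be obtained from inside the function app itself. Keeping the two catch blocks apart also makes the role assignment problem visible in the logs as an authorization failure rather than a generic send error.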

Conclusion

After this, we are all set to use our function app without a connection string.

  • Much more secure than storing keys in key-vault
  • We do not have to manage any keys ourselves
  • Only users and apps which have correct roles and permissions will be able to access the resource.

Cheers.