Enhance app security with Azure Managed Identity

“Enhancing App Security with Azure Managed Identities” is the topic of this article. We will explore how to strengthen app security by eliminating exposed keys, connection strings, and direct Key Vault references from the configuration of your function apps, and we will demonstrate how to do so without relying on any of that sensitive data.

Problem

Many developers store connection strings in configuration files as plaintext. Alternatively, to improve security, connection strings are often stored in Azure Key Vault and referenced from the function configuration. However, this seemingly secure approach still carries a risk: anyone with access to the vault or the configuration can retrieve the connection string and use it to reach your resources, because the string itself is the credential. It also brings practical problems:

  1. A lot of security keys
  2. A lot of key-vault references in the configuration
  3. Managing those keys per environment
  4. Monitoring who is accessing which app and when

Solution

All the problems mentioned above have a single solution: get rid of all keys.

“Get rid of all keys”? How will we access resources at all? Microsoft provides an out-of-the-box solution to this question.

Managed Identity

What exactly is Managed Identity?

Managed identities represent a seamless solution for identity management within Azure Active Directory (Azure AD). They cater to applications that require access to Azure AD-authenticated resources, facilitating the acquisition of Azure AD tokens without the need to manage explicit credentials.

Advantages of Managed Identities

The merits of Managed Identities are numerous:

  1. Elimination of Credential Storage: With Managed Identities, there’s no longer a need to store credentials anywhere. Moreover, these credentials are inaccessible to users as they are internally managed by Azure AD.
  2. Versatility: Managed Identities can be employed across a wide array of resources that support Azure AD Authentication.
  3. Cost-Efficiency: Notably, there are no additional costs associated with utilizing Managed Identities.

Two Varieties of Managed Identity

Managed Identity comes in two flavors:

  1. System-assigned: This type is inherent to the resource and cannot be separately allocated.
  2. User-assigned: Unlike the system-assigned variety, user-assigned managed identities can be explicitly assigned to specific resources.

In this article, our focus will be on System-assigned managed identities.

System-assigned Managed Identity

Some Azure resources, such as Service Bus queues, Event Hubs, Storage Accounts, Cosmos DB, and Function Apps, support managed identity directly at the resource level.

[Image: Secure resources using Azure Managed Identities]

If you click on Azure role assignments, you will see every resource that this function app has been granted access to.

[Image: Secure resources using Azure Managed Identities]

These resources are accessible from this function app. In the first column you can see the role assigned to the function app for each resource; for example, the Azure Service Bus Data Sender role is assigned to the function app on the Service Bus queue, which allows the function to send messages to that queue without any connection string.

How to add your resource to this list?

There are two ways to do it:

  1. You can register your function app in the resource’s IAM menu
  2. You can use PowerShell to do it

We are going to add it via the Azure portal. Follow the steps below.

Step 1

Go to your function app and enable the system-assigned managed identity.

[Image: Secure resources using Azure Managed Identities]

This creates a service principal for your function app and registers it in Azure AD.

Step 2

Go to the resource you want your function app to access. In this case, it is a service bus queue.

Step 3

Click the Add button at the top, then Add role assignment.

[Image: Enhancing app security with Azure Managed Identities]

Step 4

From the given list, select the role you want to assign to your function app to access this queue.

Step 5

  1. In the role assignment window, you can see your role in the Selected role label.
  2. In Assign access to, select Managed identity.
  3. In Members, click on +Select members.
  4. In the panel that opens on the right side, select your subscription.
  5. Select the managed identity type. In our case, this is Function App.
  6. Then search for your function app by name.

[Image: Secure apps using Azure Managed Identities]

Click Review + assign.

Code changes

After all these steps, we must modify our code to support managed identity.

To instantiate ServiceBusClient, we will use the FullyQualifiedNamespace of the Service Bus, and in place of the connection string, we pass an instance of the DefaultAzureCredential class.

new ServiceBusClient("FullyQualifiedNamespace", new DefaultAzureCredential()).CreateSender("QueueName");

What is FullyQualifiedNamespace?

It is the complete host name of your Service Bus namespace, i.e., <servicebusname>.servicebus.windows.net

Note: to use managed identity, we must use the Microsoft NuGet packages whose names start with Azure.Messaging (Azure.Messaging.ServiceBus, Azure.Messaging.EventHubs, and so on), together with Azure.Identity, which provides DefaultAzureCredential.
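As an added example (not code from the original post), here is a complete sender built on the one-liner above: a static class that creates the ServiceBusClient once from the fully qualified namespace and DefaultAzureCredential, reads the namespace and queue name from app settings, and surfaces a missing role assignment as a clear error. The app setting names ServiceBusNamespace and ServiceBusQueueName, and the class and method names, are assumptions for this example. It needs the Azure.Messaging.ServiceBus and Azure.Identity packages.

```csharp
// Added example, not from the original post. Sends to a Service Bus queue using the
// function app's system-assigned managed identity instead of a connection string.
// NuGet: Azure.Messaging.ServiceBus, Azure.Identity
// Assumed app settings (names chosen for this example):
//   ServiceBusNamespace  = <servicebusname>.servicebus.windows.net
//   ServiceBusQueueName  = name of the queue
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Messaging.ServiceBus;

public static class QueueSender
{
    // One client per process: ServiceBusClient is thread-safe and reuses the
    // connection and the token it obtains from the managed identity endpoint.
    private static readonly ServiceBusClient Client = new ServiceBusClient(
        RequireSetting("ServiceBusNamespace"),
        new DefaultAzureCredential()); // in Azure this resolves to the managed identity

    private static readonly ServiceBusSender Sender =
        Client.CreateSender(RequireSetting("ServiceBusQueueName"));

    public static async Task SendAsync(string body)
    {
        var message = new ServiceBusMessage(body) { ContentType = "text/plain" };
        try
        {
            await Sender.SendMessageAsync(message);
        }
        catch (UnauthorizedAccessException ex)
        {
            // Raised when the identity authenticated but lacks the Azure Service Bus
            // Data Sender role on the queue or namespace: fix the RBAC assignment.
            throw new InvalidOperationException(
                "Managed identity is not authorized to send to this queue; " +
                "check its role assignment on the Service Bus resource.", ex);
        }
    }

    // Fail fast on a missing setting rather than letting an empty namespace
    // produce a confusing connection error at first send.
    private static string RequireSetting(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"App setting '{name}' is not configured.");
}
```

Two practical notes. When you run this locally, DefaultAzureCredential falls back to your own developer identity (for example the Azure CLI or Visual Studio login), so that identity also needs the Azure Service Bus Data Sender role on the queue for local testing; an authorization failure there is an RBAC gap, not a code bug. If you also use the Functions Service Bus trigger or output binding, it supports the same identity-based connection through an app setting named <ConnectionName>__fullyQualifiedNamespace set to the host name above, so no connection string is needed there either.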

Conclusion

After this, we are all set to use our app without a connection string.

  • Much more secure than storing keys in Key Vault
  • We do not have to manage any keys ourselves
  • Only users and apps which have correct roles and permissions will be able to access the resource.

Cheers.
