This Microsoft Azure and Entra ID access management blog post will explain why using managed identities is a good idea and how to create one.
Microsoft-managed identities are a new generation of service accounts that do not require the management of secrets, certificates and keys. There is also no need to use a secrets management solution like Key Vault.
Microsoft Entra ID fully manages a managed identity account and can obtain authentication tokens automatically.
Managed identities do not require a rotation of credentials; they can be assigned to any resource in Azure.
Creating and Assigning Managed Identities Permissions Azure
In our case, we will create a managed identity account on a storage account on a VM and allow it to access an Azure storage account.
Open the VM in the Azure portal to create a managed identity for an Azure Virtual machine.
Click on Identity under Security
Select which type of managed identity you would like to assign.
System assigned
System-assigned identity is limited to one identity per resource but gets deleted when the resource is removed from Azure.
User assigned
A user-assigned identity can manage multiple resources and doesn’t get deleted when the resource gets deleted.
Access Resources
Once the identity has been created, it is time to use it and give it access. In our case, we created a system-assigned identity on a virtual machine (resource).
We will give the reader access to an Azure Key vault, as shown in the diagram below.
Open the Azure Key Vault resource
Click on Access Control (IAM)
Click Add
Select Add Role assignment
From the menu, select
Click Next
Click on Assign access to:
Managed identity
From the Select Members menu, locate the new identity and click Add.
After assigning the permissions, the VM can read secrets stored inside the Azure Key Vault.