5.2 Managed Identities

Video Transcription
Welcome back. In this episode, we're going to take a look at managed identities.
The objectives include understanding what managed identities are and then taking a look at a demo out in our Azure portal.
So first, as always, what are managed identities? This is a feature of Azure Active Directory that lets an Azure resource authenticate to any service that supports Azure Active Directory authentication.
The scenario here would be a developer building an application that needs to access cloud resources. The application has to authenticate to those resources without storing credentials inside the application source code. A managed identity solves this problem by creating a service principal for the resource inside of Azure AD.
You can then use this identity to authenticate to other services without putting credentials in your code. For example, and we'll see this in the demo, we can provision a managed identity for a virtual machine and then grant that virtual machine's managed identity permissions to query or access other resources.
The code running on the virtual machine is authenticated automatically, and we don't have to worry about managing usernames or passwords. Hence the "managed" portion of managed identities.
We do have two types of managed identities that we can work with. The first is system-assigned, and it's enabled directly on the service instance, meaning Azure creates the identity for the instance (the resource) in the tenant, and it's trusted by the subscription of that instance. The credentials are then provisioned onto the instance for it to use.
When the instance or resource is deleted, the managed identity and its credentials are also deleted automatically. This is the type we're going to use inside of our demo when we enable a managed identity for a virtual machine. Our second type of managed identity is user-assigned,
and this is created as a standalone resource and is not tied to a specific service or other Azure resource.
Azure creates an identity that can be assigned to one or more service instances. This identity is managed separately from the service it is assigned to, meaning it will persist after the service it is assigned to is deleted.
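To make the lifecycle difference concrete, here is an added example (not part of the course's own demo) that enables both identity types on a VM with the Az PowerShell module and grants each one Reader on a resource group. The resource group name identity-rg, the VM name VM01, the identity name app-identity and the region eastus are assumptions; substitute your own, and run Connect-AzAccount first.

```powershell
# Added example: system-assigned vs user-assigned managed identities with the Az module
# (Az.Accounts, Az.Compute, Az.ManagedServiceIdentity, Az.Resources). Not the course's script.
# Assumed names: resource group "identity-rg", VM "VM01", identity "app-identity", region "eastus".

$rg     = "identity-rg"
$vmName = "VM01"
$subscriptionId = (Get-AzContext).Subscription.Id
$scope  = "/subscriptions/$subscriptionId/resourceGroups/$rg"

# 1) System-assigned: the identity is part of the VM resource. Azure creates the service
#    principal in the tenant and removes it when the VM is deleted.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null

# Re-read the VM to pick up the principal ID Azure generated.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$systemPrincipalId = $vm.Identity.PrincipalId
Write-Host "System-assigned principal: $systemPrincipalId"

# Grant the VM's identity Reader on the resource group (same as the portal "Add role assignment"
# step). If this fails with PrincipalNotFound right after enabling, wait a moment and retry:
# the new service principal can take a short time to replicate.
New-AzRoleAssignment -ObjectId $systemPrincipalId -RoleDefinitionName Reader -Scope $scope

# 2) User-assigned: a standalone resource with its own lifecycle. It can be attached to several
#    VMs, Function Apps, etc., and survives when any of them is deleted.
$uai = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name "app-identity" -Location "eastus"
Write-Host "User-assigned principal: $($uai.PrincipalId), client ID: $($uai.ClientId)"

# Attach it to the VM alongside the system-assigned identity.
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssignedUserAssigned `
    -IdentityId $uai.Id | Out-Null

# Role assignments for the user-assigned identity target its own principal, so they stay in
# place after the VM is removed. Remove them deliberately when the identity is retired.
New-AzRoleAssignment -ObjectId $uai.PrincipalId -RoleDefinitionName Reader -Scope $scope
```

The practical consequence: deleting VM01 silently cleans up the system-assigned identity and its role assignments, while app-identity and its Reader assignment remain until someone deletes them, which is exactly the behaviour you want when several services share one identity and exactly the thing to audit when they no longer do.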
Now let's jump out to the Azure portal so we can take a look at how to create managed identities and see exactly how one is granted access and authorization to other Azure resources.
Back in our Azure portal for our demo, we're going to use a managed identity on a virtual machine.
Before we get started, I want to show both ways that we can enable this on a virtual machine. So first, let's go create a virtual machine.
Now we're pretty familiar with how to create a virtual machine, so I'm going to just bypass some of these options initially. But let's go check out the Management tab.
If we scroll down, we have the option to create a system-assigned managed identity when we create the virtual machine. So here I'm just illustrating that we can create a system-assigned identity at the time we create the virtual machine.
In this case, we're not going to do that, so let me cancel out.
Let's go into a virtual machine I have already created,
and under Settings, if we scroll down
and select Identity,
here we have the option of turning on a system-assigned managed identity.
We also have the option of taking an existing user-assigned managed identity and associating it with this virtual machine.
But for right now, let's just go ahead and go back to System assigned
and change the status to On.
We'll save our changes.
This is just showing that the virtual machine is going to be registered with Azure Active Directory. When this is done, the virtual machine can be granted permissions to access different resources, just like we do with a user identity or a group.
Let's go ahead and enable it.
Now that we have our identity, I'm going to go back to Overview,
and I'm going to connect to our virtual machine over RDP.
So here I've logged into our VM01 virtual machine and opened up an admin PowerShell window.
What we're going to be doing is using the managed identity we've created for VM01 and using it to make a call out to Azure Resource Manager.
Let's jump over to Notepad. I've got all the commands documented that we're going to run.
This first command is just Invoke-WebRequest, and we're going to call it against this IP address here, 169.254.169.254.
This is the Azure Instance Metadata Service, a link-local endpoint that is only reachable from inside the virtual machine itself,
and what we're going to be doing is making a request to its managed identity endpoint for an Azure resource. What we'll get back is an access token for the Azure Resource Manager service.
Let's go ahead and copy this.
Let's take a look at the response variable that we saved this into.
Inside the content, we have an access token and a little bit more information.
Let's take our response, extract out the content portion of it, convert it from JSON,
and save it to the content variable.
Let's take a look at the content variable.
So now we see we have an access token as well as our client ID and some expiration information.
Let's take this one step further.
Let's take that access token and save it to its own variable. If we take a look at its contents, we've got our access token saved to this variable, and this is what's going to allow us to connect to the ARM service.
Let's clear the screen real quick,
and back in Notepad, what we're going to do now is invoke another web request out to management.azure.com.
Here I'm making a request to my subscription GUID,
and what we're going to be doing is just querying a resource group. The name of the resource group that I have is just called identity-rg.
And we're including that access token inside the Authorization header as a Bearer token.
Let's go ahead and grab this command,
and you're going to see we get an error saying we don't have authorization to perform this action.
What that's saying is our virtual machine, VM01, does not have the authorization to access our identity-rg resource group to pull back information about it. Authentication worked (ARM accepted the token and knows who we are); what's missing is authorization on that scope.
So let's jump back to the Azure portal.
Here I have the identity-rg resource group already open to the Overview page. Let's go into Access control (IAM).
Let's click on Add
role assignment.
I'm going to select just the Reader role,
and I'm going to assign this permission to VM01.
What comes up is the managed identity for our VM01 virtual machine, meaning we can assign it permissions to other Azure resources.
Let's go ahead and save this.
If we go to Role assignments,
we see down here at the bottom that the virtual machine VM01 has Reader access to this resource group. So you can see we've taken our managed identity and we can now give it access to other Azure resources if we need to query them or perform some kind of action against them. Let's switch back to our virtual machine
and let's run our command again.
You see, this time we get a different response. We actually get an answer back showing the ID of our resource group, the name of it, the location, and also some properties saying the provisioning state is Succeeded.
So what we did here is we gave a managed identity to VM01. We then granted VM01 access to read our identity-rg resource group. We acquired an access token for the Azure Resource Manager service, and then we used that access token to invoke a web request against the resource group.
I hope this demo cements the concept of managed identities for you, where we created an identity for a virtual machine and then gave it authorization to access other resources inside of Azure. Anything running on this virtual machine, whether it's an application or just simple PowerShell commands like this,
can then query our resource group.
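The whole demo as one script, added here as a worked example rather than the exact commands from the instructor's Notepad: request a token from the Instance Metadata Service, pull the access token out of the JSON, and call Azure Resource Manager for the resource group. The subscription ID placeholder, the resource group name identity-rg and the ARM api-version are assumptions; run it on the VM itself, since IMDS is only reachable from inside the instance.

```powershell
# Added example (not the course's own script): acquire an ARM token from the VM's managed
# identity via the Instance Metadata Service (IMDS), then read a resource group with it.
# Assumed values: $subscriptionId placeholder, resource group "identity-rg". Run on the VM.

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # assumption: replace with yours
$resourceGroup  = "identity-rg"

# Link-local IMDS endpoint. The "Metadata: true" header is mandatory: IMDS rejects requests
# without it, so a browser-style redirect (e.g. from an SSRF bug in a web app on this VM)
# cannot reach the token endpoint on its own.
$imdsUri = "http://169.254.169.254/metadata/identity/oauth2/token" +
           "?api-version=2018-02-01&resource=https://management.azure.com/"

$response = Invoke-WebRequest -Uri $imdsUri -Method GET `
    -Headers @{ Metadata = "true" } -UseBasicParsing
$content     = $response.Content | ConvertFrom-Json
$accessToken = $content.access_token

# Show the token metadata without echoing the token itself: it is a bearer credential, and
# anything that can read it can act as this VM until it expires.
$expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$content.expires_on)
Write-Host "Token for client $($content.client_id) expires at $expires"

# Call ARM with the token as a Bearer credential. Before the Reader role assignment this
# fails with AuthorizationFailed; after it, the resource group comes back.
$armUri = "https://management.azure.com/subscriptions/$subscriptionId" +
          "/resourceGroups/$resourceGroup?api-version=2021-04-01"
try {
    $rg = Invoke-RestMethod -Uri $armUri -Method GET `
        -Headers @{ Authorization = "Bearer $accessToken" }
    $rg | Format-List id, name, location
    Write-Host "provisioningState: $($rg.properties.provisioningState)"
}
catch {
    # AuthorizationFailed means the identity authenticated but has no role on this scope.
    # The fix is a role assignment, never a credential pasted into the script.
    Write-Warning "ARM call failed: $($_.Exception.Message)"
}
```

Two things worth keeping in mind when you lift this into an application: use the identity's token only for the scope it was issued for (the resource parameter), and treat the IMDS endpoint as sensitive. Any code that can make an HTTP request from the VM, including a compromised web process, can ask for the same token, which is why the role you assign should be as narrow as Reader on one resource group rather than Contributor on the subscription.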
Let's jump back to the slides and wrap this up.
Following up from the demo, we tested out a managed identity on a Windows virtual machine, but they're also available for Linux virtual machines, and you can create managed identities and associate them with other services like App Service, Functions, Logic Apps, Service Bus, Event Hubs or Container Registry.
These are all services we've looked at previously in this course.
Coming up next, we're going to take a look at another security feature we can use called Azure Key Vault. See you in the next episode.