Using Managed Service Identity (MSI) with an Azure App Service or an Azure Function
Instead of storing user IDs/passwords or database connection strings in source or configuration files, you should consider storing them in an Azure Key Vault.
- Azure Function 400 Bad Request
- How to connect to a database from an Azure Function
- Create an Azure Key Vault secret
- How to connect to a database from an Azure Function using Azure Key Vault
*NOTE - not all Azure features can use and/or authenticate with MSI...yet. Here is a list of Azure features that support MSI and here is a list of Azure features that can use MSI for authentication.
Prior to MSI, accessing the secret value still required passing (and therefore storing somewhere) a credential, which only made the secret harder to reach; the hole still existed. With MSI, you create an identity for any supported Azure resource and then grant that identity access to the Azure Key Vault secret, so your code never stores or passes a credential of its own.
By default, after you have created the Azure Key Vault, as I discussed here “Create an Azure Key Vault secret”, the account used during the creation has access to the Key Vault, see Figure 1. However, if I wanted to use my identity from code, I would need to store my credentials (no way!) or be prompted for them each time the code needing access to the Key Vault ran, which is also not optimal.
Figure 1, Azure Key Vault Access policies, default
You next need to create an identity for the Azure resource to which you want to give access to the Azure Key Vault secret. In this example I want to create an MSI for an Azure Function App. In Figure 2, you see the Managed service identity (Preview) link. Click on that.
Figure 2, Create a Managed service identity (MSI) for an Azure Function App or App Service
Once the next blade opens, click the On button and then Save. Baboom… once it completes, you have created the identity in AAD, see Figure 3. The identity is a service principal in your tenant that carries the same name as the Function App, which is how you find it in the next step.
Figure 3, Create a Managed service identity (MSI) for an Azure Function App or App Service in Azure Active Directory (AAD)
Then return to the Azure Key Vault, click on Access policies –> Add new –> Select principal, search for and select the newly created identity/principal, as seen in Figure 4.
Figure 4, add the principal to the Key vault for access
Also seen in Figure 4, you choose which secret permissions (Get, List, Set, Delete, etc.) the identity receives. Grant only what the app actually needs: for reading a connection string, Get is sufficient, and leaving out Set/Delete limits the damage if the Function App is ever compromised.
Click OK and then Save to allow the Azure Function App to access the Key Vault secrets, as seen in Figure 5.
Figure 5, grant permission to the principal (Azure Function App) to the Key vault for access
Now you can code your application to read the database connection string from Azure Key Vault instead of configuring it in a configuration file. This is considerably more secure: no credential for the vault ever exists in your repository or app settings. Keep in mind that the identity belongs to the Function App itself, so anyone who can deploy code to it or run code on it can use that identity; protect deployment credentials and the app accordingly.
I show the code here “How to connect to a database from an Azure Function using Azure Key Vault”.
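One way to consume the identity from the Function App, as an added example written for this page rather than the code from the linked post: the app asks the platform's local identity endpoint for an AAD token scoped to Key Vault (resource https://vault.azure.net), then calls the Key Vault REST API (api-version 7.4) with that token as a bearer token. The endpoint address and per-app header secret arrive as environment variables (IDENTITY_ENDPOINT/IDENTITY_HEADER today, MSI_ENDPOINT/MSI_SECRET in the preview this post describes), so the code holds no credential of its own. The vault name contoso-kv, the secret name SqlConnectionString, the FakePlatform class and the http_get parameter are assumptions made for the example so it runs offline; production code simply uses the default transport.

```python
"""Read a connection string from Key Vault using the Function App's managed identity.

Added example, not code from the original post. Only the standard library is used.
The `http_get` parameter is a hypothetical injection point so the flow can be run
offline against the constructed FakePlatform below.
"""
import json
import os
import urllib.parse
import urllib.request

KEY_VAULT_RESOURCE = "https://vault.azure.net"  # AAD audience for Key Vault tokens


def _default_http_get(url, headers):
    """Real transport: plain GET, returns (status, body)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


def identity_endpoint_request(resource, env=None):
    """Build (url, headers) for the platform's local identity endpoint.

    App Service / Functions inject IDENTITY_ENDPOINT + IDENTITY_HEADER today; the
    original MSI preview injected MSI_ENDPOINT + MSI_SECRET. Both are handled.
    """
    env = os.environ if env is None else env
    if "IDENTITY_ENDPOINT" in env:
        base, secret = env["IDENTITY_ENDPOINT"], env["IDENTITY_HEADER"]
        header, api_version = "X-IDENTITY-HEADER", "2019-08-01"
    elif "MSI_ENDPOINT" in env:
        base, secret = env["MSI_ENDPOINT"], env["MSI_SECRET"]
        header, api_version = "Secret", "2017-09-01"
    else:
        raise RuntimeError("no identity endpoint in environment; is MSI turned On for this app?")
    query = urllib.parse.urlencode({"resource": resource, "api-version": api_version})
    return f"{base}?{query}", {header: secret}


def get_managed_identity_token(resource, env=None, http_get=_default_http_get):
    """Exchange the app's identity for a bearer token valid for `resource`."""
    url, headers = identity_endpoint_request(resource, env)
    status, body = http_get(url, headers)
    if status != 200:
        raise RuntimeError(f"identity endpoint returned {status}: {body}")
    return json.loads(body)["access_token"]


def get_key_vault_secret(vault_name, secret_name, env=None, http_get=_default_http_get):
    """Read the latest version of a secret; requires only the Get secret permission."""
    token = get_managed_identity_token(KEY_VAULT_RESOURCE, env, http_get)
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.4"
    status, body = http_get(url, {"Authorization": f"Bearer {token}"})
    if status == 403:
        # The identity exists but was never added to the vault's access policy.
        raise PermissionError(f"identity is not granted Get on secrets in {vault_name}")
    if status != 200:
        raise RuntimeError(f"Key Vault returned {status}: {body}")
    return json.loads(body)["value"]


class FakePlatform:
    """Constructed offline stand-in for the identity endpoint and Key Vault (assumption)."""

    TOKEN = "eyJ.fake.token"

    def __init__(self, vault_name, secrets, header_secret):
        self.vault_name, self.secrets, self.header_secret = vault_name, secrets, header_secret
        self.calls = []  # (url, headers) pairs, kept for inspection

    def get(self, url, headers):
        self.calls.append((url, headers))
        if "/msi/token" in url:
            presented = headers.get("X-IDENTITY-HEADER") or headers.get("Secret")
            if presented != self.header_secret:
                return 401, "bad or missing identity header"
            return 200, json.dumps({"access_token": self.TOKEN, "token_type": "Bearer"})
        if url.startswith(f"https://{self.vault_name}.vault.azure.net/secrets/"):
            if headers.get("Authorization") != f"Bearer {self.TOKEN}":
                return 401, "Unauthorized"
            name = url.split("/secrets/", 1)[1].split("?", 1)[0]
            if name not in self.secrets:
                return 403, "Forbidden"  # what Key Vault returns when the policy is missing
            return 200, json.dumps({"value": self.secrets[name]})
        return 404, "Not Found"


# Constructed environment mimicking what the platform injects into the Function App.
FAKE_ENV = {
    "IDENTITY_ENDPOINT": "http://127.0.0.1:41234/msi/token",
    "IDENTITY_HEADER": "fake-header-secret",
}
FAKE_CONNECTION_STRING = "Server=tcp:contoso.database.windows.net,1433;Database=app;"


def demo():
    """Run the flow end to end against the fake; returns the connection string."""
    fake = FakePlatform("contoso-kv", {"SqlConnectionString": FAKE_CONNECTION_STRING},
                        "fake-header-secret")
    return get_key_vault_secret("contoso-kv", "SqlConnectionString",
                                env=FAKE_ENV, http_get=fake.get)


if __name__ == "__main__":
    print(demo())
```

In a real Function App, call `get_key_vault_secret("<your-vault>", "<secret-name>")` with the defaults and hand the result to your database client. The 403 branch is the symptom you see when the Save in Figure 5 was skipped: the token is valid, the identity simply is not in the access policy.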