How-to: FunctionApps to KeyVault authorization using ManagedIdentities

Centralizing application secrets in Azure Key Vault lets you control who gets them and when. It also reduces the chance of an accidental leak, because the application no longer has to hold security-sensitive values itself or carry them in its source code and configuration.

For example, an application that needs to connect to a database should keep the connection string in Key Vault rather than in its code or deployment files.

An application can authenticate to Key Vault with a client secret or a certificate, but that credential then has to live in a configuration file or in code, which only moves the problem: the bootstrap secret still needs protecting. With a managed identity and Azure AD authentication there is no credential to store at all; the hosting platform issues the function app a token on request.

Configuration steps

  • To let a function app read keys and secrets from Key Vault with a user-assigned managed identity, first create the user-assigned managed identity.
  • Assign it to the function app under its Identity settings, which allows the app to use this identity.
  • In the Key Vault's Access Policies, grant the user-assigned managed identity only the permissions the function needs (for reading secrets, Get is enough). If the vault uses Azure RBAC instead of access policies, assign the identity the Key Vault Secrets User role instead.
  • Finally, add the application setting AzureServicesAuthConnectionString to the function app's Application settings, with the ClientId of the user-assigned managed identity in the form RunAs=App;AppId=<ClientId> [2].
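
The same four steps as an Azure CLI script, added here as an example (it is not part of the original how-to). The resource group, location, identity, function app and vault names are assumed placeholders, the function app and the vault are assumed to exist already, and the script only changes anything when started with the argument "apply". The helper that builds the AzureServicesAuthConnectionString value refuses anything that is not a GUID, so a mangled or empty ClientId is caught before it reaches the app settings.

```shell
#!/bin/sh
# Added example, not from the original article: the four configuration steps
# as an Azure CLI script. All names below are assumed placeholders.
# Usage:  sh setup.sh apply   (requires a logged-in "az")
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-kv-demo}"      # assumed
LOCATION="${LOCATION:-westeurope}"                   # assumed
IDENTITY_NAME="${IDENTITY_NAME:-id-func-kv-demo}"    # assumed, created below
FUNCTION_APP="${FUNCTION_APP:-func-kv-demo}"         # assumed, must already exist
KEY_VAULT="${KEY_VAULT:-kv-demo}"                    # assumed, must already exist

# The AppAuthentication library selects a user-assigned identity through
# "RunAs=App;AppId=<client id>". Only build that string from a value that
# really looks like a GUID; anything else is a copy/paste error.
auth_connection_string() {
  client_id="$1"
  if ! printf '%s\n' "$client_id" \
      | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "refusing to build connection string: '$client_id' is not a GUID" >&2
    return 1
  fi
  printf 'RunAs=App;AppId=%s\n' "$client_id"
}

apply() {
  # Step 1: create the user-assigned managed identity and keep its three ids:
  # clientId (for the connection string), principalId (for the vault policy)
  # and the ARM resource id (for attaching it to the app).
  az identity create -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" -l "$LOCATION" -o none
  client_id=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query clientId -o tsv)
  principal_id=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query principalId -o tsv)
  identity_id=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query id -o tsv)

  # Step 2: attach the identity to the function app.
  az functionapp identity assign -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --identities "$identity_id" -o none

  # Step 3: least privilege on the vault: the function only reads secrets, so
  # grant Get only. The policy is keyed on the principal (object) id, not the client id.
  az keyvault set-policy -n "$KEY_VAULT" --object-id "$principal_id" \
    --secret-permissions get -o none

  # Step 4: tell the library which identity to use.
  conn=$(auth_connection_string "$client_id")
  az functionapp config appsettings set -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --settings "AzureServicesAuthConnectionString=$conn" -o none
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Re-running the script is safe: "az identity create" updates an existing identity in place, and the policy and app-setting commands overwrite rather than append.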
     

Workflow

  1. Using AzureServicesAuthConnectionString, the function requests an access token for the Key Vault resource from Azure Active Directory, through the managed-identity endpoint of the hosting platform.
  2. Azure Active Directory validates the user-assigned managed identity named in the connection string and, if it is valid, returns an access token.
  3. The function calls Key Vault with the access token in the Authorization header.
    1. Key Vault checks that the token was issued by Azure Active Directory for the Key Vault resource and that it has not expired.
    2. Key Vault looks up the identity carried in the token in its access policies.
  4. If the token is valid and the managed identity has permission for the requested action (for example, reading a secret), Key Vault performs it and returns the secret to the function. A rejected token produces 401 Unauthorized; a valid token for an identity without a matching access policy produces 403 Forbidden.
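
The exchange above done by hand with curl from inside the function app, added here as an example and not taken from the original article. It uses the identity endpoint that App Service and Azure Functions expose to the app through the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables (the endpoint the AppAuthentication library talks to when it sees AzureServicesAuthConnectionString) and the Key Vault REST API. The vault name, secret name and client id are assumed placeholders supplied through environment variables, and the live calls only run when IDENTITY_ENDPOINT is set and the script is started with the argument "run". The part worth studying is the status handling: 401 means the token was not accepted (step 3.1), 403 means the token is fine but the access policy is missing (step 4).

```shell
#!/bin/sh
# Added example, not from the original article: the token-and-secret exchange
# performed explicitly with curl. CLIENT_ID, KEY_VAULT and SECRET_NAME are
# assumed placeholders; IDENTITY_ENDPOINT / IDENTITY_HEADER come from the platform.
set -eu

# Step 1: the token request. Passing client_id selects the user-assigned
# identity; this is what RunAs=App;AppId=<id> does for the .NET library.
token_request_url() {
  client_id="$1"
  printf '%s?api-version=2019-08-01&resource=https://vault.azure.net&client_id=%s\n' \
    "${IDENTITY_ENDPOINT}" "$client_id"
}

# Minimal extractor for one string-valued field of a single-line JSON body.
# Sufficient for access_token and for secret values without embedded quotes;
# use jq for anything richer.
json_field() {
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Steps 1-2: exchange the identity for a bearer token scoped to Key Vault.
# The X-IDENTITY-HEADER value proves the caller runs inside this app.
get_kv_token() {
  curl -sS -f -H "X-IDENTITY-HEADER: ${IDENTITY_HEADER}" "$(token_request_url "$1")" \
    | json_field access_token
}

# Step 4: map Key Vault's answer to the step that failed.
explain_kv_status() {
  case "$1" in
    200) echo "ok: token accepted and access policy allows the operation" ;;
    401) echo "unauthorized: Key Vault rejected the token (wrong resource, expired, or not issued by Azure AD)" ;;
    403) echo "forbidden: token is valid but the identity has no matching access policy on this vault" ;;
    404) echo "not found: vault or secret name is wrong" ;;
    *)   echo "unexpected HTTP $1" ;;
  esac
}

# Step 3: call Key Vault with the bearer token and read the secret value.
get_secret() {
  vault="$1"; name="$2"; token="$3"
  body=$(mktemp)
  status=$(curl -sS -o "$body" -w '%{http_code}' \
    -H "Authorization: Bearer $token" \
    "https://${vault}.vault.azure.net/secrets/${name}?api-version=7.4")
  if [ "$status" != "200" ]; then
    explain_kv_status "$status" >&2
    rm -f "$body"
    return 1
  fi
  json_field value < "$body"
  rm -f "$body"
}

# Live run only inside a function app, where the platform provides the endpoint.
if [ -n "${IDENTITY_ENDPOINT:-}" ] && [ "${1:-}" = "run" ]; then
  token=$(get_kv_token "${CLIENT_ID:?client id of the user-assigned identity}")
  get_secret "${KEY_VAULT:?vault name}" "${SECRET_NAME:?secret name}" "$token"
fi
```

The script prints the secret value for the demonstration; a real function should hand it straight to the client that needs it and never write it to logs or traces.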

-------------

  1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
  2. https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication
  3. https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
  4. https://www.c-sharpcorner.com/article/azure-key-vault/

 

 

© QUIBIQ GmbH