
How-to: FunctionApps to KeyVault authorization using ManagedIdentities

Centralizing the storage of application secrets in Azure Key Vault lets you control their distribution. It reduces the chance that secrets are accidentally leaked, because security information no longer has to be stored in the application or become part of its code.

For example, an application may need to connect to a database. Instead of storing the connection string in the code, it is better to store it securely in Key Vault.

To authenticate to Azure Key Vault it is possible to use a shared secret or a certificate, but these must then be stored in configuration files or code, which is itself not very secure. A more secure way to access Key Vault is to use a managed identity together with Azure AD authentication.

Configuration steps

  • To access Key Vault from a function application and read keys and secrets with a user-assigned managed identity, a user-assigned managed identity must first be created.
  • Then it must be assigned to the function application under its Identity settings, which grants the app the right to use this identity.
  • Next, under Access Policies of the Key Vault, the permissions needed to work with the Key Vault data must be granted to the user-assigned managed identity.
  • Finally, AzureServicesAuthConnectionString containing the ClientId of the user-assigned managed identity must be added to the Application settings of the function application [2].

Workflow

  1. Using AzureServicesAuthConnectionString, the function requests an authorization token from Active Directory.
  2. Active Directory validates the user-assigned managed identity received in the connection string and, if validation succeeds, sends an authorization token in response.
  3. The function sends a request with the authentication token to Key Vault.
    1. Key Vault automatically sends a request to Active Directory to validate the token.
    2. Active Directory validates the token and sends its response.
  4. If the token was successfully validated by Active Directory and the managed identity has permission for the requested action (for example reading a secret), Key Vault executes the action (sends the secret to the function).
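The following Azure Function is an added example, not code from the original post, showing the configuration and workflow above in practice. It assumes an in-process .NET Function App with the Microsoft.Azure.KeyVault and Microsoft.Azure.Services.AppAuthentication NuGet packages; AppAuthentication is the library that reads AzureServicesAuthConnectionString, and for a user-assigned identity that setting has the documented form `RunAs=App;AppId=<client id>`. The vault URL, the secret name and the function name are placeholders; they are expected in app settings, so no secret or address lives in the code.

```csharp
// Added example (not from the original post): an HTTP-triggered Azure Function that
// reads a secret from Key Vault with a user-assigned managed identity.
// Assumed packages: Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication,
// Microsoft.NET.Sdk.Functions (in-process model).
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class ReadSecretFunction
{
    // Configuration step 4 lives in the Function App's Application settings, e.g.
    //   AzureServicesAuthConnectionString = RunAs=App;AppId=<client id of the user-assigned identity>
    // The token provider reads that setting from the environment; nothing secret is in code.
    private static readonly AzureServiceTokenProvider TokenProvider = new AzureServiceTokenProvider();

    // One client for the lifetime of the process. The callback performs workflow steps 1-2:
    // it asks Azure AD for a token for the Key Vault resource on behalf of the managed identity.
    private static readonly KeyVaultClient VaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(TokenProvider.KeyVaultTokenCallback));

    [FunctionName("ReadSecret")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequest req,
        ILogger log)
    {
        // Placeholder settings (assumed names): vault base URL and the name of the secret to read.
        string vaultUrl = Environment.GetEnvironmentVariable("KEYVAULT_URL");      // e.g. https://<vault-name>.vault.azure.net/
        string secretName = Environment.GetEnvironmentVariable("DB_SECRET_NAME");  // e.g. DbConnectionString

        if (string.IsNullOrEmpty(vaultUrl) || string.IsNullOrEmpty(secretName))
        {
            log.LogError("KEYVAULT_URL or DB_SECRET_NAME is not configured");
            return new StatusCodeResult(StatusCodes.Status500InternalServerError);
        }

        try
        {
            // Workflow steps 3-4: the request carries the bearer token; Key Vault has Azure AD
            // validate it and then checks the access policy granted to the managed identity.
            SecretBundle bundle = await VaultClient.GetSecretAsync(vaultUrl, secretName);

            // The value is used here (e.g. as a database connection string) but is never
            // logged or returned to the caller; only the fact that it was fetched is reported.
            log.LogInformation("Fetched secret {SecretName} from Key Vault", secretName);
            return new OkObjectResult($"Secret '{secretName}' retrieved ({bundle.Value.Length} characters).");
        }
        catch (KeyVaultErrorException ex) when (ex.Response?.StatusCode == HttpStatusCode.Forbidden)
        {
            // The token was valid, but the access policy (configuration step 3) does not grant
            // the requested permission to this identity: workflow step 4 fails.
            log.LogError(ex, "Managed identity is not permitted to read secret {SecretName}", secretName);
            return new StatusCodeResult(StatusCodes.Status403Forbidden);
        }
        catch (AzureServiceTokenProviderException ex)
        {
            // Workflow steps 1-2 failed: typically the identity is not assigned to the
            // Function App (step 2) or the AppId in the connection string is wrong (step 4).
            log.LogError(ex, "Could not obtain an Azure AD token for Key Vault");
            return new StatusCodeResult(StatusCodes.Status500InternalServerError);
        }
    }
}
```

The two catch blocks map directly onto the two places the workflow can fail: a token-provider exception means the identity or the connection string is wrong, while a 403 from Key Vault means the token was fine but the access policy is missing the permission. Keeping them separate makes misconfiguration visible in the logs without ever exposing the secret value.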

-------------

  1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
  2. https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication
  3. https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
  4. https://www.c-sharpcorner.com/article/azure-key-vault/

 

 

© QUIBIQ GmbH · Impressum · Datenschutz