On 24 November the .NET Community held a webinar, “Azure RBAC and Managed Identity”.
Speaker: Євген Павленко – Senior Software Engineer, GlobalLogic.
The talk covered what Azure RBAC (Role-Based Access Control) is and how it works, why Azure Managed Identity is needed, and how to stop using passwords and secrets when working with Azure.
Event details: https://bit.ly/3GSBvRx
Open .NET positions at GlobalLogic: https://bit.ly/3ilJYCq
Join the .NET Community on Facebook: https://www.facebook.com/groups/communitydotnet
Authentication
Authentication is the process of proving that you are who you say you are.

Authorization
Authorization is the act of granting an authenticated party permission to do something.
What is Azure Active Directory?
• Azure Active Directory (Azure AD) is a cloud-based identity and access-management solution. It helps you secure internal, external, and customer identities. (Since this talk was given, Azure AD has been renamed Microsoft Entra ID; the service, and its role as the token issuer behind managed identities, is unchanged.)
What is Azure RBAC?
• Azure role-based access control (Azure RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of resources in Azure. With Azure RBAC, you can grant the exact access that users need to do their jobs. A role assignment is the combination of a security principal (user, group, service principal or managed identity), a role definition, and a scope (management group, subscription, resource group or a single resource); Azure AD handles authentication, and RBAC decides what the authenticated principal may do.
How to connect to an Azure resource
- Azure SQL
• Connection string with credentials
Server=tcp:abc.database.windows.net,1433;Initial Catalog=demo;Persist Security Info=False;User ID={your_username};Password={your_password};
- Azure Storage
• Connection string with AccountKey (an account key grants full access to everything in the storage account)
DefaultEndpointsProtocol=https;AccountName=sa;AccountKey={AccountKey};EndpointSuffix=core.windows.net
- Service Bus
• Connection string with SharedAccessKey (RootManageSharedAccessKey is the namespace root policy with Manage, Send and Listen rights; whoever holds it controls the whole namespace)
Endpoint=sb://abc.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey={SharedAccessKey}
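The same three connections without an embedded secret, as an added example that is not code from the talk: the application authenticates with its managed identity through Azure.Identity, and each SDK presents an Azure AD token to the target service instead of a password, account key or shared access key. The server, database, account, container, blob and queue names are placeholders (taken from the strings above or made up), and the NuGet packages named in the comments are assumed.

```csharp
// Added example, not from the talk: the three connections above, rewritten so
// that no secret lives in configuration. NuGet packages assumed: Azure.Identity,
// Azure.Storage.Blobs, Azure.Messaging.ServiceBus, Microsoft.Data.SqlClient.
// Resource names (abc, demo, sa, config/app.json, demo-queue) are placeholders.
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Messaging.ServiceBus;
using Azure.Storage.Blobs;
using Microsoft.Data.SqlClient;

public static class SecretFreeConnections
{
    // One credential object serves every client. Inside Azure it resolves to the
    // managed identity of the host; on a developer machine it falls back to the
    // Azure CLI / Visual Studio sign-in, so the same code path runs in both places.
    private static readonly TokenCredential Credential = new DefaultAzureCredential();

    // Azure SQL: no User ID / Password. A token for the SQL audience is requested
    // from the credential and handed to SqlClient. The identity must exist in the
    // database first (run once as the Azure AD admin of the server):
    //   CREATE USER [my-app] FROM EXTERNAL PROVIDER;
    //   ALTER ROLE db_datareader ADD MEMBER [my-app];
    public static async Task<int> CountOrdersAsync()
    {
        const string cs = "Server=tcp:abc.database.windows.net,1433;Initial Catalog=demo;Encrypt=True;";
        var token = await Credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://database.windows.net/.default" }), default);

        await using var conn = new SqlConnection(cs) { AccessToken = token.Token };
        await conn.OpenAsync();
        await using var cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Orders", conn);
        return (int)await cmd.ExecuteScalarAsync();
    }

    // Azure Storage: no AccountKey. The SDK sends a bearer token for
    // https://storage.azure.com/.default. The identity needs a data-plane role
    // (e.g. Storage Blob Data Reader) on the account or container; Owner or
    // Contributor on the resource alone does not grant access to blob contents.
    public static async Task<string> ReadConfigBlobAsync()
    {
        var blob = new BlobClient(
            new Uri("https://sa.blob.core.windows.net/config/app.json"), Credential);
        var result = await blob.DownloadContentAsync();
        return result.Value.Content.ToString();
    }

    // Service Bus: no SharedAccessKey, so the root manage key never leaves the
    // portal. The identity needs Azure Service Bus Data Sender, which can be
    // scoped to this single queue, far narrower than RootManageSharedAccessKey.
    public static async Task SendOrderEventAsync(string body)
    {
        await using var client = new ServiceBusClient("abc.servicebus.windows.net", Credential);
        await using var sender = client.CreateSender("demo-queue");
        await sender.SendMessageAsync(new ServiceBusMessage(body));
    }
}
```

With the secret gone from configuration, the only thing left to manage per target is a role assignment (or, for Azure SQL, a contained database user) for the identity's principal. Locally, `az login` is enough for DefaultAzureCredential to pick up the developer's own identity, so nothing is copied into appsettings for either environment.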
Secrets …
• Secrets can be
- leaked or stolen
- accidentally checked into source control
- expired, taking the application down with them
• Secrets have a complicated lifecycle to manage
Examples: account keys, username/password, SAS keys, application secrets
Secrets are like a “bomb”
Managing workloads that authenticate to cloud services
With secrets: Create Azure resource → Create principal → Grant permissions → Store credentials on resource → Rotate secrets → Remove principal → Delete resource
A better way: managed identities for Azure resources
With a managed identity: Create Azure resource with managed identity → Grant permissions → Delete resource
I can use managed identities when a Source resource accesses a Target service
Source (the workload that carries the identity):
• Azure VMs
• Azure VMSS
• Azure App Service
• Azure Functions
• Azure Logic Apps
• Azure Data Factory V2
• Azure Container Instances
• Azure Kubernetes
• Azure Service Fabric
• …
Target (the service that accepts Azure AD tokens):
• Azure Key Vault
• Azure Data Lake
• Azure SQL
• Azure App Configuration
• Azure Event Hubs
• Azure IoT Hub
• Azure Service Bus
• Azure Storage blobs
• Azure Analysis Services
• …
Managed identity types
Azure resource (App Service, Function, Logic App, etc.) → Identity → identity-to-resource assignment → authentication & authorization → Azure service (Storage Account, Service Bus, etc.)
Built-in garage door remote: system-assigned managed identity
Hand-held garage door remote: user-assigned managed identity
Managed identity types
System-assigned managed identity
• Azure creates an identity in Azure AD
• Created as part of an Azure resource
• Credentials are provisioned on the instance
• Life-cycle is directly tied to the Azure service instance
User-assigned managed identity
• Azure creates an identity in Azure AD
• Created as a stand-alone Azure resource
• Identity can be assigned to one or more instances
• Life-cycle is managed separately from the life-cycle of the Azure service
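How the two types differ from the application's side, as an added example that is not code from the talk: with a system-assigned identity the code says nothing about which identity to use, because the host has exactly one; with a user-assigned identity the code must name it by client ID, because several can be attached to the same host. The client ID value and the storage scope are placeholders, and the Azure.Identity package is assumed.

```csharp
// Added example, not from the talk: selecting the identity type in code and
// requesting a token with it. Assumes the Azure.Identity NuGet package.
// The client ID below is a placeholder, not a real identity.
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class IdentitySelection
{
    // System-assigned: nothing to configure. The token endpoint injected into the
    // instance (the Instance Metadata Service on a VM, the IDENTITY_ENDPOINT /
    // IDENTITY_HEADER pair on App Service and Functions) already knows which
    // identity belongs to this host, and the credential simply asks it.
    public static TokenCredential SystemAssigned() => new ManagedIdentityCredential();

    // User-assigned: the host may carry several identities, so the app must say
    // which one it wants. Read the client ID from configuration rather than
    // hard-coding it, so one build can run with a different identity per environment.
    public static TokenCredential UserAssigned(string clientId) =>
        new ManagedIdentityCredential(clientId);

    // DefaultAzureCredential can be steered the same way (clientId == null means
    // system-assigned), which keeps local development and production on one code path.
    public static TokenCredential DefaultFor(string clientId) =>
        new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = clientId
        });

    public static async Task<AccessToken> TokenForStorageAsync(TokenCredential credential)
    {
        // The token is scoped to the target service, not to one account: what the
        // identity may actually do is decided by its RBAC role assignments at the
        // storage account or container scope, so a token alone proves nothing.
        var ctx = new TokenRequestContext(new[] { "https://storage.azure.com/.default" });
        var token = await credential.GetTokenAsync(ctx, default);

        // Tokens are short-lived and refreshed by the SDK as needed; the credential
        // that mints them never leaves the platform, so there is nothing to rotate.
        Console.WriteLine($"token expires at {token.ExpiresOn:u}");
        return token;
    }

    public static async Task Main()
    {
        var clientId = Environment.GetEnvironmentVariable("APP_IDENTITY_CLIENT_ID"); // placeholder name
        var credential = clientId is null ? SystemAssigned() : UserAssigned(clientId);
        await TokenForStorageAsync(credential);
    }
}
```

A user-assigned identity must be attached to the hosting resource, and the role assignments made on that identity's principal, before the first token request succeeds; passing a client ID that is not attached to the host fails at the identity endpoint rather than at the target service, which is the first place to look when a freshly deployed app cannot authenticate.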
How do managed identities for Azure resources work?