Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Use a Azure VM system assigned managed identity to access Azure Key Vault

While working one of the Azure project, I had a requirement to implement System Assigned Managed Identity to access Azure key vault secret programatically on Azure virtual machine inside the code without azure login. In my earlier written articles, to retrieve secret password from Azure Key Vault I was first logging in to Azure using username password, but I can bypass the Azure login to get Key vault secret with help of system assigned manage identity (It work as same as Service Account on the windows system). In below two parts I have created and configured Azure Key Vault and Virtual Machine ahead of the time with all default settings.

Part 1: Working With Azure Key Vault Using Azure PowerShell and AzureCLI
Part 2: Create a Virtual machine on Microsoft Azure
Part 3: Use a Azure VM system assigned managed identity to access Azure Key Vault

To configure system assigned managed identity navigate to Virtual Machine then go to Identity from left pane. A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of the resource in my example it is tied to the Azure virtual machine name vm01 (If I delete VM this account principal will also be deleted). I can grant permissions to the managed idneity by using Azure role-based access control (Azure RBAC). It is authenticated with Azure AD, so I don't have to store any credential inside my codes.

Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, you can control its access to other services like key vault and storage accounts. On the Status toggle to On (color changes from sky blue to purple) and click Save button.

There's a popup box appears while save - Enable system assigned managed identity. 'vm01' will be registered with Azure Active Directory. Once it is registered, 'vm01' can be granted permissions to access resources protected by Azure AD. Do you want to enable the system assigned managed identity for 'vm01'? press Yes.

Microsoft azure portal Virtual Machine Identity System assigned User assigned enable key vault status on configuration deployment granted permissions access resource group subscription.png

There is unique identifier id is assigned to this VM resource, when it’s registered with Azure Active Directory. Azure RBAC roles assigned to this managed identity that you have permissions to read.

Microsoft azure portal virtual machine identity system assigned managed identity azure rbac azure role-based access contorl azure AD object id Permissions Azure role assignments key vault secret.png

Be careful when making changes to the access settings for the managed identity because it can result in failures. Click + Azure role assignments to provide access on the Key Vault resources.

Microsoft Azure add Role assignments virtual machine subscription resource group permission to read key vault system managed identity service account principal.png

On the Add role assignment (Rbac: Role-Based Access Control) I will select Key Vault as resource Scope (Scope is a set of resources that the role assignment applies to. Scope has levels that are inherited at lower levels. For example, if you select a subscription scope, the role assignment applies to all resource groups and resources in the subscription), Provide Subscription, In the Resource select Key Vault Name from drop down list. In the last choose Role as Reader (A role is a collection of permissions. Select a role to assign to this managed identity.) and click Save. (Just to note if this identity has role assignments that you don't have permission to read, they won't be shown in the list)

Microsoft Azure Add role assignment preview scope key vault subscription sponsered resource group role Reader key vault rbac role based access control permissions user system assigned identity.png

This is just an example where to find System Assigned identity under, Azure Active Directory >> Enterprise applications >> Application type - Managed Identities >> Apply filter. 

Microsoft azure active directory azuread aad enterprise applications all applications visibility system managed identity virtual machine application proxy object id user assigned identity key vault application ID.png

Go to Key Vault service resource. In previous, I have provided RBAC role on the Key Vault. Next configure Add Access policies and select Add VM name in the Principal. Both Virtual Machine and Key Vault is configured.

Microsoft Azure key vault azure active directory aad azuread secret add access policies application permissions rbac secret permissions template configuration service principal selected users.png

Now to access Key Vault Secret on the Azure Virtual Machine, I will login on to the VM, Open powershell and fire below commands. Here the url start with 169.254.159.254 is a special url provided by Azure, it will provide access token to connect azure if you have correct permissions on the azure resource entities or subscriptions. 

This way I can use Azure Resources Key/Secret/Password (ie: Storage account/ database etc) and store them inside on the KeyVault. My apps can easily fetch/retrive the secret from Key Vault so no hardcore password value I need to write inside the my application code/script. This is all programatically done.

$env:COMPUTERNAME; $env:USERNAME
$response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -Method GET -Headers @{Metadata="true"}
$response.access_token
$result = Invoke-RestMethod -Uri https://vcloud02vault.vault.azure.net/secrets/RootSecret/03d6fd62056a4790a8982b1a75f320f8?api-version=7.1 -Headers @{"Authorization" = "Bearer $($response.access_token)"}
$result | select id, value, contentType

Microsoft Azure key vault system managed identity Virtual Machine Powershell ISE Invoke-RestMethod 169.254.169.264 https access_token header bearer token uri vault.azure.net secret managent identifier id.png

Download this script here or it is also available on github.com.

System-assiged managed identity is also called MSI in short. When you configure it on VM, If you MSI has access on Azure subscription or resources they can directly login on the Azure. Login to the Azure VM, Use below login connect command with Identity parameter to bypass password.

Connect-AzAccount -Identity

Get-Resources

Microsoft Azure Powershell Az module account and resources az.account az.resources Connect-azaccount -identity Get-AzResource resourcegrup MSI system assigned identity.png

Useful Articles
Create an Azure App registrations in Azure Active Directory using PowerShell & AzureCLI
Connect-AzureAD: One or more errors occurred. Could not load type 'System.Security.Cryptography.SHA256Cng'
Use Key Vault secret identifier url to get the secret value using Powershell
Working With Azure Key Vault Using Azure PowerShell and AzureCLI
Create key vault and secrets with access policies in Microsoft Azure
Creating a new user in Azure AD using oneliner PowerShell and Azure CLI
How to switch to other Azure AD tenant using PowerShell and Azure CLI

Go Back

Comment

Blog Search

Page Views

5571299

Follow me on Blogarama