Cloud Service authentication Azure SQL and Keyvault using Managed Identity

Glenn Moseley 0 Reputation points
2024-10-29T13:44:28.12+00:00

I'm re-architecting our application and I have selected a Cloud Service worker role to house a part of the application which runs background jobs.

We have been using managed service identities a lot when authenticating our application services against the resources they need (keyvaults, databases, storage etc). I wanted to use the managed identity feature to authenticate the Cloud Service deployments against the keyvaults and databases it needs to access.

However, it seems that Cloud Services don't presently support managed identities.

  • Is this something that is in the pipeline?
  • Are there any alternative methods to authenticate against these services without reverting to credentials?

3 answers

  1. Glenn Moseley 0 Reputation points
    2024-10-29T15:56:41.4466667+00:00

    I have figured out an alternative which is a bit of a pain to manage but it achieves what I need.

    Here are the steps I followed, if anyone needs a rough guide:

    1. Register your Cloud Service (Extended Support) as an application in Entra, e.g. CloudService1.
    2. Create a self-signed certificate on your local machine, export the .cer without the private key and upload it to the application you created in step 1.
    3. Use the name of your application to assign permissions to the Azure services you require. For me this was the database (CREATE USER [CloudService1] FROM EXTERNAL PROVIDER) and the keyvault through RBAC.
    4. Navigate to, or create, a keyvault to store the certificate for your cloud service. Import the pfx using the private key.
    5. Next you need to link this to your Cloud Service; you do this through the ARM template by adding a section to osProfiles/secrets:
    {
      "sourceVault": {
        "id": "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.KeyVault/vaults/<VAULT_NAME>"
      },
      "vaultCertificates": [
        {
          "certificateUrl": "<SECRET_IDENTIFIER_OBTAINED_BY_CLICKING_ON_THE_SECRET_IN_THE_KEYVAULT>"
        }
      ]
    }

    6. After you have deployed with this ARM template addition the certificate should show. If you have everything working your Cloud Service should have access like any other Managed Identity application.

    Would still be interested to know if it's in the pipeline though, as it would be easier to manage rather than doing all this for each Cloud Service.

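Once the certificate from step 5 is installed on the role instance, the worker code still has to present it to Entra to get tokens. The following C# is an added example, not code from Glenn's post or from Microsoft, showing how a worker role could authenticate to Azure SQL and Key Vault with that certificate via Azure.Identity's ClientCertificateCredential. It assumes the certificate is installed into the LocalMachine\My store (where Cloud Services place vaultCertificates) and that tenant ID, client ID, thumbprint, vault URI, server and database names are placeholders supplied from role configuration.

```csharp
// Added example (not from the original thread): authenticate a Cloud Service (extended support)
// worker role to Azure SQL and Key Vault with the certificate installed by osProfile/secrets,
// so no client secret or password is embedded anywhere.
// NuGet packages: Azure.Identity, Azure.Security.KeyVault.Secrets, Microsoft.Data.SqlClient
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Data.SqlClient;

public static class CertificateAuth
{
    // Placeholders: read these from role configuration; none of them is a secret.
    const string TenantId   = "<TENANT_ID>";
    const string ClientId   = "<APP_ID_OF_CloudService1>";
    const string Thumbprint = "<CERT_THUMBPRINT>";

    // Assumption: Cloud Services install vaultCertificates into LocalMachine\My.
    static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false so the self-signed certificate from step 2 is still returned.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not in LocalMachine\\My; check the ARM secrets section.");
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("No private key; the .pfx (not the .cer) must be imported into Key Vault.");
            return found[0];
        }
    }

    public static TokenCredential CreateCredential()
        => new ClientCertificateCredential(TenantId, ClientId, LoadCertificate(Thumbprint));

    // Key Vault: the app registration needs an RBAC role such as Key Vault Secrets User (step 3).
    public static string ReadSecret(TokenCredential cred, string vaultUri, string secretName)
        => new SecretClient(new Uri(vaultUri), cred).GetSecret(secretName).Value.Value;

    // Azure SQL: present an Entra access token; the DB user was created FROM EXTERNAL PROVIDER (step 3).
    public static SqlConnection OpenSql(TokenCredential cred, string server, string database)
    {
        var scopes = new[] { "https://database.windows.net/.default" };
        var token = cred.GetToken(new TokenRequestContext(scopes), default);
        var conn = new SqlConnection($"Server=tcp:{server},1433;Database={database};Encrypt=True;");
        conn.AccessToken = token.Token;
        conn.Open();
        return conn;
    }
}
```

If the thumbprint lookup fails after deployment, compare the thumbprint of the certificate shown on the Cloud Service with the one in role configuration before suspecting the Entra side.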

  2. Sina Salam 12,001 Reputation points
    2024-10-29T16:13:19.9933333+00:00

    Hello Glenn Moseley,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to know more on Cloud Service authentication with Azure SQL and Keyvault using Managed Identity.

    You're correct! Azure Cloud Services (classic) currently do not support managed identities. As for whether this feature is in the pipeline, there hasn't been any official announcement from Microsoft regarding future support for managed identities in Azure Cloud Services (classic) - https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-faq

    Meanwhile, there are some alternative methods to authenticate your Cloud Service deployments against Key Vaults and databases without using credentials:

    1. You can create a service principal in Azure Active Directory and use it to authenticate your Cloud Service, which avoids embedding credentials directly in your code.
    2. Store your secrets (like database connection strings) in Azure Key Vault and access them securely from your Cloud Service. While this still requires some form of authentication (like a service principal), it centralizes and secures your secrets.
    3. If possible, consider using other Azure services that do support managed identities, such as Azure Functions, Azure App Services, or Azure Kubernetes Service (AKS). These services can run background jobs and support managed identities for secure authentication.
    4. You can also integrate OpenID Connect (OIDC) to handle authentication and authorization with Azure Key Vault using managed identity; check out this article - https://techcommunity.microsoft.com/t5/microsoft-developer-community/using-keycloak-with-azure-ad-to-integrate-aks-cluster/ba-p/4174238

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.


  3. Sina Salam 12,001 Reputation points
    2024-10-29T16:25:19.52+00:00

    Hello Glenn Moseley,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

    Issue: Cloud Service authentication Azure SQL and Keyvault using Managed Identity

    Error Message: none

    Solution: Customer has done the following:

    1. Register your Cloud Service (Extended Support) as an application in Entra, e.g. CloudService1.
    2. Create a self-signed certificate on your local machine, export the .cer without the private key and upload it to the application you created in step 1.
    3. Use the name of your application to assign permissions to the Azure services you require. For me this was the database (CREATE USER [CloudService1] FROM EXTERNAL PROVIDER) and the keyvault through RBAC.
    4. Navigate to, or create, a keyvault to store the certificate for your cloud service. Import the pfx using the private key.
    5. Next you need to link this to your Cloud Service; you do this through the ARM template by adding a section to osProfiles/secrets:
    {
      "sourceVault": {
        "id": "/subscriptions/<SUB_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.KeyVault/vaults/<VAULT_NAME>"
      },
      "vaultCertificates": [
        {
          "certificateUrl": "<SECRET_IDENTIFIER_OBTAINED_BY_CLICKING_ON_THE_SECRET_IN_THE_KEYVAULT>"
        }
      ]
    }

    NB: After you have deployed with this ARM template addition the certificate should show. If you have everything working your Cloud Service should have access like any other Managed Identity application.

    Interest: To know if it's in the pipeline though as it would be easier to manage rather than doing all this for each Cloud Service.
