System managed Identity to Azure VM

Amar-Azure-Practice 661 Reputation points
2021-03-13T17:04:24.587+00:00

Hi

I have an Azure VM, and we deployed a REST-based service on IIS in the VM.

This REST service needs to access Key Vault in Azure. We enabled a system-assigned identity for the Azure VM.

If we give permission to this system-assigned identity to read keys from Key Vault, is that sufficient, or does the web application running on IIS in the VM also need to be given access?

My understanding is that if we give permission to the system-assigned identity at the VM level, all the services running in the VM will have the same system-assigned identity.

Azure Virtual Machines

1 answer

  1. shiva patpi 13,171 Reputation points Microsoft Employee
    2021-03-14T04:36:12.743+00:00

    Hello @Amar-Azure-Practice,
    Thanks for your query! If the VM is enabled with a system-assigned managed identity, all the services running on it should be able to authenticate using the same identity token provided by Azure Instance Metadata. But if any piece of code/application is trying to retrieve secrets from Key Vault, you will have to grant your code/application access to the specific secret or key in Key Vault by using the Access policies section of the Key Vault in the Azure portal.
    In the Key Vault -> Access Policies -> Add Policy -> Key Management

    How Managed Identity works:
    https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm
    More significantly check out :
    https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm#system-assigned-managed-identity

    If the above information helps out, please make sure to "Upvote and Accept the Answer".

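As an added example (not code from the question or the answer above), here is the flow the answer describes, written in Python rather than the IIS application's own stack so that the raw HTTP calls are visible: a process on the VM asks the Azure Instance Metadata Service (IMDS) for a token with no credential of its own, decodes the token to see which identity it represents, and presents it to Key Vault. The vault URL, the secret name, the fake JWT and the offline stand-in for IMDS and Key Vault are constructed for the demo; the IMDS endpoint, its mandatory `Metadata: true` header, the `api-version` values and the Key Vault REST shape are the documented ones.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Documented endpoints/versions.  IMDS is reachable only from inside the VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KV_RESOURCE = "https://vault.azure.net"
KV_API_VERSION = "7.3"

# Assumed (hypothetical) vault and secret used by the demo.
VAULT_URL = "https://contoso-kv.vault.azure.net"
SECRET_NAME = "db-password"


def http_get(url, headers):
    """Plain GET returning (status, body); replace with a stub to run offline."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def get_imds_token(resource=KV_RESOURCE, fetch=http_get):
    """Token for `resource` from the VM's own identity.  No secret is sent: IMDS
    trusts that the request comes from inside this VM, so every local process
    (the IIS app pool, a scheduled task, an attacker's shell) gets the same one."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    # 'Metadata: true' is required; IMDS rejects requests without it, which keeps
    # a browser or an open redirect from being steered into this endpoint.
    status, body = fetch(f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"})
    if status != 200:
        raise RuntimeError(f"IMDS returned {status}: {body}")
    return json.loads(body)["access_token"]


def token_identity(access_token):
    """Decode the JWT payload (display only, signature NOT verified).  'oid' is
    the object id you grant in the vault's access policy; 'aud' must be Key Vault."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return {"oid": claims.get("oid"), "appid": claims.get("appid"), "aud": claims.get("aud")}


def get_secret(vault_url, secret_name, access_token, fetch=http_get):
    """Read one secret.  403 = token valid but no 'Get' permission in the policy."""
    url = f"{vault_url}/secrets/{urllib.parse.quote(secret_name)}?api-version={KV_API_VERSION}"
    status, body = fetch(url, {"Authorization": f"Bearer {access_token}"})
    if status == 403:
        raise PermissionError(f"identity lacks 'Get' permission on secret {secret_name!r}")
    if status != 200:
        raise RuntimeError(f"Key Vault returned {status}: {body}")
    return json.loads(body)["value"]


# --- Constructed offline stand-ins for IMDS and Key Vault (not real responses) ---
def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

FAKE_OID = "11111111-2222-3333-4444-555555555555"
FAKE_APPID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
FAKE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps({"aud": KV_RESOURCE, "oid": FAKE_OID, "appid": FAKE_APPID}).encode()),
    _b64url(b"fake-signature"),
])


def fake_fetch(url, headers):
    """Mimics IMDS plus a vault whose access policy grants 'Get' on SECRET_NAME only."""
    path = url.split("?", 1)[0]
    if path == IMDS_TOKEN_URL:
        if headers.get("Metadata") != "true":
            return 400, json.dumps({"error": "invalid_request",
                                    "error_description": "Required metadata header not specified"})
        return 200, json.dumps({"access_token": FAKE_TOKEN, "token_type": "Bearer",
                                "resource": KV_RESOURCE})
    if path.startswith(f"{VAULT_URL}/secrets/"):
        if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
            return 401, json.dumps({"error": {"code": "Unauthorized"}})
        if path == f"{VAULT_URL}/secrets/{SECRET_NAME}":
            return 200, json.dumps({"value": "s3cr3t-value", "id": f"{path}/0123"})
        return 403, json.dumps({"error": {"code": "Forbidden"}})
    return 404, ""


def demo(fetch=fake_fetch):
    """Full flow: token from IMDS -> identify the caller -> read the secret."""
    token = get_imds_token(fetch=fetch)
    ident = token_identity(token)
    value = get_secret(VAULT_URL, SECRET_NAME, token, fetch=fetch)
    return ident, value


if __name__ == "__main__":
    ident, value = demo()  # offline stand-in; pass fetch=http_get on a real VM
    print(ident["oid"], value)
```

On the VM itself, `demo(fetch=http_get)` performs the real calls. The check worth doing before touching the access policy is to compare the `oid` printed from the token with the VM's principal id (`az vm identity show --name <vm> --resource-group <rg> --query principalId`): that object id, not the IIS application, is what the Key Vault access policy is granted to. Because every process on the VM can obtain the same token, grant that identity only the permissions the REST service needs; the 403 the stand-in returns for any other secret is the expected outcome, not an error to work around.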