What is Azure Managed Identity? System-Assigned vs. User-Assigned

Service Principals (SPs) on Azure used to be one of the most common ways to authenticate your code/app to Azure. The problem with SPs is that you need a client ID and a client secret to authenticate. That is problematic because those credentials end up in your code or configuration, where they can be exposed, which is a security risk you may not want to take.

What is an Azure Managed Identity and how does it work?
Managed Identity was introduced on Azure to solve the problem explained above. Behind every Managed Identity there is a Service Principal which is automatically created with a client ID and an object ID.

The information about this Managed Identity and its associated SP is registered with a central backend service on Azure called the Instance Metadata Service (IMDS). All you need to do is assign your Managed Identity to the service instance (for example, a Virtual Machine) that is going to use it. This assignment is also registered with IMDS.

Now in the scenario above, to authenticate your code/app running on your virtual machine and get access to a certificate stored on an Azure Key Vault, all you need to do on your Key Vault is grant your Managed Identity the needed RBAC permission.

In your code, you first get a token from IMDS and then use this token to access your Key Vault. Getting the token does not require you to provide any credentials, because IMDS recognizes the Virtual Machine's Managed Identity and issues the token for it. For a tutorial on how this is done you can see this document from Microsoft Docs.
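The two-step flow just described, as an added example that is not from the original post or from Microsoft's SDKs: the first function builds the token request to the IMDS endpoint (the `169.254.169.254` address, the `api-version=2018-02-01` query parameter and the mandatory `Metadata: true` header are the documented IMDS interface; no client secret appears anywhere), the second parses the token response and decides whether the token is still safe to reuse, and the third builds the Key Vault request that carries the token as a Bearer header. The `client_id` parameter is how you pick a user-assigned identity; leave it out for the system-assigned one. The vault name, certificate name and the JSON token body are constructed sample values, and `fetch_json` only runs when you execute the script on an Azure VM.

```python
"""Get a token from IMDS with a Managed Identity, then call Key Vault with it."""
import json
import time
import urllib.parse
import urllib.request

# Documented IMDS token endpoint; reachable only from inside the VM.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "7.4"


def build_imds_token_request(resource=KEY_VAULT_RESOURCE, client_id=None):
    """Return (url, headers) for the IMDS token request.

    Nothing secret is sent: IMDS identifies the caller by the VM it runs on.
    ``client_id`` selects a user-assigned identity; omit it to use the VM's
    system-assigned identity. IMDS rejects requests without ``Metadata: true``,
    so a plain redirect cannot be used to reach the endpoint.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    return url, {"Metadata": "true"}


def parse_token_response(body, now=None, skew_seconds=300):
    """Parse the JSON IMDS returns and flag whether the token is still usable.

    ``expires_on`` is a Unix timestamp; we refresh ``skew_seconds`` before it so
    a token never reaches Key Vault already expired.
    """
    doc = json.loads(body)
    expires_on = int(doc["expires_on"])
    now = time.time() if now is None else now
    return {
        "access_token": doc["access_token"],
        "token_type": doc["token_type"],
        "resource": doc["resource"],
        "expires_on": expires_on,
        "usable": expires_on - now > skew_seconds,
    }


def build_key_vault_request(vault_name, certificate_name, token):
    """Return (url, headers) for reading one certificate from Key Vault."""
    url = (
        f"https://{vault_name}.vault.azure.net/certificates/"
        f"{urllib.parse.quote(certificate_name)}?api-version={KEY_VAULT_API_VERSION}"
    )
    return url, {"Authorization": f"Bearer {token['access_token']}"}


def fetch_json(url, headers):
    """Perform a GET and decode the JSON body (network call, VM only)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


# Constructed sample of what IMDS returns; the token value is a placeholder.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "CONSTRUCTED.SAMPLE.TOKEN",
    "expires_in": "3600",
    "expires_on": "1700003600",
    "resource": KEY_VAULT_RESOURCE,
    "token_type": "Bearer",
    "client_id": "00000000-0000-0000-0000-000000000000",
})


if __name__ == "__main__":
    # Real flow when run on an Azure VM: no credential is configured anywhere.
    url, headers = build_imds_token_request()
    token = parse_token_response(json.dumps(fetch_json(url, headers)))
    kv_url, kv_headers = build_key_vault_request("example-vault", "my-cert", token)
    print(fetch_json(kv_url, kv_headers))
```

Note that the RBAC grant on the Key Vault is what decides whether the second request succeeds: the token proves which identity is calling, and Key Vault still checks what that identity is allowed to do.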

System-Assigned Managed Identity vs. User-Assigned Identity
They work the same way. The only difference is lifecycle: if you enable a System-Assigned Managed Identity on an Azure resource, the Managed Identity is created automatically and assigned to that resource, and it is deleted when you delete the resource.

A User-Assigned Managed Identity is created manually and likewise manually assigned to an Azure resource. Its lifecycle is NOT tied to the lifecycle of the Azure resource it is assigned to. That means if the Azure resource is deleted, the User-Assigned Managed Identity is not deleted from Azure, and it can be shared by several resources.
