Fine tuning Key and Secret access with Managed Identities - Azure

We want to protect cloud assets by giving processes the "list privilege" possible. This can be done through a combination of identities and access policies.

Cloud assets are protected by access policies that describe the operations available to roles and identities. The Access Policies bind identities to permissions.  Application and system processes present their identity as part of resource requests and the Access Policies decide if access is granted.  Organizations can avoid creating "powerful" identities by creating multiple fine-grained identities, similar to roles.  Processes are assigned the minimum combination of identities required to access only the resources they required.  The Processes present the right identity when making a resource request. The Access Policies allow access based on the presented identity.  

The example is implemented in Microsoft Azure.  Amazon AWS has similar capabilities.

Use Case

Virtual machines can need access to overlapping sets of secrets with other machines in other roles.  By default, computing resources run with a system identity.  That determines which resources processes on that machine can reach without requiring usernames and passwords for that role. We could create a few very powerful roles that we share across machines. This would guarantee the compute resources (VMs) would have access to what they need. This violates "least privilege" where want to restrict each process to as few resources as possible.  

Computing resources can be run with multiple identities, similar to roles.  The individual identities each have a limited set of privileges.  Individual machines build up their privileges by operating with multiple identities.
The picture shows three VMs with overlapping and independent needs.  We can implement this with 3 identities, 3 secrets and 4 access policies.  

VMs run with a minimum set of identities required to access their data and messaging resources.
  • The top two VMs both need access to some database connection secret. They share an identity
  • The middle VM also needs encrypt privilege on some encryption keys so it can send a message. It has a 2nd identity.
  • The access needs of the bottom VM are merged into a single identity. bound to multiple Access Policies.  The identities should have probably be split to increase isolation.  
    • The bottom VM needs decrypt privilege on the same encryption key so it can receive and decrypt the message.
    • The bottom VM also needs access to some partner connection secret so it can send a message to another network.

Video Talk

This video walks through identities, key vaults and, permissions.  An implementation is available in https://github.com/freemansoft/ephemeral-disk-encryption-azure

Azure Resource Layout

This example contains a subscription with a single resource group
  1. The resource group contains a Key Vault, a Managed Identity, and a VirtualMachine.  
  2. The KeyVault contains a Secret and an Access Policy.  
    1. It could be any type of secret.
    2. The Access Policy describes the operations available to any request made with the Managed Identity. 
  3. The Virtual Machine has two identities, a system identity and a managed identity.  The managed identity has permissions in the KeyVault as specified by the Access Policy
  4. The image doesn't show the OAuth server used to get identity tokens required to invoke the KeyVault APIs and retrieve the secret.


Azure CLI Demonstration Code

Creating an Azure VM with multiple identities

This Azure CLI example creates a VM with two identities, one system and one user assigned. Processes on that VM can make API calls with either identity when requesting access to encryption keys and secrets.  

    vm_create_results=$( az vm create --resource-group "$resource_group" \
        --name "$vm_name" \
        --assign-identity [system] $identity_id \
        --image UbuntuLTS \
        --admin-username "$vm_admin_user" \
        --size "$vm_type" \
        --public-ip-sku Standard \
        --generate-ssh-keys )

Accessing a resource

Access a resource like a secret or encryption operation requires two API calls.  
  1. A REST call to the OAuth server to get credentials.  The OAuth request must include the identity that has access to the resource.  This is important when the VM has been assigned multiple identities.
  2. A REST call to the KeyVault to retrieve the Secret or invoke Encryption or Decryption using a key.

Azure Resources from the sample

The sample code creates a Resource Group that holds the VM, the KeyVault, and Identity that will be assigned to the VM or other computing resources.

The VM runs with multiple identities. There is a single system identity and any number of user assigned identities. This image shows that this VM has the user assigned identity we created in this resource group.

The KeyVault contains an AccessPolicy that describes the allowed operations of an identity.  This image shows that the demonstration user assigned identity has GET and List privileges on the Secrets in this KeyVault.

Related blogs and videos

Created 2021 08 09


Comments

Post a Comment

Popular posts from this blog

Understanding your WSL2 RAM and swap - Changing the default 50%-25%

Image
The Windows Subsystem for Linux operates as a virtual machine that can dynamically grow the amount of RAM to a maximum set at startup time.  Microsoft sets a default maximum RAM available to 50% of the physical memory and a swap-space that is 1/4 of the maximum WSL RAM.  You can scale those numbers up or down to allocate more or less RAM to the Linux instance. The first drawing shows the default WSL memory and swap space sizing. The images below show a developer machine that is running a dev environment in WSL2 and Docker Desktop.  Docker Desktop has two of its own WSL modules that need to be accounted for.  You can see that the memory would actually be oversubscribed, 3 x 50% if every VM used its maximum memory.  The actual amount of memory used is significantly smaller allowing every piece to fit. Click to Enlarge The second drawing shows the memory allocation on my 64GB laptop. WSL Linux defaults to a maximum RAM size of 5
Read more

Installing the RNDIS driver on Windows 11 to use USB Raspberry Pi as network attached

Image
I do a lot of my development and configuration via ssh into my Raspberry Pi Zero over the RNDIS connection. Some models of the Raspberry PIs can be configured with  gadget drivers  that let the Raspberry pi emulate different devices when plugged into computers via USB. My favorite gadget  is the network profile that makes a Raspberry Pi look like an RNDIS-attached network device.  All types of network services travel over an RNDIS device without knowing it is a USB hardware connection. A Raspberry Pi shows up as a Remote NDIS (RNDIS) device when you plug the Pi into a PC or Mac via a USB cable. The gadget  in the Windows Device Manager picture shows this RNDIS Gadget connectivity between a Windows machine and a Raspberry Pi. The Problem Windows 11 and Windows 10 no longer auto-installs the RNDIS driver that makes magic happen. Windows recognizes that the Raspberry Pi is some type of generic USB COM device. Manually running W indows Update  or  Update Driver  does  not  install the RNDI
Read more

DNS for Azure Point to Site (P2S) VPN - getting the internal IPs

Image
I wanted to access all my Azure resources without making any of them visible to the Internet.   The easiest give my local machine access to everything on my Azure Virtual Network (VNET) was to connect to it over VPN. It turns out creating Azure VPN gateways and connecting to Azure VPN endpoints is easy.  There are some subtleties in getting DNS name resolution to work that can confuse when first starting out. Setting the Stage There are a few ways to get to Azure endpoints and resources that are blocked from the internet.  We can  Create a Point-to-Site connection from our local machines to Azure Network Gateways Create a Site-to-Site network connection from our local networks to Azure Network Gateways. Use Bastion Hosts Use Cloud Shell Leave everything open to the internet. I chose a Point-to-Site (P2S) VPN connection that connects from my laptop to a VNet Gateway.  That joins my laptop
Read more