Fine tuning Key and Secret access with Managed Identities - Azure

We want to protect cloud assets by giving processes the "list privilege" possible. This can be done through a combination of identities and access policies.

Cloud assets are protected by access policies that describe the operations available to roles and identities. The Access Policies bind identities to permissions.  Application and system processes present their identity as part of resource requests and the Access Policies decide if access is granted.  Organizations can avoid creating "powerful" identities by creating multiple fine-grained identities, similar to roles.  Processes are assigned the minimum combination of identities required to access only the resources they required.  The Processes present the right identity when making a resource request. The Access Policies allow access based on the presented identity.  

The example is implemented in Microsoft Azure.  Amazon AWS has similar capabilities.

Use Case

Virtual machines can need access to overlapping sets of secrets with other machines in other roles.  By default, computing resources run with a system identity.  That determines which resources processes on that machine can reach without requiring usernames and passwords for that role. We could create a few very powerful roles that we share across machines. This would guarantee the compute resources (VMs) would have access to what they need. This violates "least privilege" where want to restrict each process to as few resources as possible.  

Computing resources can be run with multiple identities, similar to roles.  The individual identities each have a limited set of privileges.  Individual machines build up their privileges by operating with multiple identities.
The picture shows three VMs with overlapping and independent needs.  We can implement this with 3 identities, 3 secrets and 4 access policies.  

VMs run with a minimum set of identities required to access their data and messaging resources.
  • The top two VMs both need access to some database connection secret. They share an identity
  • The middle VM also needs encrypt privilege on some encryption keys so it can send a message. It has a 2nd identity.
  • The access needs of the bottom VM are merged into a single identity. bound to multiple Access Policies.  The identities should have probably be split to increase isolation.  
    • The bottom VM needs decrypt privilege on the same encryption key so it can receive and decrypt the message.
    • The bottom VM also needs access to some partner connection secret so it can send a message to another network.

Video Talk

This video walks through identities, key vaults and, permissions.  An implementation is available in

Azure Resource Layout

This example contains a subscription with a single resource group
  1. The resource group contains a Key Vault, a Managed Identity, and a VirtualMachine.  
  2. The KeyVault contains a Secret and an Access Policy.  
    1. It could be any type of secret.
    2. The Access Policy describes the operations available to any request made with the Managed Identity. 
  3. The Virtual Machine has two identities, a system identity and a managed identity.  The managed identity has permissions in the KeyVault as specified by the Access Policy
  4. The image doesn't show the OAuth server used to get identity tokens required to invoke the KeyVault APIs and retrieve the secret.

Azure CLI Demonstration Code

Creating an Azure VM with multiple identities

This Azure CLI example creates a VM with two identities, one system and one user assigned. Processes on that VM can make API calls with either identity when requesting access to encryption keys and secrets.  

    vm_create_results=$( az vm create --resource-group "$resource_group" \
        --name "$vm_name" \
        --assign-identity [system] $identity_id \
        --image UbuntuLTS \
        --admin-username "$vm_admin_user" \
        --size "$vm_type" \
        --public-ip-sku Standard \
        --generate-ssh-keys )

Accessing a resource

Access a resource like a secret or encryption operation requires two API calls.  
  1. A REST call to the OAuth server to get credentials.  The OAuth request must include the identity that has access to the resource.  This is important when the VM has been assigned multiple identities.
  2. A REST call to the KeyVault to retrieve the Secret or invoke Encryption or Decryption using a key.

Azure Resources from the sample

The sample code creates a Resource Group that holds the VM, the KeyVault, and Identity that will be assigned to the VM or other computing resources.

The VM runs with multiple identities. There is a single system identity and any number of user assigned identities. This image shows that this VM has the user assigned identity we created in this resource group.

The KeyVault contains an AccessPolicy that describes the allowed operations of an identity.  This image shows that the demonstration user assigned identity has GET and List privileges on the Secrets in this KeyVault.

Related blogs and videos

Created 2021 08 09


Popular posts from this blog

Understanding your WSL2 RAM and swap - Changing the default 50%-25%

Installing the RNDIS driver on Windows 11 to use USB Raspberry Pi as network attached

DNS for Azure Point to Site (P2S) VPN - getting the internal IPs