Azure IAM | Azure Managed Identities | Microsoft Entra ID
AZURE IAM
Authentication: Authentication is the process of verifying the identity of a user or a system. In simpler terms, it's confirming who you are. Azure uses various methods for authentication, such as passwords, certificates, or multi-factor authentication (like using a phone or an authentication app). Once a user or system proves its identity, it gets access to Azure services or resources.
Authorization: Authorization comes after authentication. Once Azure confirms the identity of a user or system, authorization determines what actions that user or system is allowed to perform. It's like checking whether someone has permission to do something. Azure employs role-based access control (RBAC) to manage authorization, where permissions are assigned based on roles, and users or systems are assigned to those roles.
So, in simple terms, authentication verifies who you are, while authorization decides what you're allowed to do once your identity is confirmed.
-- when users want to access resources, we make use of roles, users and groups
-- when one resource wants to access another resource, we make use of managed identities and service principals
Difference between service principals and managed identities
-- if we use service principals for resources, we have to rotate their credentials ourselves at regular intervals for security
-- if we use managed identities, Azure does the secret rotation for us
Azure managed identities demo project:
-- create a resource group
-- create a storage account in that resource group
-- create a container and upload any file in it
-- create a VM
-- after the VM is created, go to the Identity option, enable the system-assigned identity and save
-- go to the storage account and add a role assignment
-- search for the Owner role and click Next
-- select Managed identity > Add members and select the VM you created
-- connect to the VM using the terminal and the commands below
ssh azureuser@<public-ip-address>   (enter the password when prompted)
-- execute the command below to fetch an access token from the instance metadata service (169.254.169.254)
access_token=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F' -H Metadata:true | jq -r '.access_token')
-- it will fail; update the package index and run the fetch command again
sudo apt update
access_token=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F' -H Metadata:true | jq -r '.access_token')
-- it will ask you to install jq; install jq and run the fetch command again
sudo apt install jq
-- run the echo command to display the access token
echo "$access_token"
-- access the blob from the VM
curl "https://$storage_account_name.blob.core.windows.net/$container_name/$blob_name" -H "x-ms-version: 2017-11-09" -H "Authorization: Bearer $access_token"
note: replace the storage account, container and blob names with your own
curl "https://iamdemoys.blob.core.windows.net/test/01-virtualization.md" -H "x-ms-version: 2017-11-09" -H "Authorization: Bearer $access_token"
-- when you execute the above command, the contents of the blob file are displayed
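The same flow as the demo above, written as an added Python example (not part of the original notes): it builds the IMDS token URL exactly as the curl command does, reads the `access_token` field from the JSON reply, and then sends the blob GET with the same `x-ms-version` and `Authorization: Bearer` headers. It adds the check a practitioner wants before reusing a token that was just echoed to a terminal: decoding the JWT payload to confirm the `aud` claim matches the resource requested and reading `exp` to see how long the token stays usable (the signature itself is verified by the storage service, not here). The `fetch` callable, `make_demo_token`, the fake responses and the blob contents are constructed for this example so it runs off the VM; on the VM, calling `fetch_access_token()` and `read_blob()` without a `fetch` argument performs the real HTTP requests. Note that data-plane access to blobs is governed by the Storage Blob Data roles, and Storage Blob Data Reader is the least-privilege choice for the read shown in the demo.

```python
"""Added example (not from the original notes): managed-identity token flow
with a claims sanity check.  `fetch`, `make_demo_token` and the fake responses
are assumptions made for this example."""
import base64
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_RESOURCE = "https://storage.azure.com/"


def imds_token_url(resource=STORAGE_RESOURCE, api_version="2018-02-01"):
    """Build the IMDS URL from the demo; urlencode percent-encodes the resource as the notes do."""
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    return f"{IMDS_TOKEN_ENDPOINT}?{query}"


def _http_get(url, headers):
    """Real HTTP GET, used when no fake `fetch` is supplied (only works on the VM)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def fetch_access_token(fetch=None):
    """Ask IMDS for a token; the Metadata: true header is mandatory (the demo's -H Metadata:true)."""
    fetch = fetch or _http_get
    body = fetch(imds_token_url(), {"Metadata": "true"})
    return json.loads(body)["access_token"]


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode the JWT payload only; no signature check (the resource server does that)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token(access_token, expected_aud=STORAGE_RESOURCE, now=None):
    """Return a list of problems; empty means the token is for the right audience and not expired."""
    now = time.time() if now is None else now
    claims = token_claims(access_token)
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"audience {claims.get('aud')!r} is not {expected_aud!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def blob_url(account, container, blob):
    return f"https://{account}.blob.core.windows.net/{container}/{blob}"


def read_blob(account, container, blob, access_token, fetch=None):
    """GET the blob with the same two headers the demo's curl command sends."""
    fetch = fetch or _http_get
    headers = {"x-ms-version": "2017-11-09", "Authorization": f"Bearer {access_token}"}
    return fetch(blob_url(account, container, blob), headers)


def make_demo_token(aud, exp):
    """Constructed, unsigned JWT so the example runs offline; real tokens are signed by Entra ID."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": aud, "exp": exp, "iss": "https://sts.windows.net/<tenant-id>/"})
    return f"{header}.{payload}.signature-placeholder"


def demo():
    """Offline walk-through: a fake fetch stands in for IMDS and for the blob endpoint."""
    now = 1_700_000_000
    token = make_demo_token(STORAGE_RESOURCE, now + 3600)
    responses = {  # constructed replies; the blob body is made up for this example
        imds_token_url(): json.dumps({"access_token": token, "expires_in": "3600", "token_type": "Bearer"}),
        blob_url("iamdemoys", "test", "01-virtualization.md"): "# Virtualization\n",
    }

    def fake_fetch(url, headers):
        # IMDS refuses requests without Metadata: true; storage refuses requests without a bearer token.
        if url.startswith(IMDS_TOKEN_ENDPOINT) and headers.get("Metadata") != "true":
            raise PermissionError("IMDS: missing Metadata header")
        if url.startswith("https://") and not headers.get("Authorization", "").startswith("Bearer "):
            raise PermissionError("storage: missing bearer token")
        return responses[url]

    got = fetch_access_token(fetch=fake_fetch)
    problems = check_token(got, now=now)
    if problems:
        raise RuntimeError("; ".join(problems))
    return read_blob("iamdemoys", "test", "01-virtualization.md", got, fetch=fake_fetch)


if __name__ == "__main__":
    print(demo(), end="")
```

The `fetch` parameter is the only seam between the offline demo and the real VM: everything else (URL, headers, JSON field, claim names) is what the curl commands above exercise.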