Azure IAM | Azure Managed Identities | Microsoft Entra ID

AZURE IAM

  1. Authentication: Authentication is the process of verifying the identity of a user or a system. In simpler terms, it's confirming who you are. Azure uses various methods for authentication, such as passwords, certificates, or multi-factor authentication (like using a phone or an authentication app). Once a user or system proves its identity, it gets access to Azure services or resources.

  2. Authorization: Authorization comes after authentication. Once Azure confirms the identity of a user or system, authorization determines what actions that user or system is allowed to perform. It's like checking whether someone has permission to do something. Azure employs role-based access control (RBAC) to manage authorization, where permissions are assigned based on roles, and users or systems are assigned to those roles.

So, in simple terms, authentication verifies who you are, while authorization decides what you're allowed to do once your identity is confirmed.

-- when users need access to resources, we use users, groups and roles (RBAC)

-- when one resource needs to access another resource, we use managed identities or service principals

Difference between service principals and managed identities:

-- if we use service principals for resources, we have to rotate their secrets ourselves at regular intervals for security

-- if we use managed identities, Azure rotates the secrets for us

Azure managed identities demo project:

--create a resource group

--Create a storage account in that rg

--Create a container and upload any file in it

-- Create a VM

--After the VM is created, go to the Identity option, enable the system-assigned identity and save

-- Go to the storage account and add a role assignment

-- search for the Owner role and click Next

--select Managed identity > Add members and select the VM created above

-- Connect to the VM using the terminal and the commands below

ssh azureuser@<public-ip-address> , and enter the password when prompted

-- Execute below command to fetch access token

access_token=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F' -H Metadata:true | jq -r '.access_token')

-- it will fail; update the package index and run the fetch command again

sudo apt update

access_token=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F' -H Metadata:true | jq -r '.access_token')

-- it will ask you to install jq; install jq and run the fetch command again

sudo apt install jq

-- run echo to print the access token so you can copy it

echo $access_token

-- Access the blob from VM

curl "https://$storage_account_name.blob.core.windows.net/$container_name/$blob_name" -H "x-ms-version: 2017-11-09" -H "Authorization: Bearer $access_token"

note: replace the storage account, container and blob names with your own

curl "https://iamdemoys.blob.core.windows.net/test/01-virtualization.md" -H "x-ms-version: 2017-11-09" -H "Authorization: Bearer $access_token"

-- when you execute the above command, the contents of the blob file are displayed
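The token fetch and blob read from the demo combined into one script, as an added example that is not part of the original notes: it checks the IMDS call for errors and decodes the token's payload to confirm the audience and expiry before sending it to storage. Assumptions: a Linux VM with curl, sed and base64 (jq is not needed here); storage account, container and blob names are passed as arguments; `build_unsigned_jwt` only builds a constructed sample token for offline testing of the decoder.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: fetch an IMDS token for the
# VM's system-assigned identity, check its audience and lifetime before use,
# then read a blob. Arguments (placeholders): STORAGE_ACCOUNT CONTAINER BLOB.
set -eu

IMDS_URL='http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F'

# Pull one top-level field out of a flat JSON object read from stdin (no jq needed).
json_field() { sed -n "s/.*\"$1\":\"\{0,1\}\([^\",}]*\).*/\1/p"; }

# Decode the base64url payload (second dot-separated segment) of a JWT access token.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac   # restore padding
  printf '%s' "$seg" | base64 -d
}
jwt_claim() { jwt_payload "$1" | json_field "$2"; }

# Seconds of validity left; negative means the token has already expired.
token_ttl() { echo $(( $(jwt_claim "$1" exp) - $(date +%s) )); }

# Reject a token whose audience is not storage or which is (nearly) expired, so a
# wrong "resource" parameter fails loudly here rather than as a 401 from storage.
check_token() {
  [ "$(jwt_claim "$1" aud)" = "https://storage.azure.com/" ] && [ "$(token_ttl "$1")" -gt 60 ]
}

# IMDS refuses requests without the Metadata header; --fail surfaces HTTP errors
# (e.g. when no identity is assigned to the VM) instead of yielding an empty token.
fetch_token() { curl -sS --fail --max-time 5 -H 'Metadata: true' "$IMDS_URL" | json_field access_token; }

read_blob() {  # read_blob STORAGE_ACCOUNT CONTAINER BLOB
  token=$(fetch_token)
  check_token "$token" || { echo 'token failed audience/expiry check' >&2; return 1; }
  curl -sS --fail "https://$1.blob.core.windows.net/$2/$3" \
    -H 'x-ms-version: 2017-11-09' -H "Authorization: Bearer $token"
}

# Constructed, unsigned sample token for exercising the decoder offline (not a real token).
build_unsigned_jwt() {
  printf 'eyJhbGciOiJub25lIn0.%s.sig' "$(printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')"
}

if [ $# -eq 3 ]; then read_blob "$@"; fi
```

The demo grants the VM's identity the Owner role on the storage account, which is far broader than this read requires; a data-plane read role such as Storage Blob Data Reader is enough for the blob fetch.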