AAD Azure ARC managed identities

Quick spin: Azure Managed Identity on non-Azure VM’s with Azure ARC and Node.JS Runtime

I saw recently cool demo by John Patrick (Twitter: @AzureAndChill) – The demo was about using Managed Identity’s on non-Azure VM’s. Immediately after seeing the demo decided I should take the feature for a spin in my Local NodeJS apps.

… Let me say this is a total game changer for local development scenarios! 🙂

Background

For those who are interested about Azure ARC generally, I recommend checking docs@msft article, and Jussi’s short post about spinning it up on bunch of VM’s.

Short version is that Azure ARC can extend resources manageable from Azure to any other cloud or location, which have sufficient connectivity to Azure.

  • Personally I think Azure ARC is one of the services that sets Microsoft’s Azure apart from other big cloud vendors by bringing unrivalled Hybrid Cloud solution for management, identity and security features
Azure Arc management control plane diagram
https://docs.microsoft.com/en-us/azure/azure-arc/overview

Testing notes: Managed Identities on non-Azure VM’s

High level non detailed overview

Now that the formalities are out of the way, lets get into the business of setting the feature up.

  • As this is a ”quick spin” type blog I am just adding some of the key notes.
  • session I referred in the top of this blog contains more info, which I recommend checking before proceeding with any testing based on these notes

Enroll the VM into Azure ARC

  • This includes running the installation script in the VM
  • After the VM is enrolled it will show up on Azure ARC

Add the Managed Identity of VM to some consumable Azure Resource

  • I decided to use Azure Key Vault, as its kind of classic thing where I want to use managed identities for

NodeJS: Check that ARC VM can get tokens from Azure AD

Check! The app can get Access Tokens from Azure

NodeJS Code snippet for the part fetching tokens

const rq = require('request')
const fs = require('fs')
function getArcMSItoken() {
    return new Promise((resolve, reject) => {
        var options = {
            uri: "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2020-06-01&resource=https://vault.azure.net&api-version=2019-08-01",
            headers: {
                metadata: true
            }
        }
        rq(options, (error, response) => {
            //console.log(response.body)
            var msipath = 'C:/ProgramData/AzureConnectedMachineAgent/Tokens/'
            fs.readdirSync(msipath).map(file => {
                var key = fs.readFileSync(msipath + file)
                var options = {
                    json: true,
                    uri: `http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2020-06-01&resource=https://vault.azure.net&api-version=2019-08-01`,
                    headers: {
                        metadata: true,
                        Authorization: `basic ${key}`
                    }
                }
                rq.get(options, (error, response) => {
                    return resolve(response.body)
                })
            })
        })
    })
}
module.exports = {
    getArcMSItoken
}

Results for Calling Azure Key Vault in the developer app

  • Shows signed in as the Managed Identity
  • Shows the Secrets listed from the Key Vault
Just small example of the getArcMSItoken() in action

Key Vault logs for the accessed objects by managed identity from Azure ARC enabled Server

In the Azure Key Vault Analytics you can see the logs related to the managed Identity

Further references

https://docs.microsoft.com/en-us/azure/azure-arc/servers/security-overview#using-a-managed-identity-with-arc-enabled-servers

0 comments on “Quick spin: Azure Managed Identity on non-Azure VM’s with Azure ARC and Node.JS Runtime

Vastaa

Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:

WordPress.com-logo

Olet kommentoimassa WordPress.com -tilin nimissä. Log Out /  Muuta )

Google photo

Olet kommentoimassa Google -tilin nimissä. Log Out /  Muuta )

Twitter-kuva

Olet kommentoimassa Twitter -tilin nimissä. Log Out /  Muuta )

Facebook-kuva

Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

Muodostetaan yhteyttä palveluun %s

%d bloggaajaa tykkää tästä: