Quick spin: Azure Managed Identity on non-Azure VMs with Azure ARC and the Node.js runtime

I recently saw a cool demo by John Patrick (Twitter: @AzureAndChill). The demo was about using Managed Identities on non-Azure VMs. Immediately after seeing the demo I decided I should take the feature for a spin in my local Node.js apps.

… Let me say this is a total game changer for local development scenarios! 🙂

Background

For those who are interested in Azure ARC generally, I recommend checking the Microsoft docs article and Jussi's short post about spinning it up on a bunch of VMs.

The short version is that Azure ARC extends Azure's management plane to resources in any other cloud or location that has sufficient outbound connectivity to Azure, so the resource gets an Azure resource ID, RBAC, policy and, as used here, a managed identity.

  • Personally I think Azure ARC is one of the services that sets Microsoft's Azure apart from other big cloud vendors by bringing an unrivalled Hybrid Cloud solution for management, identity and security features
Figure: Azure Arc management control plane diagram (source: https://docs.microsoft.com/en-us/azure/azure-arc/overview)

Testing notes: Managed Identities on non-Azure VM’s

High-level overview

Now that the formalities are out of the way, let's get into the business of setting the feature up.

  • As this is a "quick spin" type of blog post, I am just adding some of the key notes.
  • The session I referred to at the top of this blog contains more info, which I recommend checking before proceeding with any testing based on these notes.

Enroll the VM into Azure ARC

  • This includes running the onboarding script on the VM, which installs the Azure Connected Machine agent
  • After the VM is enrolled it shows up in Azure as an Azure ARC enabled server with a system-assigned managed identity

Grant the VM's managed identity access to an Azure resource it should consume

  • I decided to use Azure Key Vault, as it's the kind of classic thing I want to use managed identities for

Node.js: check that the ARC VM can get tokens from Azure AD

Check! The app can get access tokens from Azure AD.

Node.js code snippet for the token-fetching part. The Azure Connected Machine agent serves an IMDS-compatible endpoint on 127.0.0.1:40342 (also exported as the IDENTITY_ENDPOINT environment variable). The first request deliberately carries no credentials and is answered with 401 and a WWW-Authenticate: Basic realm=<path> header that names a key file under C:\ProgramData\AzureConnectedMachineAgent\Tokens (readable only by local administrators on Windows, root and the himds group on Linux). The second request presents that file's contents as a Basic credential and gets the access token back. That file-system check is what stops an unprivileged process on the box from minting tokens as the machine's identity.

const rq = require('request') // note: the request package is deprecated but still works
const fs = require('fs')

// Arc agent endpoint; the resource is the audience we want in the token.
const endpoint = 'http://127.0.0.1:40342/metadata/identity/oauth2/token'
    + '?api-version=2020-06-01&resource=' + encodeURIComponent('https://vault.azure.net')

function getArcMSItoken() {
    return new Promise((resolve, reject) => {
        // 1) Unauthenticated call: the agent answers 401 with
        //    "WWW-Authenticate: Basic realm=<path to key file>".
        rq.get({ uri: endpoint, headers: { metadata: true } }, (error, response) => {
            if (error) return reject(error)
            const challenge = response.headers['www-authenticate'] || ''
            const match = challenge.match(/Basic realm=(.+)/)
            if (response.statusCode !== 401 || !match) {
                return reject(new Error(`unexpected challenge: ${response.statusCode} ${challenge}`))
            }
            // 2) Read the key file named in the challenge. This only succeeds for
            //    local administrators (root/himds on Linux), by design.
            let key
            try {
                key = fs.readFileSync(match[1].trim().replace(/^"|"$/g, ''), 'utf8').trim()
            } catch (e) {
                return reject(e)
            }
            // 3) Repeat the call with the key as a Basic credential.
            rq.get({
                json: true,
                uri: endpoint,
                headers: { metadata: true, Authorization: `Basic ${key}` }
            }, (error, response) => {
                if (error) return reject(error)
                if (response.statusCode !== 200) {
                    return reject(new Error(`token request failed: ${response.statusCode}`))
                }
                // { access_token, expires_on, resource, token_type, ... }
                resolve(response.body)
            })
        })
    })
}

module.exports = {
    getArcMSItoken
}

Results for calling Azure Key Vault from the developer app

  • Shows the app signed in as the managed identity
  • Shows the secrets listed from the Key Vault
A small example of getArcMSItoken() in action

Key Vault logs for the objects accessed by the managed identity from the Azure ARC enabled server

In Azure Key Vault Analytics you can see the log entries for the managed identity: each operation (for example SecretList or SecretGet) is recorded together with the caller's identity claims, so you can verify that the calls from the developer app really came in as the ARC machine's identity and not as a user.

Further references

https://docs.microsoft.com/en-us/azure/azure-arc/servers/security-overview#using-a-managed-identity-with-arc-enabled-servers
