Using managed identities with logic apps

How I used managed identities with Logic Apps at Arctic Cloud Developer Challenge 2020

This is one of several posts I have planned as the aftermath of Arctic Cloud Developer Challenge 2020. I am going to explain the technologies I used to build my Voting Machine and corresponding Vote Manipulation System. In this post I'll explain how I used managed identities and how I leveraged them to improve security.

What are managed identities?


Managed identity (formerly Managed Service Identity, MSI) is an Azure AD object that is tightly coupled to a service principal: it shows up as a single object, deleting one deletes both, and it is connected to another Azure resource (such as a VM or an App Service). There are two types. A System Assigned Managed Identity (SMI) is created automatically by Azure and connected to your resource. A User Assigned Managed Identity (UMI) is an Azure resource in its own right, backed by its own service principal, and can be used by several services. The system assigned MI is deleted automatically when its resource is deleted, while the user assigned one needs to be deleted manually.

When do I use what?

It depends, but as a general rule I'll give you this: if two or more resources need the same access to the same services, use a User Assigned Managed Identity, otherwise use System Assigned. For example, if you're using both Function Apps and Logic Apps that access the same services, you can use a single user assigned identity for both of them. They are just like traditional service accounts, and you should provide your services with as little access as possible.

Why use them?

Using managed identities is a great way to avoid having to deal with credentials. Instead of providing a service with some variant of a username and password, or a certificate, to authenticate with, you create a link between a resource and a service principal, and the resource can then retrieve a valid auth token directly from Azure AD. That means no credentials in a config file, no certificates in a certificate store, and no client secrets stored in a key vault. The only way to get those credentials would be to figure out a way to hack an AAD service principal (good luck!).

Using managed identities with an Azure Logic App


Azure Logic Apps are awesome. It's a mostly point-and-click tool to get a lot of work done in a short time, and they are relatively easy to debug. It's not for complex logic, efficient processing or moving large amounts of data, but it works great for most interfacing tasks. The reason I chose Logic Apps to perform a lot of the logic was that, unlike Flow, it supports managed identities. Where Flow needs to store connector credentials and mask secret information from input/output debugging, a Logic App simply retrieves an access token on demand with a short validity period and uses that to perform the task at hand. No going into an Azure Key Vault or creating a custom connector with inbuilt security. Additionally, running a Logic App as a service principal means not having to deal with which user is going to own and run the flow.

To use a managed identity simply go into the settings for a logic app (so you need to create the resource first), then go to the identity section. Switch the status to on and hit save. Azure will create a new SMI and connect it to your app.

Using the managed identity

What I needed to do in this logic app was capture responses from an Office Forms form and post it to a custom API I had built (check out my next post on how to enable MSI to authenticate against an Azure Function). I first created a trigger for when a response came in, and then another step to retrieve the actual response (why isn't there a trigger which could retrieve the data as well? SMH).
Next I added an Azure Function action to my logic app, where I get to click and select which function app I want to call and which function I want to use.

Next I add the content body, then add a parameter for authentication. Here I select managed identity as the authentication type, and select the SMI as the managed identity I want to use. Finally I have to specify the audience, which is configured on the App Registration for the Azure Function.
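The three steps above (turn on the system assigned identity, add the Function action, set the authentication type and audience) correspond to a small amount of workflow definition. Below is an added example, written for this post and not the author's actual Voting Machine workflow, of an ARM template that deploys a Logic App with those settings. The parameter names, the `Post_to_custom_API` action name and the use of a plain HTTP Request trigger (instead of the Forms trigger, which needs a connector connection) are assumptions made to keep the template self-contained; the function resource ID and the audience value must come from your own subscription and from the Function's App Registration.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workflowName": { "type": "string" },
    "functionResourceId": {
      "type": "string",
      "metadata": {
        "description": "Placeholder: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<functionApp>/functions/<functionName>"
      }
    },
    "functionAudience": {
      "type": "string",
      "metadata": {
        "description": "Placeholder: the Application ID URI (or client ID) configured on the Function's App Registration"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2019-05-01",
      "name": "[parameters('workflowName')]",
      "location": "[resourceGroup().location]",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "state": "Enabled",
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "triggers": {
            "manual": {
              "type": "Request",
              "kind": "Http",
              "inputs": { "schema": {} }
            }
          },
          "actions": {
            "Post_to_custom_API": {
              "type": "Function",
              "runAfter": {},
              "inputs": {
                "function": { "id": "[parameters('functionResourceId')]" },
                "method": "POST",
                "body": "@triggerBody()",
                "authentication": {
                  "type": "ManagedServiceIdentity",
                  "audience": "[parameters('functionAudience')]"
                }
              }
            }
          },
          "outputs": {}
        }
      }
    }
  ]
}
```

The `identity` block on the workflow resource is what the "switch the status to on and hit save" step does in the portal; the `authentication` block on the action is the "managed identity" authentication type with its audience. Nothing in the template is a secret, so it can live in source control as-is. If you would rather share one identity across a Function App and this Logic App, as suggested in the "When do I use what?" section, change the resource's `identity` to `{ "type": "UserAssigned", "userAssignedIdentities": { "<identity resource id>": {} } }` and add an `"identity": "<identity resource id>"` property next to `audience` in the action's authentication block, so the runtime knows which identity to request the token for.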


Testing the app

Finally I'm ready to test the app. So what I do is add a new response to the form and submit. I check out the logic app run history and I can see that it's all green. If you go into the details and check the raw input and raw output you'll see that you can't actually see any authentication details, but you can see that authentication type is set to ManagedServiceIdentity.



So you get to see what actually happens during input and output, but the authentication bit is completely opaque and there's no risk of users extracting data from the run history.

Wrap-up

Using managed identities with Azure Logic Apps is a breeze, and the added security benefit is infinitely better than having to specify credentials in a connector. When you've built everything from scratch like I did for this hackathon then you don't need to store secrets in a Key Vault either, but if you did you could still give access to the managed identity for that logic app.
Check out my next post to see how to allow MSI authentication in an Azure Function.

Until next time!