
Connect to an Azure service via User Assigned Managed Identities

User Assigned Managed Identities (UAMIs) are more secure and easier to manage than connection strings or account keys: there is no secret to store, rotate, or leak, and access is granted through Azure RBAC role assignments instead.
In this show we set up UAMIs to access an Azure Storage Account and a Key Vault, and look at what .NET code changes are required to use those managed identities correctly (in particular, telling DefaultAzureCredential which UAMI to use when more than one is assigned to the Web App).
We leverage Copilot to generate most of the required code (both .NET and bicep).
Finally, we consider a strategy for managing UAMIs across many Azure resources.

LINKS
UAMI services: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status
Principle of Least Privilege: https://en.wikipedia.org/wiki/Principle_of_least_privilege

00:01 Intro
00:43 Why UAMIs (User Assigned Managed Identities)?
01:15 UAMIs have their own lifecycle
01:35 Can assign a UAMI to multiple services
01:56 Old school way of providing access to a Storage Account
02:46 Summary of what we're going to do in this show
03:47 Create .NET API (just the out-of-the-box weather forecast)
04:20 Add code to test connectivity to Storage and Key Vault, using Copilot
05:20 Use Copilot in VS Code (because the result in VS wasn't ideal)
06:15 Check Copilot generated code...
07:53 DefaultAzureCredential
08:41 Create Azure resources using bicep and Copilot
09:55 Review (scan) Copilot generated bicep and PowerShell
11:27 Working bicep after resolving a few issues
12:03 Added name for the deployment in the PowerShell
12:51 For Key Vaults, check the Access Configuration, must be RBAC! [enableRbacAuthorization: true]
14:15 Deploy the API to the Web App
14:49 See the error generated by the API (DefaultAzureCredential failed to retrieve token)
15:09 Create UAMIs and assign roles to provide access (using Copilot)
17:04 One ugly error deploying the bicep "Principal does not exist" (and solution)
17:48 Use "Fix using Copilot" (generally does a good job)
18:23 Examine newly created UAMIs in Azure portal
20:15 After deploying UAMIs, check new error from our API (Unable to load proper Managed Identity)
20:27 Error is occurring because there are TWO UAMIs assigned to our Web App
20:58 Change .NET code to specify which UAMI to use for each resource
23:17 Where do we get the UAMI Client ID?
24:17 API response after deploying the "specify UAMI" change...works!
26:05 Suggested strategy for implementing UAMIs for many resources.
27:38 Summary
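The .NET change described at 20:58 (pinning each client to one UAMI when the Web App has two assigned) as an added example; this is not the video's code. It assumes two UAMIs exist, one granted a data-plane role on the Storage Account and one granted Key Vault Secrets User on a Key Vault that has enableRbacAuthorization set to true, and that the UAMI client IDs and resource URIs are supplied via app settings whose names are our own choice. The helper class name `ManagedIdentityClients` and the settings keys are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Azure.Storage.Blobs;

// Added example, not the video's code. Assumes two UAMIs are assigned to the Web App
// and that each has the right RBAC role on its target resource (see lead-in).
public static class ManagedIdentityClients
{
    // Pin DefaultAzureCredential to one specific UAMI via its client ID.
    // With two or more UAMIs on the host and no client ID, the managed identity
    // endpoint cannot tell which identity to issue a token for, and token
    // acquisition fails (the "unable to load proper Managed Identity" error).
    public static TokenCredential ForUserAssignedIdentity(string clientId)
    {
        if (string.IsNullOrWhiteSpace(clientId))
            throw new ArgumentException("UAMI client ID is required", nameof(clientId));

        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = clientId,
            // Never fall through to an interactive browser prompt on a server.
            ExcludeInteractiveBrowserCredential = true,
        });
    }

    // One client per resource, each with its own UAMI (least privilege per resource).
    public static BlobServiceClient CreateBlobClient(Uri accountUri, string storageUamiClientId) =>
        new BlobServiceClient(accountUri, ForUserAssignedIdentity(storageUamiClientId));

    public static SecretClient CreateSecretClient(Uri vaultUri, string keyVaultUamiClientId) =>
        new SecretClient(vaultUri, ForUserAssignedIdentity(keyVaultUamiClientId));

    // Connectivity smoke test. Each call forces a token request scoped to that
    // resource, so a missing or not-yet-propagated role assignment surfaces here
    // as a 403 rather than later in a request path.
    public static async Task<(int ContainerCount, bool SecretReadable)> CheckAsync(
        BlobServiceClient blobs, SecretClient secrets, string secretName)
    {
        int containers = 0;
        await foreach (var _ in blobs.GetBlobContainersAsync())
            containers++;

        var secret = await secrets.GetSecretAsync(secretName);
        return (containers, secret.Value.Value is not null);
    }
}

// Usage in the API's Program.cs (settings keys are an assumption of this example):
//
// var cfg = builder.Configuration;
// var blobs = ManagedIdentityClients.CreateBlobClient(
//     new Uri(cfg["Storage:AccountUri"]!), cfg["Storage:UamiClientId"]!);
// var secrets = ManagedIdentityClients.CreateSecretClient(
//     new Uri(cfg["KeyVault:VaultUri"]!), cfg["KeyVault:UamiClientId"]!);
// var (count, ok) = await ManagedIdentityClients.CheckAsync(blobs, secrets, "my-secret");
```

Two caveats a practitioner will hit. First, ManagedIdentityClientId only affects the managed-identity stage of the DefaultAzureCredential chain: on a developer machine there is no managed identity endpoint, so the chain falls through to the Azure CLI or Visual Studio login and the client ID is ignored, which means the developer's own account (not the UAMI) needs the same roles for local testing. Second, the client ID (23:17 in the show) is the UAMI's "Client ID" property, not its object/principal ID; in bicep it is exposed as the `clientId` property of the `Microsoft.ManagedIdentity/userAssignedIdentities` resource and can be emitted as a deployment output and written straight into the Web App's app settings, so the value never has to be copied by hand.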

Video "Connect to an Azure service via User Assigned Managed Identities" from the SprintDeployLearnRepeat channel
