Azure — Managed identities

Michal Molka
5 min read · Nov 26, 2021

When you connect from a resource such as an app, Event Hub, VM, or Logic App to Azure SQL Server, Storage, or another service, you have to store and maintain credentials. That is not always a secure solution: you must store passwords, keep up with rotation policies, and so on. A managed identity does not have these drawbacks.

There are two types of managed identities: system-assigned and user-assigned. A system-assigned identity is tied to the single service for which it was created and exists along with that service: if the service is deleted, the managed identity is removed. A user-assigned identity is a separate entity that can be assigned to more than one service.

The first example is the system-assigned identity. We want to store events originating from an Azure Stream Analytics job inside an Azure SQL database, so we need to create a managed identity for Stream Analytics. Go to the Stream Analytics job and select the Managed Identity option.

And create a system-assigned managed identity.

You can review your managed identities here: Azure Active Directory -> Enterprise Applications -> All applications -> set Application filter type to: Managed Identities.

Connect to the Azure SQL database as the Active Directory administrator. Add a new user; the username must be the same as the managed identity name. Then assign permissions on the objects it needs.

-- Contained database user mapped to the Stream Analytics job's managed identity (an Azure AD principal, no password stored)
CREATE USER [eightfive-stream-analytics] FROM EXTERNAL PROVIDER;
-- Grant only what the Stream Analytics output needs: read and write on the target table
GRANT SELECT, INSERT ON [Iowa_Liquor_Sales].[dbo].[stream-output] TO [eightfive-stream-analytics];

From now on, you are able to store Stream Analytics data inside the Azure SQL database; the managed identity does the trick. Let’s check.

Add a new output in Stream Analytics with an authentication mode set to Managed Identity.

After the query has been adjusted to write to the new output, new records are inserted into the SQL database.

In order to create a user-assigned managed identity, head over to the Managed Identities service.

Enter necessary information.

In this example we use a Logic App which executes a stored procedure placed inside an Azure SQL database.

In order to assign the managed identity, go to Identity -> User assigned and add the previously created identity.

In the SQL database, create a contained database user as in the case of the system-assigned identity. Notice that I’ve assigned different permissions in this case.
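The contained-user script for the Logic App case, as an added example that is not from the original post, with catalog queries that confirm the principal is an external (Azure AD) user holding only the intended grant. The identity name `eightfive-logic-app` and the procedure name `dbo.usp_process_sales` are placeholders, not values from the post.

```sql
-- Run as the Azure AD administrator of the database. The identity name and the
-- procedure name are placeholders (hypothetical), not values from the post.
CREATE USER [eightfive-logic-app] FROM EXTERNAL PROVIDER;

-- Least privilege for the Logic App scenario: it only needs to run one procedure,
-- so grant EXECUTE on that procedure instead of table-level SELECT/INSERT.
GRANT EXECUTE ON OBJECT::[dbo].[usp_process_sales] TO [eightfive-logic-app];

-- Check 1: the principal is an Azure AD (external) user, not a SQL user with a password.
-- Expected: type_desc = 'EXTERNAL_USER', authentication_type_desc = 'EXTERNAL'.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = N'eightfive-logic-app';

-- Check 2: list every permission held directly by the identity.
-- Expected: CONNECT on the database plus a single EXECUTE on dbo.usp_process_sales.
SELECT pe.state_desc, pe.permission_name, pe.class_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp
  ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name = N'eightfive-logic-app';

-- Check 3: make sure the identity was not dropped into a broad fixed role instead.
-- Expected: no rows (db_owner or db_datawriter membership would defeat the narrow grant).
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'eightfive-logic-app';
```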

Create a new connection in the Logic App. Then select Authentication type: Logic Apps Managed Identity.

From now on, you can use this connection to create an Execute stored procedure step.

The third and fourth examples show how to configure a managed identity when you want to connect to Azure Data Lake Storage. We will connect there from Azure Data Factory.

A system-assigned managed identity is automatically created with ADF, so you can use it directly in a linked service.

When you select an authentication method and choose Managed Identity, the system-assigned MI is provided out of the box.

Now it is time for ADLS Gen2. Select Access Control (IAM) -> Add -> Add role assignment.

Select the role you want to assign.

In the Members tab, select Managed identity -> Select members and pick the previously created managed identity.

From now on, ADF is entitled to perform operations on ADLS Gen2.

In the case of a user-assigned managed identity, the first step is to create a managed identity in the same way as before, in the Managed Identities service, and then assign it to a credential directly in ADF.

…and add it under Access Control (IAM) on the storage account, as before.
