Azure — Managed identities
When you connect from a resource such as an app, Event Hub, VM or Logic App to Azure SQL Database, Storage, etc., you have to store and maintain credentials, which in some cases isn’t a secure solution: you must store passwords, remember the rotation policy, and so on. Managed identities don’t have these drawbacks.
There are two types of managed identities: system-assigned and user-assigned. A system-assigned identity is tied to the single service it was created for and shares its lifecycle: if the service is deleted, the managed identity is removed with it. A user-assigned identity is a separate Azure resource that can be assigned to more than one service.
First example: system-assigned identity. We want to store events from Azure Stream Analytics in Azure SQL Database, so we need to create a managed identity for Stream Analytics. Go to the Stream Analytics job and select Managed Identity.
Then create a system-assigned managed identity.
You can review your managed identities here: Azure Active Directory -> Enterprise Applications -> All applications -> set the Application type filter to: Managed.
Connect to Azure SQL Database as the Active Directory admin and add a new contained user; the username must be the same as the managed identity name. Then grant permissions on the objects it needs.
CREATE USER [eightfive-stream-analytics] FROM EXTERNAL PROVIDER;
GRANT SELECT, INSERT ON [Iowa_Liquor_Sales].[dbo].[stream-output] TO [eightfive-stream-analytics];
From now on, you are able to connect Stream Analytics to Azure SQL Database through the managed identity.
Let’s add a new output in Stream Analytics with the Managed Identity authentication mode.
After the job has been switched to the newly created output, new records are inserted into the table.
To create a user-assigned managed identity, head over to the Managed Identities service.
Enter the necessary information.
In this example we use a Logic App that executes a stored procedure in Azure SQL Database.
To assign the managed identity, go to Identity -> User assigned and add the previously created identity.
Create a contained database user as in the system-assigned case. Notice that I’ve assigned different permissions in this case.
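The following T-SQL is an added example, not code from the original post. It puts the contained-user steps of both examples side by side: the Stream Analytics identity name, database and table are the ones shown above, while the Logic App identity name ([eightfive-logic-app-mi]) and the stored procedure ([dbo].[usp_ProcessSales]) are hypothetical placeholders to be replaced with your own. The grants are kept as narrow as each workload needs (INSERT into one table for the output sink, EXECUTE on one procedure for the Logic App), and the final query shows which Azure AD-backed principals exist in the database and what they were granted, which is the check to run after any change.

```sql
-- Added example (not from the original post). Run while connected to the
-- Iowa_Liquor_Sales database as the Azure AD admin: FROM EXTERNAL PROVIDER
-- only works when the creating session is itself Azure AD-authenticated.
-- [eightfive-logic-app-mi] and [dbo].[usp_ProcessSales] are placeholders.

-- 1. System-assigned identity of the Stream Analytics job. The contained user
--    name must equal the job (identity) name; no login is created in master,
--    the principal is resolved against Azure AD at connect time.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'eightfive-stream-analytics')
    CREATE USER [eightfive-stream-analytics] FROM EXTERNAL PROVIDER;

-- The output sink only appends rows to one table, so grant exactly that
-- instead of db_datawriter (which would cover every table in the database).
GRANT SELECT, INSERT ON [dbo].[stream-output] TO [eightfive-stream-analytics];

-- 2. User-assigned identity used by the Logic App (hypothetical name).
--    It only runs one procedure, so grant EXECUTE on that object rather than
--    at schema or database scope.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'eightfive-logic-app-mi')
    CREATE USER [eightfive-logic-app-mi] FROM EXTERNAL PROVIDER;

GRANT EXECUTE ON OBJECT::[dbo].[usp_ProcessSales] TO [eightfive-logic-app-mi];

-- 3. Verification: every Azure AD principal in this database and its explicit
--    permissions. type E = external (Azure AD) user, X = external group.
--    class 1 = object/column permission; other classes (e.g. CONNECT on the
--    database) are reported by their class description.
SELECT dp.name                       AS principal_name,
       dp.type_desc,
       dp.authentication_type_desc,
       perm.permission_name,
       perm.state_desc,
       CASE perm.class
            WHEN 1 THEN OBJECT_SCHEMA_NAME(perm.major_id) + N'.' + OBJECT_NAME(perm.major_id)
            ELSE perm.class_desc
       END                           AS securable
FROM sys.database_principals AS dp
LEFT JOIN sys.database_permissions AS perm
       ON perm.grantee_principal_id = dp.principal_id
WHERE dp.type IN ('E', 'X')
ORDER BY dp.name, perm.permission_name;
```

The IF NOT EXISTS guards make the script safe to re-run, and the verification query is the one to keep in a runbook: anything listed for a managed identity beyond the few grants you intended (or a membership in db_owner/db_datawriter, which would show up under sys.database_role_members rather than here) is a sign the identity was given more than its job requires.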
In the Logic App, select Authentication type: Logic Apps Managed Identity.
You can now use this connection in the next steps.
The third and fourth examples show how to configure a managed identity when you want to connect to Azure Data Lake Storage. We will connect from Azure Data Factory.
A system-assigned managed identity is automatically created by ADF, so you can use it directly in a linked service.
When you select Authentication method: Managed Identity, the system-assigned MI is provided out of the box.
Now it is time for ADLS. Select Access Control (IAM) -> Add -> Add role assignment.
Select the role you want to assign.
In the Members tab select Managed identity -> Select members and pick the previously created managed identity.
From now on, ADF is entitled to perform operations on ADLS.
For a user-assigned managed identity, the first step is to create the managed identity the same way as in the previous example, and then assign it to a credential directly in ADF.
…and add it to Access Control (IAM).