Azure Managed Identity

 

Image by https://www.pexels.com/@cookiecutter/
Image by https://www.pexels.com/@cookiecutter/

In this blog, we discuss about the different options for service identity. Let's first lay down the objective of having a service identity for a service.

In a typical landscape, we have service to service communication. The diagram below shows a function app needs to read and write to blob storage, call Azure Cognitive Service, Azure Cognitive Search and read from Azure SQL service. In this example, we need to authorize the function app to make requests to these services. In short, authorization is needed for service to service communication.

To make thing simple, let's consider the case when we needed to authorize function app to read from a blob storage.

Option 1: Connection String of Blob Storage

Here, we set the connection string of the Blob Storage to a Azure Key Vault and have this string populated in function app's configuration. So that the function app can get it at runtime to read blob data.

This option is not ideal because
  1. With connection string, the function app has permissions to perform all kind of operations on the blob storage. We are unable to restrict it to read operation
  2. Azure Key Vault is needed to store the connection string for security reasons.
  3. We need to update the connection string in Key Vault when the connection string changes.

Option 2: Shared Access Token

In the past, I have written blobs on Shared Access Token, this blog and another one. Essentially, it is a bearer token to grant the bearer to have permisssion(s) to perform operations for a limited period of time. Similar to Option 1, we need to store this token in a Azure Key Vault. With this option, we are unable to restrict the operation to read access. This option has the same #2 and #3 caveats as option #1.


Option 3: User Assigned Identity

In Azure Active Directory (AAD), we create an  (application) identity object and assign it to the function app. In this manner, the function app bears the identity of this object.


Next, we can grant blob storage read access to this identity. The advantage of this approach is that the identity to be assigned to multiple function applications and then all these applications have the same permissions. The only caveat is this identity object needs to be deleted once it is no longer needed that's when it is no longer assigned to any applications.


Option 4: Managed (Service) Identity (MSI)

Most of the Azure Services support MSI. For function app, we can enable it as show below.


Once it is enabled, we can grant blob storage read access to this identity. The advantage of this approach is that this identity is deleted once the function app is deleted. Similar to User Assigned Identity, there are no secrets exposed in the function application configuration values.


Conclusion

In most case, I like to go with the Managed Identity approach because it is simple, more secure and less maintenance (do not need to change secrets because there are no secrets stored in configuration)






Comments

Post a Comment

Popular posts from this blog

OpenAI: Functions Feature in 2023-07-01-preview API version

Image
  Image from https://www.pexels.com/@pavel-danilyuk/ One of the cool features of OpenAI version 2023-07-01 is its custom Functions feature. This feature is close to me because I am working on a project where we require OpenAI to generate JSON responses. We always want the generated JSON to be consistent, otherwise, we need to do some post-processing tasks to get the JSON object in the correct schema. In the blog, we observe the completion with and without this new feature. Development Setup python -m venv .venv poetry init poetry shell poetry add openai poetry add python-dotenv poetry add pydantic I am using Python version 3.11 Create .env file OPENAI_API_TYPE="azure" OPENAI_API_BASE="<OpenAI endpoint>" OPENAI_API_KEY="<OpenAI secret>" OPENAI_API_VERSION="2023-07-01-preview" OPENAI_DEPLOYMENT_ID="<deployment identifier>" Without OpenAI functions feature We use two sample texts for experimentation. We want to get the na
Read more

Storing embedding in Azure Database for PostgreSQL

Image
  Image from https://www.pexels.com/@tara-winstead/ There are many options to store text embeddings. In this blog, we shall look at storing embedding in Azure Database for PostgreSQL. Installing Azure Database for PostgreSQL Install Azure Database for PostgreSQL Flexible Server.  Once it is deployed, enable two extensions. Install Python modules python -m venv .venv poetry init poetry shell poetry add openai[datalib] poetry add python-dotenv poetry add psycopg2-binary My Python version is 3.10. Create .env OPENAI_API_TYPE="azure" OPENAI_API_BASE="<HTTP endpoint to Azure OpenAI Service>" OPENAI_API_KEY="<secret to Azure OpenAI Service>" OPENAI_API_VERSION="2023-05-15" TEXT_MODEL="<deployment id of text embedding model>" PGHOST="<my-service>.postgres.database.azure.com" PGUSER="<user name>" PGPASSWORD="<secret>" PGPORT="5432" PGDATABASE="< database name
Read more

Happy New Year, 2024 from DALL-E

Image
generated by DALL-E Wishing everyone a happy new year. Year 2023 is great for me because I learned much about OpenAI. I am involved in a live deployment with it, and involved in a handful of interesting user scenarios around it. On top of this, a copilot hackathon. The image above is generated by DALL-E and following is the code. 1. Dependencies python = "^3.10" pydantic-settings = "^2.1.0" openai = "^1.3.8" 2. Environment Parameters OPENAI_AZURE_ENDPOINT="<your azure openai endpoint>" AZURE_OPENAI_API_KEY="<your azure openai secret>" OPENAI_API_VERSION="2023-12-01-preview" OPENAI_DALLE_MODEL="dalle" Note: OPENAI_API_VERSION has to be 2023-12-01-preview otherwise you will get an exception openai.NotFoundError: Error code: 404 - {'error': {'code': '404', 'message': 'Resource not found'}} dalle  is the name of my dall-e-3 deployment model. You need to change it to
Read more