ASP.NET Core as a Web App Service in Azure with Managed Identities


What is Managed Identity?
Azure Active Directory Managed Identities is one of the features of Azure App Service that simplifies secret management for our cloud services. Basically, our code can use the service principal that Managed Identity creates for the app service. As developers we used to manage the client secrets of the Azure App Service in the configuration file or with Azure Key Vault; either way, at some level we ended up defining the secrets in the code, which is insecure once the code is committed.
In this article you will learn how to configure a managed identity for an Azure Web App by deploying a .NET Core web application. The hosted web application will talk to an Azure storage account without using client secrets in the code, just by configuring an identity for the web app and granting that identity access to the storage account.

Configure Managed Identity for Azure Web App:

I have hosted my .NET Core web application in one of my Azure Web App Services. Log in to the Azure portal.
Note: This Managed Identity feature can't be used to authenticate from a local development environment, in other words for applications running on localhost. We should deploy the application to the Web App to leverage this feature.

MylearningMIapp is my web app service. Go to the Settings blade and you can see the Identity option.

Managed Identity

You can see two options: 1. System assigned, 2. User assigned.

Your application can be granted two types of identities:
• A system-assigned identity goes with your application, which means it is deleted when your application is deleted. An application can have only one system-assigned identity.
• A user-assigned identity is an independent, or in other words standalone, Azure resource that can be assigned to your application. An application can have multiple user-assigned identities.
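The difference between the two identity types also shows up in code. The following is an added example, not code from the original post: with a system-assigned identity there is exactly one identity to pick up, so no identifier is needed, whereas with user-assigned identities the application has to say which one it wants by passing that identity's client ID. The account name and the client ID are assumed placeholders; the Azure.Identity and Azure.Storage.Blobs packages are assumed to be referenced.

```csharp
// Added example (not from the original post): selecting a system-assigned or a
// user-assigned managed identity when building a storage client.
// Assumes the Azure.Identity and Azure.Storage.Blobs NuGet packages.
using System;
using Azure.Identity;
using Azure.Storage.Blobs;

public static class IdentityClients
{
    // System-assigned identity: the app has exactly one, so no identifier is needed.
    // ManagedIdentityCredential talks only to the App Service identity endpoint and
    // skips the other credential sources that DefaultAzureCredential probes first.
    public static BlobServiceClient ForSystemAssigned(string accountName)
    {
        var endpoint = new Uri($"https://{accountName}.blob.core.windows.net");
        return new BlobServiceClient(endpoint, new ManagedIdentityCredential());
    }

    // User-assigned identity: the app may have several, so the code must name the
    // one to use by its client ID (an assumed placeholder supplied by the caller).
    public static BlobServiceClient ForUserAssigned(string accountName, string userAssignedClientId)
    {
        var endpoint = new Uri($"https://{accountName}.blob.core.windows.net");
        return new BlobServiceClient(endpoint, new ManagedIdentityCredential(userAssignedClientId));
    }

    // DefaultAzureCredential, as used later in the post, accepts the user-assigned
    // client ID through its options; leaving it null selects the system-assigned identity.
    public static BlobServiceClient WithDefaultCredential(string accountName, string? userAssignedClientId = null)
    {
        var options = new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId };
        var endpoint = new Uri($"https://{accountName}.blob.core.windows.net");
        return new BlobServiceClient(endpoint, new DefaultAzureCredential(options));
    }
}
```

Whichever credential type is used, the token is obtained from the App Service identity endpoint at run time and never appears in configuration; that is also why, as the note above says, the managed identity only works once the application is running inside the Web App.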

Here we are going to use system-assigned identity:

Select the System assigned option, turn the status On and click Save as shown in the figure below; it will generate the principal ID and enable the identity for your web app.

System Assigned Managed identity

Our web application is developed using .NET 7 with MVC and deployed to this web app, and it will talk to the Azure storage account to upload a file.

The code below is used to upload the file to the blob container.

using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Blobs;

public static class ManageBlob
{
    public static async Task UploadBlob(string accountName, string containerName, string blobName, string blobContents)
    {
        // Construct the blob container endpoint from the arguments.
        string containerEndpoint = string.Format("https://{0}.blob.core.windows.net/{1}", accountName, containerName);

        // Get a credential and create a client object for the blob container.
        // DefaultAzureCredential resolves the web app's managed identity, so no secret is needed here.
        BlobContainerClient containerClient = new BlobContainerClient(new Uri(containerEndpoint),
                                                                      new DefaultAzureCredential());
        try
        {
            // Create the container if it does not exist.
            await containerClient.CreateIfNotExistsAsync();

            // Upload text to a new block blob.
            byte[] byteArray = Encoding.ASCII.GetBytes(blobContents);
            using (MemoryStream stream = new MemoryStream(byteArray))
            {
                await containerClient.UploadBlobAsync(blobName, stream);
            }
        }
        catch (Exception)
        {
            throw; // rethrow as-is; "throw e;" would reset the stack trace
        }
    }
}

Usually we get the storage account connection string and use it in our code to manage the Azure Storage account service, but since we configured the identity of the Azure Web App, maintaining the secret is no longer required.

Switch to Azure storage account in Azure portal.

Select Access control (IAM) -> Add -> Add role assignment. Under the Role tab, select Job function roles -> Storage Blob Data Contributor and click Next.

Role Assignment

Role Management

Under the Members tab, select Managed identity and click Select members. In the Select managed identities pane, choose App Service as the managed identity type, select our web app, and click Select.

Managed Identity Selection
Selecting the member

The conditions are optional; just skip them and click Next. Finally, click Review + assign.

After completing all these steps, the web app can talk to the storage account to read, write, add and delete blob containers and blobs.

Code used in the web app to upload a new blob file inside the container “mycontainer”:

await ManageBlob.UploadBlob("mysawebappmi", "mycontainer", "DemoFile", "Hello World");

Deploy the web app and open the application in the browser. I have used the above code in the Index action of the Home controller, so the blob file is uploaded when the home page loads.
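As an added example, not code from the original post or its source repository, the following shows one way to wire the upload into the ASP.NET Core app: a single BlobContainerClient registered in Program.cs with DefaultAzureCredential, and a Home controller Index action that uses it. It also handles the failure mode a practitioner most often hits right after the portal steps above: the identity authenticates fine, but the role assignment is missing, scoped to the wrong resource, or has not propagated yet, which surfaces as an HTTP 403 from storage. The storage account name "mysawebappmi", the container "mycontainer" and the blob "DemoFile" are taken from the post; the controller layout and the response messages are assumptions.

```csharp
// Added example (not from the original post): registering one BlobContainerClient
// for the app and calling it from the Home controller's Index action, with a clear
// failure message when the role assignment is missing or has not propagated yet.
// Assumed names: storage account "mysawebappmi", container "mycontainer" and
// blob "DemoFile" come from the post; everything else is illustrative.
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// ---- Program.cs ----
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

// One client for the whole app: the credential caches the managed-identity token and
// refreshes it itself, so there is no connection string or account key in the config.
builder.Services.AddSingleton(sp => new BlobContainerClient(
    new Uri("https://mysawebappmi.blob.core.windows.net/mycontainer"),
    new DefaultAzureCredential()));

var app = builder.Build();
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
app.Run();

// ---- Controllers/HomeController.cs ----
public class HomeController : Controller
{
    private readonly BlobContainerClient _container;
    private readonly ILogger<HomeController> _logger;

    public HomeController(BlobContainerClient container, ILogger<HomeController> logger)
    {
        _container = container;
        _logger = logger;
    }

    public async Task<IActionResult> Index()
    {
        try
        {
            await _container.CreateIfNotExistsAsync();
            using var stream = new MemoryStream(Encoding.UTF8.GetBytes("Hello World"));
            // Overwrite so that reloading the page does not fail with "blob already exists".
            await _container.GetBlobClient("DemoFile").UploadAsync(stream, overwrite: true);
            return Content("Uploaded DemoFile to mycontainer using the web app's managed identity.");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // 403 here means the identity authenticated but has no data-plane role on the
            // storage account: the Storage Blob Data Contributor assignment is missing,
            // is scoped elsewhere, or has not propagated yet (this can take several minutes).
            _logger.LogError(ex, "Storage access denied for the managed identity (error code {Code})", ex.ErrorCode);
            return StatusCode(503, "Storage role assignment is not in effect yet.");
        }
    }
}
```

Catching only status 403 keeps other failures (wrong account name, network errors) visible as ordinary exceptions, while the logged error code tells the operator whether the problem is the role assignment rather than the identity itself.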

Blob file created after running the web app in the browser

Azure Storage Container


We have seen how to configure the identity for our Azure Web App and how to assign a role to the system-assigned identity in the Azure storage account service, so that our web app can talk to the storage account through code without managing secrets in code.

Get Source code here.

