Azure solution: User-assigned managed identity usage scenario analysis

51CTO blog address: https://blog.51cto.com/14669127

Requirements: An application named App1 is planned to run on 5 Azure VMs, and more VMs running App1 will be deployed later. The VMs that run App1 must meet the following requirements. Which type of identity should be configured?

· Ensure that the VMs can authenticate to Azure Active Directory (Azure AD) to access Azure Key Vault, an Azure Logic Apps instance and an Azure SQL database

· Avoid assigning new roles and permissions to Azure services when deploying additional VMs

· Avoid storing secrets and certificates on the VMs

· Minimize the work of managing identities

Solution analysis: IT admins often face the challenge of managing the secrets and credentials that protect communication between different services. On Azure, managed identities solve this by giving an Azure resource an identity in Azure AD and using that identity to obtain Azure AD tokens. This removes the need for IT admins to manage credentials, and the identity can be used to access Azure Key Vault, where developers can store credentials securely.

Managed identities for Azure resources are a feature of Azure Active Directory, and there are two types:

· System-assigned: Some Azure services allow a managed identity to be enabled directly on the service instance. When a system-assigned managed identity is enabled, an identity tied to the lifecycle of that service instance is created in Azure AD, so when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.

· User-assigned: You can create a user-assigned managed identity as a standalone resource and assign it to one or more instances of an Azure service. With a user-assigned managed identity, the identity and the resources that use it are managed separately.

The following table shows the differences between a system-assigned managed identity and a user-assigned managed identity.

Attribute                      | System-assigned managed identity                                                                       | User-assigned managed identity
-------------------------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------------
Creation                       | Created as part of an Azure resource, such as an Azure VM or App Service                               | Created as an independent Azure resource
Lifecycle                      | Shares the lifecycle of the Azure resource that created it; deleted when the parent resource is deleted | Independent lifecycle; must be deleted explicitly
Sharing across Azure resources | Cannot be shared; associated with only one Azure resource                                              | Can be shared; can be associated with multiple Azure resources

In summary, a user-assigned managed identity can be shared: the same user-assigned managed identity can be associated with multiple Azure resources, so each new VM running App1 reuses the identity and the role assignments already granted to it, which meets all of the requirements above.
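Once the shared user-assigned identity is attached to a VM, code on that VM obtains Azure AD tokens from the Azure Instance Metadata Service (IMDS) rather than from any stored secret. The following Python example is added here to illustrate that call; it is not code from the original post. It assumes the standard IMDS token endpoint on 169.254.169.254, the Key Vault audience https://vault.azure.net, and a constructed client ID and sample response; the `fetch` parameter is a hypothetical hook so the parsing logic can be exercised off the VM.

```python
"""Acquire an Azure AD access token for a user-assigned managed identity
from inside an Azure VM through the Instance Metadata Service (IMDS).

Added example, not part of the original blog post. Assumes the standard
IMDS endpoint and API version; the client ID and sample response below
are constructed for illustration.
"""
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# Constructed placeholder: the client ID of the shared user-assigned identity.
APP1_IDENTITY_CLIENT_ID = "00000000-0000-0000-0000-000000000001"

# Constructed sample of what IMDS returns (shape of the real response).
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi.constructed.sample",
    "client_id": APP1_IDENTITY_CLIENT_ID,
    "expires_in": "86399",
    "expires_on": "1700000000",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})


def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    resource  -- audience of the token, e.g. https://vault.azure.net for Key Vault.
    client_id -- client ID of the user-assigned identity. When more than one
                 identity is attached to the VM, IMDS cannot pick one by itself
                 and rejects the request, so name the identity explicitly.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests without this header, which blocks naive SSRF
    # attempts that cannot set custom headers.
    headers = {"Metadata": "true"}
    return url, headers


def parse_token_response(body):
    """Extract the bearer token, its expiry (Unix seconds) and audience."""
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),
        "resource": data["resource"],
    }


def _imds_fetch(url, headers):
    """Perform the real HTTP GET against IMDS (only works on an Azure VM)."""
    request = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(request, timeout=5) as response:
        return response.read().decode()


def get_managed_identity_token(resource, client_id=None, fetch=_imds_fetch):
    """Request and parse a token; `fetch` is a hypothetical hook for testing."""
    url, headers = build_token_request(resource, client_id)
    return parse_token_response(fetch(url, headers))


if __name__ == "__main__":
    # Off the VM, use the constructed sample instead of calling IMDS.
    token = get_managed_identity_token(
        "https://vault.azure.net",
        APP1_IDENTITY_CLIENT_ID,
        fetch=lambda url, headers: SAMPLE_IMDS_RESPONSE,
    )
    print(token["resource"], "token expires at", token["expires_on"])
```

Because the token is minted by the platform for the identity attached to the VM, nothing on the disk (no certificate, no client secret) needs protecting, and rotating or revoking access is done on the identity's role assignments rather than on each VM.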

Relevant information:

· Configure managed identities for Azure resources on a VM using the Azure portal

· How to use managed identities for Azure resources on an Azure VM to acquire an access token

· Create, list, delete, or assign a role to a user-assigned managed identity using the Azure portal



Origin blog.51cto.com/14669127/2679018