Tauqir

Reputation: 491

Developer support with Managed Identity for Custom API in Azure AD

I have created a proposal to implement managed identity between Azure web app hosted APIs. All APIs share one app identity. This app has a defined role. This role is assigned to all the services, so every API can call every other API without configuring any passwords. Every app validates the audience, the issuer and the authority.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {...

Every caller acquires the access token using

azureServiceTokenProvider.GetAccessTokenAsync().

Having done that, the challenge now is how to make this work for developers. When both the calling and the called API, or one of them, is running in my Visual Studio, there is no system-defined identity for the caller and no "IDENTITY_ENDPOINT" header to get the token from.

Upvotes: 0

Views: 573

Answers (1)

alphaz18

Reputation: 2746

Since you said all APIs share one app identity, that would imply you are using a user-assigned managed identity and not a system-assigned one. Either way, managed identities are basically a special type of service principal locked to Azure services, meaning only Azure services can use them. So for developers you basically need an Azure service, in this case a web app / App Service, to deploy things to in order to test with the managed identity. There is no way around that if you are using managed identities.

However, as per https://learn.microsoft.com/en-us/azure/key-vault/general/service-to-service-authentication#authenticating-to-azure-services, using the AppAuthentication library uses your dev credentials to run in your local development environment. So if you gave the role / access to all your devs' identities, testing locally would work.

Other options include creating your own app registrations / service principals and configuring your APIs / apps etc. to use them. In theory you can do the same, e.g. create a single app registration, expose/give permissions to all APIs, then create a client secret, and make all your APIs use that single app registration. Then use the secret/cert, whatever method, as the connection string of the AzureServiceTokenProvider. https://learn.microsoft.com/en-us/azure/key-vault/general/service-to-service-authentication#connection-string-support

Upvotes: 1
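The answer's first option, as an added example (not code from the question or the answer): the callee keeps the audience/issuer validation from the question, and the caller's AzureServiceTokenProvider is given the AppAuthentication "RunAs=Developer" connection string only in the Development environment, so the same code uses the managed identity in Azure and the developer's `az login` account locally. The configuration keys `AzureAd:TenantId` and `AzureAd:Audience` are assumed names, not from the page.

```csharp
// Added example; assumes Microsoft.Azure.Services.AppAuthentication and
// Microsoft.AspNetCore.Authentication.JwtBearer are referenced.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class ServiceAuthSetup
{
    // Called API: accept only tokens issued by our tenant for our own audience.
    // "AzureAd:TenantId" and "AzureAd:Audience" are assumed config keys.
    public static void AddCalleeAuth(IServiceCollection services, IConfiguration cfg)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o =>
            {
                o.Authority = $"https://login.microsoftonline.com/{cfg["AzureAd:TenantId"]}/v2.0";
                o.Audience = cfg["AzureAd:Audience"];
                o.TokenValidationParameters.ValidateIssuer = true;
                o.TokenValidationParameters.ValidateAudience = true;
            });
    }

    // Calling API: with a null connection string AzureServiceTokenProvider uses the
    // managed identity (IDENTITY_ENDPOINT) in Azure. Locally there is none, so in
    // the Development environment only we switch to the developer's Azure CLI
    // sign-in. Gating on IsDevelopment() keeps "RunAs=Developer" out of production.
    public static AzureServiceTokenProvider CreateTokenProvider(IHostEnvironment env)
    {
        string connectionString = env.IsDevelopment()
            ? "RunAs=Developer; DeveloperTool=AzureCli"
            : null;
        return new AzureServiceTokenProvider(connectionString);
    }

    // Request a token for the callee's own resource (its App ID URI), so the
    // callee's Audience check above passes. Locally this token carries the
    // developer's identity, which therefore needs the same role assignment.
    public static Task<string> GetTokenForCalleeAsync(
        AzureServiceTokenProvider provider, string calleeResource)
    {
        return provider.GetAccessTokenAsync(calleeResource);
    }
}
```

Wire it up with `ServiceAuthSetup.AddCalleeAuth(builder.Services, builder.Configuration)` in the callee and `CreateTokenProvider(builder.Environment)` in the caller; the connection string can also come from the `AzureServicesAuthConnectionString` environment variable instead of code.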
