In less than two weeks, I'll go on stage at Techorama Netherlands 2019 in the city of Ede. It's my first time at Techorama, and I'm quite excited about the chance to speak there.
You can see the abstract for my session, as well as add it to your schedule if you are attending here: https://sched.co/Or91.
Keys are always needed to access services in Azure and beyond. Storing and managing keys presents many problems, for example rotating and disabling them. Keys often also allow blanket access to the service with no way to limit it. Sometimes there is only one key that needs to be shared by services, so you won't have any way to disable access from one individually. In this talk we will go through Managed Identities for Azure Resources, how they work, and how you can use them to use Azure services in a secure way without having to manage any keys yourself. We will go through a demo application which uses various Azure services through a managed identity, removing the need to use keys entirely. The source code will be available to the audience so they have samples that they can use to implement managed identities in their own applications.
If you have been reading my blog, you know I really like Managed Identities. So it made sense as a topic.
It's not the first time I've spoken about Managed Identities, as I did presentations on it at a Finland Azure User Group meeting as well as at the last MVP Summit. That was essentially the same presentation with the same demo app.
New sample app
This time I wanted to have a demo with an app that actually has some purpose and features, instead of just being a set of small demos.
So I created Managed Identity File Sharing, with the idea that users could upload and download files and share them with people in their organization. It's currently deployed in an App Service, but I keep it stopped most of the time. If you are interested in the app, you can check out the source code.
It's an ASP.NET Core 3.0 application where users can upload, download, and delete files. Users sign in through Azure AD, and they can use their organizational or personal account. If a user uses an organizational account, any files they upload are visible to all users in their organization. Personal account users can only see their own files and can't actually share the files.
Two Azure services are used via Managed Identity: Blob Storage and Azure SQL Database. While the current Storage SDK supports Azure AD access tokens, the new preview SDK (Azure.Storage.Blobs) combined with the new Azure.Identity library offers built-in Managed Identity support, so the sample app uses those.
```csharp
using Azure.Identity;
using Azure.Storage.Blobs;

// ManagedIdentityCredential acquires the token for the App Service's identity;
// no storage account key appears anywhere in the app or its configuration.
var client = new BlobServiceClient(
    new Uri($"https://{_options.AccountName}.blob.core.windows.net"),
    new ManagedIdentityCredential());
var containerClient = client.GetBlobContainerClient(_options.FileContainerName);
var blobClient = containerClient.GetBlobClient(name);
// The SDK attaches the bearer token to the request on our behalf.
var res = await blobClient.DownloadAsync(cancellationToken);
```
It's quite a lot nicer than the approach with the current SDK, and it is also very easy to use different authentication methods.
The only difference is how the BlobServiceClient is constructed.
For SQL Database, we use the latest preview of Entity Framework Core 3.0. It offers a quite nice way to add interceptors that attach an access token to each connection before it is opened. In my previous samples, we attached an access token to the connection after getting a DbContext. Now the data layer does not need to think about access tokens at all, as the interceptor automatically attaches tokens to all connections as needed.
The interceptor inherits from DbConnectionInterceptor, overrides ConnectionOpeningAsync and attaches an access token:
```csharp
// Runs inside ConnectionOpeningAsync, before EF Core opens the connection.
var sqlConnection = (SqlConnection)connection;
string accessToken = await GetAccessTokenAsync(cancellationToken);
// Token-based auth: the connection string carries no user name or password.
sqlConnection.AccessToken = accessToken;
```
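To show how the pieces fit together, here is a complete interceptor plus its registration on the DbContext. This is an added example, not the sample app's own code: it assumes Azure.Identity's ManagedIdentityCredential for token acquisition, the EF Core 3.0 override signature (later versions return ValueTask), and a hypothetical FileSharingContext class.

```csharp
using System.Data.Common;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Diagnostics;

// Attaches a Managed Identity access token to every SQL connection before
// EF Core opens it (EF Core 3.0 signatures assumed).
public class AzureAdAccessTokenInterceptor : DbConnectionInterceptor
{
    // Scope for Azure SQL Database; assumed value for this example.
    private static readonly string[] SqlScopes = { "https://database.windows.net/.default" };
    private readonly TokenCredential _credential = new ManagedIdentityCredential();

    public override async Task<InterceptionResult> ConnectionOpeningAsync(
        DbConnection connection,
        ConnectionEventData eventData,
        InterceptionResult result,
        CancellationToken cancellationToken = default)
    {
        // Only SqlConnection supports token auth; leave other providers untouched.
        if (connection is SqlConnection sqlConnection)
        {
            // SqlClient rejects AccessToken when the connection string also
            // carries a user name/password, so the string must hold neither.
            AccessToken token = await _credential.GetTokenAsync(
                new TokenRequestContext(SqlScopes), cancellationToken);
            sqlConnection.AccessToken = token.Token;
        }
        // Only the async path is intercepted here; override ConnectionOpening
        // too if any code opens connections synchronously.
        return result;
    }
}

// Hypothetical context: the interceptor rides along with the options, so the
// data layer never touches a token or a key.
public class FileSharingContext : DbContext
{
    private readonly string _connectionString; // e.g. "Server=tcp:<server>.database.windows.net;Database=<db>;"
    public FileSharingContext(string connectionString) => _connectionString = connectionString;

    protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder) =>
        optionsBuilder
            .UseSqlServer(_connectionString)
            .AddInterceptors(new AzureAdAccessTokenInterceptor());
}
```

Locally, ManagedIdentityCredential can be swapped for DefaultAzureCredential so the same interceptor works with a developer's own Azure AD sign-in.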
See you at Techorama NL
I've been spending the last month preparing the samples and preparing my presentation, but I'm not done yet. I still need to figure out how long each section of the presentation will take, so I'll know if I'm on time while presenting.
If you are attending Techorama NL, come say hi! :)
There will definitely be time after my presentation for questions that you might have, and I'll be around the conference on both days for any more complicated questions you may have :D
I'm already looking forward to seeing old and new friends at Techorama NL, see you there!
P.S. I'll post a link to my slides after the presentation so you can see that even if you don't attend. I did minimize the amount of text in my slides this year though.