Tags: azure, asp.net-core, azure-keyvault, azure-data-lake, azure-managed-identity

Best practices for a web app communicating with Azure resources?


.NET Core application, and my application communicates with various Azure resources such as Storage Account V2. My app is deployed to Azure App Service. I have various ways for my web app to connect to the storage account. The first way is using a connection string like below:

    CloudStorageAccount storageAccount = CloudStorageAccount.Parse(_azureStorageClient.AzureStorageAccount03ConnectionString);

In the above code I am passing a connection string. I can get the connection string from Azure Key Vault and avoid hard-coding it in appsettings.json. I understand this is secure, but if someone changes or regenerates the access key in the storage account accidentally, then my app will not work.

I found one more way: using an app registered in the Azure portal and giving it RBAC on the storage account.

    TokenCredential credential = new ClientSecretCredential(
        _authenticationConfig.TenantId, clientId, _authenticationConfig.ClientSecret, new TokenCredentialOptions());

In this way I can also avoid using connection strings, and I can access the storage account based on roles. But in this case I still end up managing a client secret and client ID in code or Key Vault.

I found a last option, which is using managed identities. I feel this is the most reliable way so far: no secrets in code or in Key Vault. This is all my understanding, and my conclusion is that the third way is the most reliable, so I am trying to implement it throughout the application. I want to know whether all of my understanding is correct, whether I can get rid of the first two ways and go with the third approach, and whether it has any problems. Can someone help me verify that my understanding is correct, or, if I have understood things the wrong way, help me design best practices? Any help would be greatly appreciated. Thanks a lot.


Solution

  • Where possible, do use managed identities, as they allow you to access Azure resources without having to expose secrets. An early blog post by Microsoft states:

    Your code needs credentials to authenticate to cloud services, but you want to limit the visibility of those credentials as much as possible. Ideally, they never appear on a developer’s workstation or get checked-in to source control. Azure Key Vault can store credentials securely so they aren’t in your code, but to retrieve them you need to authenticate to Azure Key Vault. To authenticate to Key Vault, you need a credential! A classic bootstrap problem. Through the magic of Azure and Azure AD, MSI provides a “bootstrap identity” that makes it much simpler to get things started.

    Here is an overview of the supported services. As you can see most services do support managed identities.

    Here is a step-by-step tutorial that shows you how to connect to azure storage using managed identities.
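As an added example (not code from the question, the answer, or the linked tutorial), the wiring below shows the third approach from the question in working form: one credential object that resolves to the App Service managed identity in Azure and to a developer sign-in locally, used for both Blob Storage and Key Vault, with the connection-string form kept as a comment for contrast. It assumes the NuGet packages Azure.Identity, Azure.Storage.Blobs and Azure.Security.KeyVault.Secrets, and that the identity has been granted data-plane roles ("Storage Blob Data Reader" on the account, "Key Vault Secrets User" on the vault); the account, vault and secret names are placeholders.

```csharp
// Added example (not from the question or answer): wiring an ASP.NET Core app
// to Blob Storage and Key Vault with a managed identity instead of a connection
// string or client secret. Assumes packages Azure.Identity, Azure.Storage.Blobs
// and Azure.Security.KeyVault.Secrets, and that the App Service identity holds
// "Storage Blob Data Reader" on the storage account and "Key Vault Secrets User"
// on the vault. Account, vault and secret names below are placeholders.
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Azure.Storage.Blobs;

public static class AzureClients
{
    // One credential for the whole app. On App Service it resolves to the
    // managed identity (no secret anywhere); on a developer machine it falls
    // back to the Azure CLI / Visual Studio sign-in, so no connection string
    // is needed locally either.
    public static readonly TokenCredential Credential = new DefaultAzureCredential(
        new DefaultAzureCredentialOptions
        {
            // Only needed for a user-assigned identity; null selects the
            // system-assigned one. Read from an environment variable here.
            ManagedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"),
            // A server process should never pop a browser; fail instead.
            ExcludeInteractiveBrowserCredential = true
        });

    // Before (first approach in the question): the connection string embeds the
    // account key, so regenerating the key breaks the app until the secret is
    // updated everywhere it is stored.
    //   var account = CloudStorageAccount.Parse(connectionString);
    //
    // After: the client only needs the endpoint; authorization comes from the
    // identity's role assignment, which key regeneration does not affect.
    public static BlobServiceClient CreateBlobClient(string accountName) =>
        new BlobServiceClient(
            new Uri($"https://{accountName}.blob.core.windows.net"),
            Credential);

    // Key Vault is reached with the same identity: this is the "bootstrap
    // identity" the quoted blog post describes, so no credential is needed to
    // fetch the remaining credentials.
    public static SecretClient CreateSecretClient(string vaultName) =>
        new SecretClient(
            new Uri($"https://{vaultName}.vault.azure.net"),
            Credential);
}

public static class Program
{
    public static async Task Main()
    {
        var blobs = AzureClients.CreateBlobClient("mystorageaccount"); // placeholder

        // Lists the containers the identity may see. A 403 here means the role
        // assignment is missing or has not propagated yet (this can take minutes).
        await foreach (var container in blobs.GetBlobContainersAsync())
            Console.WriteLine($"container: {container.Name}");

        // Values that still must be secrets (e.g. a third-party API key) are read
        // at runtime from Key Vault, never stored in appsettings.json.
        var secrets = AzureClients.CreateSecretClient("mykeyvault"); // placeholder
        KeyVaultSecret apiKey = await secrets.GetSecretAsync("ThirdPartyApiKey"); // placeholder name
        Console.WriteLine($"loaded secret '{apiKey.Name}' ({apiKey.Value.Length} chars)");
    }
}
```

Two points worth checking when moving an app to this pattern: the role must be a data-plane role (Owner or Contributor on the account does not grant blob data access), and `DefaultAzureCredential` tries several sources in order, so in a hosted environment it is worth logging which one succeeded, or switching to `ManagedIdentityCredential` directly once the deployment is known to be App Service only.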