
Lab 04: Managed Identities for Azure Resources

Time: 45 minutes
Difficulty: Intermediate-Advanced
Portal Locations: Resource → Identity blade, IAM for target resources


Lab Overview

You are deploying applications on Azure that need to access other Azure resources securely. Instead of managing credentials (which can be leaked, expired, or stolen), you'll use Managed Identities to let Azure handle authentication automatically.


Core Concept

╔═══════════════════════════════════════════════════════════════════════╗
║  THE PROBLEM: Application needs to access Key Vault                   ║
║                                                                       ║
║  ❌ Old Way: Store connection string/password in code or config       ║
║     - Credentials can be leaked                                       ║
║     - Credentials expire and break the app                            ║
║     - Credentials end up in source control                            ║
║                                                                       ║
║  ✅ New Way: Managed Identity                                         ║
║     - Azure automatically handles authentication                      ║
║     - No credentials to manage                                        ║
║     - Credentials never leave Azure                                   ║
╚═══════════════════════════════════════════════════════════════════════╝

Pre-Lab Setup

Create these resources:

  1. Resource Group: rg-identity-lab
  2. Key Vault: kv-identity-lab-[random]
    • Permission model: Azure role-based access control
    • Create a secret: Name = DatabasePassword, Value = SuperSecret123!
  3. Storage Account: stidentitylab[random]
    • Create a blob container: app-data
    • Upload any test file
  4. Virtual Machine: (for System-assigned identity)
    • Name: vm-app-server
    • OS: Windows Server 2022 or Ubuntu 22.04
    • Size: B2s (smallest available)
    • No public IP needed for this lab

Task 1: Enable System-Assigned Managed Identity on VM

Objective

Enable a system-assigned managed identity on an existing virtual machine.

Requirements

  1. Navigate to the virtual machine vm-app-server
  2. Enable System-assigned managed identity
  3. Note the Object (principal) ID that is generated

Validation

  • [ ] Identity blade shows System-assigned status: On
  • [ ] An Object ID is displayed (GUID format)
  • [ ] This identity is unique to this VM

Task 2: Grant VM Identity Access to Key Vault

Objective

Allow the VM's managed identity to read secrets from Key Vault.

Requirements

  1. Navigate to the Key Vault kv-identity-lab-[random]
  2. Grant the VM's managed identity the Key Vault Secrets User role
  3. Scope: This Key Vault resource only

Validation

  • [ ] Role assignment exists on Key Vault
  • [ ] Principal is the VM's managed identity (check the Object ID)
  • [ ] Role is Key Vault Secrets User (not Contributor!)

Task 3: Test Secret Access from VM (Conceptual)

Objective

Understand how an application would use the managed identity.

Requirements

If you have access to the VM:

Connect to the VM and run this PowerShell (Windows) or bash (Linux) to test:

PowerShell (Windows VM):

```powershell
# Get an access token from the Instance Metadata Service (IMDS) using the VM's managed identity.
# The Metadata: true header is mandatory; IMDS rejects requests that lack it.
$response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net' -Headers @{Metadata="true"}
$accessToken = $response.access_token

# Use the token to read the secret from Key Vault (replace XXXX with your vault's random suffix)
$secretUrl = "https://kv-identity-lab-XXXX.vault.azure.net/secrets/DatabasePassword?api-version=7.0"
$secret = Invoke-RestMethod -Uri $secretUrl -Headers @{Authorization="Bearer $accessToken"}
$secret.value
```

If you cannot access the VM:

  • Understand that the VM can call the Instance Metadata Service (IMDS) at 169.254.169.254
  • This returns an access token for the managed identity
  • The token can then be used to authenticate to Azure services

Validation

  • [ ] Understand the IMDS endpoint (169.254.169.254)
  • [ ] Understand the flow: VM → IMDS → Token → Key Vault
  • [ ] No credentials stored on VM
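
The client side of the Task 3 flow in Python, as an added example that is not part of the lab: it builds the IMDS request and inspects the claims of the returned token before the token is sent to Key Vault. The function names are hypothetical, the token is a constructed unsigned sample, and the checks rely on the standard `aud`, `oid` and `exp` claims; `client_id` is the IMDS query parameter that selects a user-assigned identity.

```python
import base64
import json
import time
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_token_request(resource, client_id=None):
    """URL and headers for the Task 3 IMDS call. The Metadata header is mandatory.

    A VM that has both identity types gets the system-assigned token by default;
    pass client_id to select the user-assigned identity (id-app-backend) instead.
    """
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token):
    """Decode the JWT payload only; the signature is verified by Key Vault, not here."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_token(access_token, expected_aud, expected_oid, now=None):
    """Return the problems that would make Key Vault reject this token (empty = looks usable)."""
    now = time.time() if now is None else now
    claims = token_claims(access_token)
    problems = []
    if claims.get("aud") != expected_aud:          # token minted for a different resource
        problems.append(f"audience {claims.get('aud')!r}, expected {expected_aud!r}")
    if claims.get("oid") != expected_oid:          # not the principal that holds the role
        problems.append(f"oid {claims.get('oid')!r} is not the Object ID noted in Task 1")
    if claims.get("exp", 0) <= now:                # IMDS caches tokens, so check exp rather than assume freshness
        problems.append("token is expired")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned JWT shaped like an IMDS token (test data only, never accepted by Azure)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"
```

On the Linux VM the same request is a plain `curl -H "Metadata: true"` against the URL that `build_token_request` produces; an `oid` that differs from the Object ID you granted the role to is the first thing to look at when Key Vault answers Forbidden.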

Task 4: Create a User-Assigned Managed Identity

Objective

Create a managed identity that can be shared across multiple resources.

Requirements

  1. Navigate to Managed Identities service (search in portal)
  2. Create a new user-assigned managed identity:
    • Name: id-app-backend
    • Resource Group: rg-identity-lab
    • Region: Same as other resources
  3. Note the differences from system-assigned:
    • Has its own lifecycle (doesn't delete when resource deletes)
    • Can be assigned to multiple resources
    • Created as a separate Azure resource

Validation

  • [ ] Managed identity appears in the Managed Identities service
  • [ ] Has its own Resource ID and Object ID
  • [ ] Shows 0 resources assigned (initially)

Task 5: Assign User-Assigned Identity to VM

Objective

Attach the user-assigned identity to an existing resource.

Requirements

  1. Navigate to VM vm-app-server → Identity blade
  2. Go to User-assigned tab
  3. Add the id-app-backend managed identity

Validation

  • [ ] VM shows both system-assigned AND user-assigned identities
  • [ ] User-assigned tab shows id-app-backend
  • [ ] The managed identity resource shows "1" in Assigned resources

Task 6: Grant User-Assigned Identity Storage Access

Objective

Grant the user-assigned identity access to blob storage.

Requirements

  1. Navigate to Storage Account stidentitylab[random]
  2. Go to Access Control (IAM)
  3. Assign Storage Blob Data Contributor role
  4. Principal: id-app-backend (the user-assigned managed identity)

Validation

  • [ ] Role assignment exists on storage account
  • [ ] Principal is id-app-backend (user-assigned identity)
  • [ ] The same identity could now be used by any resource it's assigned to

Task 7: Compare Identity Types

Objective

Understand when to use each type of managed identity.

Requirements

Complete this comparison based on what you've learned:

| Feature                    | System-Assigned  | User-Assigned       |
|----------------------------|------------------|---------------------|
| Created as                 | Part of resource | Standalone resource |
| Lifecycle                  | Tied to resource | Independent         |
| Shared across resources    | ?                | ?                   |
| One resource, one identity | ?                | ?                   |
| Use case                   | ?                | ?                   |

Validation

  • [ ] You can explain when to use system-assigned
  • [ ] You can explain when to use user-assigned
  • [ ] You understand the lifecycle implications

Task 8: Managed Identity for App Service (Concept)

Objective

Understand managed identity in a PaaS scenario.

Requirements

This is conceptual: you don't need to create an App Service.

Consider this scenario:

  • You have a web app in Azure App Service
  • The app needs to read secrets from Key Vault
  • The app needs to write logs to a Storage Account

Design the identity configuration:

  1. What type of managed identity would you use?
  2. What role assignments are needed?
  3. How would the application code change?

Validation

  • [ ] You can design a managed identity solution for PaaS resources
  • [ ] You understand that managed identities work with App Service, Functions, etc.
  • [ ] You know that code uses Azure SDKs which automatically detect managed identities

Task 9: Troubleshooting Access Issues

Objective

Diagnose why a managed identity might not be able to access a resource.

Requirements

Scenario: A VM with a managed identity cannot read secrets from Key Vault. The code returns a "Forbidden" error.

Troubleshooting Checklist:

  1. Is managed identity enabled on the VM?
    • Check: VM → Identity blade
  2. What is the Object ID of the identity?
    • Note it for comparison
  3. Does a role assignment exist on Key Vault?
    • Check: Key Vault → IAM → Role assignments
    • Look for the identity's Object ID
  4. Is the correct role assigned?
    • Key Vault Secrets User = read secrets
    • Key Vault Reader = view Key Vault properties (NOT secret values)
  5. Is Key Vault using RBAC or Access Policies?
    • Check: Key Vault → Access configuration
    • If using Access Policies, RBAC roles won't work!
  6. Are there any networking restrictions?
    • Check: Key Vault → Networking
    • Is the VM's network allowed?
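
The checklist above as code, an added example rather than part of the lab: `diagnose_kv_access` (a hypothetical name) walks the six checks over records shaped like the JSON that `az vm identity show`, `az keyvault show` and `az role assignment list` return. The field names and the sample records are constructed assumptions, and the scope check goes slightly beyond the checklist by also accepting role assignments inherited from the resource group or subscription.

```python
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer",
                     "Key Vault Administrator"}


def scope_covers(scope, resource_id):
    """True if an assignment at `scope` applies to `resource_id` (RG and subscription scopes are inherited)."""
    return (resource_id.lower() + "/").startswith(scope.lower().rstrip("/") + "/")


def diagnose_kv_access(vm_identity, key_vault, role_assignments, vm_subnet_id):
    """Return the checklist findings that explain a 'Forbidden' from Key Vault (empty = access should work)."""
    oid = (vm_identity or {}).get("principalId")
    if not oid:                                      # steps 1-2: identity enabled, and its Object ID
        return ["system-assigned identity is not enabled on the VM (no principalId)"]
    props = key_vault["properties"]
    findings = []
    if not props.get("enableRbacAuthorization"):     # step 5: Access Policies model ignores RBAC
        findings.append("Key Vault uses the Access Policies model; RBAC role assignments are ignored")
    mine = [a for a in role_assignments               # steps 3-4: assignment for this OID with the right role
            if a.get("principalId") == oid and scope_covers(a["scope"], key_vault["id"])]
    if not mine:
        findings.append(f"no role assignment for Object ID {oid} at or above the Key Vault")
    elif not any(a["roleDefinitionName"] in SECRET_READ_ROLES for a in mine):
        roles = sorted({a["roleDefinitionName"] for a in mine})
        findings.append(f"roles {roles} do not grant secret reads; assign Key Vault Secrets User")
    acls = props.get("networkAcls") or {}             # step 6: firewall denies by default?
    allowed = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
    if acls.get("defaultAction", "Allow") == "Deny" and vm_subnet_id.lower() not in allowed:
        findings.append("Key Vault firewall denies by default and the VM's subnet is not allowed")
    return findings


# Constructed sample: identity enabled and RBAC model on, but only Key Vault Reader
# was assigned (at resource-group scope), so secret reads still come back Forbidden.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_VM_IDENTITY = {"type": "SystemAssigned", "principalId": "11111111-1111-1111-1111-111111111111"}
SAMPLE_KEY_VAULT = {"id": SUB + "/resourceGroups/rg-identity-lab/providers/Microsoft.KeyVault/vaults/kv-identity-lab-1234",
                    "properties": {"enableRbacAuthorization": True,
                                   "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": []}}}
SAMPLE_ASSIGNMENTS = [{"principalId": "11111111-1111-1111-1111-111111111111",
                       "roleDefinitionName": "Key Vault Reader",
                       "scope": SUB + "/resourceGroups/rg-identity-lab"}]
SAMPLE_SUBNET = SUB + "/resourceGroups/rg-identity-lab/providers/Microsoft.Network/virtualNetworks/vnet-lab/subnets/default"

if __name__ == "__main__":
    for finding in diagnose_kv_access(SAMPLE_VM_IDENTITY, SAMPLE_KEY_VAULT, SAMPLE_ASSIGNMENTS, SAMPLE_SUBNET):
        print("-", finding)
```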

Validation

  • [ ] You can systematically troubleshoot managed identity access
  • [ ] You understand the difference between Key Vault RBAC and Access Policies
  • [ ] You check both identity configuration and target resource configuration

Cleanup Instructions

  1. Delete the Virtual Machine vm-app-server
    • This automatically deletes the system-assigned identity
    • User-assigned identity remains
  2. Delete the user-assigned managed identity id-app-backend
  3. Delete the resource group rg-identity-lab
    • This removes Key Vault, Storage Account, and any remaining resources

Key Concepts Tested

  • System-assigned vs User-assigned managed identities
  • Managed identity lifecycle
  • RBAC for managed identities (they're principals like users!)
  • Data plane access (Key Vault secrets, Storage blobs)
  • Instance Metadata Service (IMDS) - 169.254.169.254
  • No credentials to manage or rotate
  • PaaS support (App Service, Functions, etc.)

Released under the MIT License.