
Lab 04: Solution - Portal Walkthrough

Only refer to this after attempting the tasks yourself!


Pre-Lab Setup

Create Resource Group

  1. Go to Resource groups → + Create
  2. Name: rg-identity-lab
  3. Region: East US
  4. Create

Create Key Vault

  1. Go to Key vaults → + Create

  2. Configure:

    • Resource group: rg-identity-lab
    • Key vault name: kv-identity-lab- + random numbers
    • Region: East US
    • Pricing tier: Standard
  3. Next: Access configuration

  4. Permission model: Azure role-based access control ← Important!

  5. Review + create → Create

  6. Go to the Key Vault → Secrets → + Generate/Import

  7. Name: DatabasePassword, Value: SuperSecret123!

  8. Create

Create Storage Account

  1. Go to Storage accounts → + Create

  2. Configure:

    • Resource group: rg-identity-lab
    • Storage account name: stidentitylab + random numbers
    • Region: East US
    • Redundancy: LRS
  3. Create

  4. Go to the storage account → Containers → + Container

  5. Name: app-data

  6. Create

Create Virtual Machine

  1. Go to Virtual machines → + Create → Azure virtual machine
  2. Configure Basics:
    • Resource group: rg-identity-lab
    • Name: vm-app-server
    • Region: East US
    • Image: Windows Server 2022 Datacenter (or Ubuntu 22.04)
    • Size: Standard_B2s
    • Username/Password: Set for management
  3. Networking:
    • Public inbound ports: None (or RDP/SSH if you want to connect)
  4. Review + create → Create

Task 1: Enable System-Assigned Managed Identity

  1. Go to Virtual machines → Click vm-app-server

  2. In left menu, scroll down to Settings → Click Identity

  3. You'll see two tabs: System assigned and User assigned

  4. On System assigned tab:

    • Status: Click On
    • Click Save
    • Click Yes to confirm
  5. Wait a few seconds - an Object (principal) ID appears

    • This is a GUID like: a1b2c3d4-e5f6-7890-abcd-ef1234567890
    • Copy this ID (you'll need it for Task 2)

Task 2: Grant VM Identity Access to Key Vault

  1. Go to Key vaults → Click your Key Vault

  2. Click Access control (IAM) in left menu

  3. Click + Add → Add role assignment

  4. Role tab:

    • Search for Key Vault Secrets User
    • Select it → Next
  5. Members tab:

    • Assign access to: Managed identity
    • Click + Select members
    • In the right panel:
      • Subscription: Your subscription
      • Managed identity: Virtual machine
      • Select: vm-app-server
    • Click Select
    • Next
  6. Review + assign → Review + assign

Verify Assignment

  1. Stay in IAM → Role assignments tab
  2. You should see:
    • Principal: vm-app-server
    • Role: Key Vault Secrets User
    • Scope: This resource

Task 3: Understanding the Code Flow

When an application on the VM needs to access Key Vault:

1. Application calls IMDS endpoint
   URL: http://169.254.169.254/metadata/identity/oauth2/token
   
2. IMDS returns an access token
   (Azure handles authentication behind the scenes)
   
3. Application uses token to call Key Vault
   Authorization: Bearer <token>
   
4. Key Vault checks the token and RBAC
   - Token is valid ✓
   - Identity has Key Vault Secrets User role ✓
   - Access granted ✓

No credentials are stored anywhere on the VM!
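The four steps above, written out as a small Python client. This is an added example, not code from the lab: it uses only the standard library, and the `opener` argument is whatever performs HTTP (`urllib.request.urlopen` on a real VM). The `fake_opener` below is a constructed stand-in that replays what IMDS and Key Vault answer in this lab's state (only the system-assigned identity holds Key Vault Secrets User), so the flow and its "Forbidden" failure mode can be run offline without any Azure resources. Two details the step list leaves implicit: IMDS only answers requests that carry the `Metadata: true` header, and the `resource` query parameter decides which service the token is valid for.

```python
"""Added example, not part of the lab: the IMDS -> Key Vault flow from
Task 3 as a small Python client. `opener` is urllib.request.urlopen on a
real VM; `fake_opener` is a constructed stand-in for running offline."""
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"                 # IMDS identity endpoint version
KEY_VAULT_RESOURCE = "https://vault.azure.net"  # audience the token must carry


def build_token_request(client_id=None):
    """Step 1: the request the application sends to IMDS.

    IMDS refuses requests without the `Metadata: true` header, so a plain
    redirect cannot reach it. `client_id` selects a user-assigned identity
    (Task 4/5); leave it out to use the system-assigned identity.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": KEY_VAULT_RESOURCE}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Metadata": "true"})


def get_token(opener, client_id=None):
    """Step 2: IMDS answers with JSON; `access_token` is the bearer token."""
    with opener(build_token_request(client_id)) as resp:
        return json.loads(resp.read().decode())["access_token"]


def build_secret_request(vault_name, secret_name, token):
    """Step 3: call the vault's data plane with `Authorization: Bearer <token>`."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(secret_name)}?api-version=7.4")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def read_secret(opener, vault_name, secret_name, client_id=None):
    """Whole flow: token from IMDS, then the secret value from Key Vault.
    Step 4 (token validation and the RBAC check) happens inside Key Vault;
    the client only sees the verdict: a `value` or an `error` document."""
    token = get_token(opener, client_id)
    with opener(build_secret_request(vault_name, secret_name, token)) as resp:
        body = json.loads(resp.read().decode())
    if "value" not in body:
        raise PermissionError("Key Vault: " + body.get("error", {}).get("code", "unknown error"))
    return body["value"]


# ---- constructed offline stand-in for urllib.request.urlopen ----------------
class _FakeResponse:
    def __init__(self, payload):
        self._data = json.dumps(payload).encode()

    def read(self):
        return self._data

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(request):
    """Replays IMDS and Key Vault in this lab's state: only the system-assigned
    identity holds Key Vault Secrets User, so a token for any user-assigned
    identity is answered with Forbidden. Messages below are constructed."""
    url = urllib.parse.urlparse(request.full_url)
    if request.full_url.startswith(IMDS_TOKEN_URL):
        if request.get_header("Metadata") != "true":
            raise PermissionError("IMDS: missing 'Metadata: true' header")
        qs = urllib.parse.parse_qs(url.query)
        if qs.get("resource") != [KEY_VAULT_RESOURCE]:
            raise ValueError("IMDS: token requested for the wrong resource")
        who = qs.get("client_id", ["system-assigned"])[0]
        return _FakeResponse({"access_token": "fake." + who, "token_type": "Bearer",
                              "resource": KEY_VAULT_RESOURCE, "expires_on": "1700003600"})
    if url.hostname and url.hostname.endswith(".vault.azure.net"):
        auth = request.get_header("Authorization") or ""
        if auth != "Bearer fake.system-assigned":        # the RBAC verdict (step 4)
            return _FakeResponse({"error": {"code": "Forbidden",
                                            "message": "Caller is not authorized"}})
        return _FakeResponse({"value": "SuperSecret123!",
                              "id": f"https://{url.hostname}/secrets/DatabasePassword/0000"})
    raise ValueError("unexpected URL " + request.full_url)


if __name__ == "__main__":
    print(read_secret(fake_opener, "kv-identity-lab-1234", "DatabasePassword"))
```

On the real VM, `read_secret(urllib.request.urlopen, "<your vault name>", "DatabasePassword")` performs the same exchange; passing `client_id` with the Client ID noted in Task 4 switches it to the user-assigned identity, which in this lab's state is exactly the case that comes back Forbidden because id-app-backend was only granted storage access in Task 6.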


Task 4: Create User-Assigned Managed Identity

  1. Search for Managed Identities in portal search bar

  2. Click + Create

  3. Configure:

    • Subscription: Your subscription
    • Resource group: rg-identity-lab
    • Region: East US
    • Name: id-app-backend
  4. Review + create → Create

  5. Go to the created identity:

    • Note the Object (principal) ID
    • Note the Client ID (also called Application ID)
    • Note the Resource ID (full Azure resource path)

Task 5: Assign User-Assigned Identity to VM

  1. Go to Virtual machines → vm-app-server

  2. Click Identity in left menu

  3. Click User assigned tab

  4. Click + Add

  5. In the right panel:

    • Find and select id-app-backend
    • Click Add
  6. Wait for deployment to complete

Verify

  • System assigned tab shows: Status On
  • User assigned tab shows: id-app-backend

The VM now has TWO identities it can use!


Task 6: Grant User-Assigned Identity Storage Access

  1. Go to Storage accounts → Click your storage account

  2. Click Access control (IAM)

  3. Click + Add → Add role assignment

  4. Role: Search for Storage Blob Data Contributor → Select → Next

  5. Members:

    • Assign access to: Managed identity
    • Click + Select members
    • Managed identity dropdown: User-assigned managed identity
    • Select: id-app-backend
    • Click Select
    • Next
  6. Review + assign → Review + assign


Task 7: Identity Type Comparison

| Feature                     | System-Assigned                  | User-Assigned                            |
|-----------------------------|----------------------------------|------------------------------------------|
| Created as                  | Part of resource                 | Standalone resource                      |
| Lifecycle                   | Deleted when resource is deleted | Independent - must delete separately     |
| Shared across resources     | No - one identity per resource   | Yes - can assign to multiple resources   |
| One resource, one identity  | Yes - 1:1 relationship           | No - many:many relationship              |
| Use case                    | Simple scenarios, single resource | Complex scenarios, shared identity needed |

When to use System-Assigned:

  • Simple deployments
  • Each resource needs unique identity
  • Want automatic cleanup

When to use User-Assigned:

  • Multiple resources need same permissions
  • Identity must survive resource deletion
  • Blue-green deployments (identity persists across versions)

Task 9: Troubleshooting Guide

Step-by-Step Troubleshooting

1. Verify Identity is Enabled:

VM → Identity → System assigned → Status: On?
If Off, enable it and try again

2. Get the Object ID:

VM → Identity → Object (principal) ID
Copy this value

3. Check Role Assignment Exists:

Key Vault → Access control (IAM) → Role assignments
Look for the VM's Object ID in the list

4. Verify Correct Role:

Common mistake: Key Vault Reader vs Key Vault Secrets User
- Key Vault Reader: View KV properties (NOT secrets)
- Key Vault Secrets User: Read secret VALUES

5. Check Permission Model:

Key Vault → Access configuration
If "Vault access policy" is selected, RBAC won't work!
Change to "Azure role-based access control"

6. Check Networking:

Key Vault → Networking
If firewall is enabled, ensure VM's VNet/subnet is allowed

Common Errors and Solutions

| Error                         | Cause                      | Solution                               |
|-------------------------------|----------------------------|----------------------------------------|
| "Managed identity not found"  | Identity not enabled       | Enable system/user-assigned identity   |
| "Forbidden" from Key Vault    | Missing role or wrong role | Add Key Vault Secrets User role        |
| "Access denied"               | Access policy mode         | Switch to RBAC mode                    |
| "Network error"               | Firewall blocking          | Add VM network to allowed networks     |
| "Token expired"               | Stale token                | Get fresh token from IMDS              |
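The checklist and error table above, turned into an offline diagnostic. This is an added example, not part of the lab: it takes the two things a troubleshooter can actually obtain, the token IMDS returned and the vault's role assignments as listed on the IAM → Role assignments tab, and reports which of the checks in steps 2 to 4 and the "Token expired" row fails. Every token, ID and assignment in the block is constructed; `decode_claims` reads the JWT payload without verifying the signature, which is fine for looking at what IMDS handed back but never a basis for an access decision (Key Vault does the real validation).

```python
"""Added example, not part of the lab: an offline diagnostic that walks the
Task 9 checklist against the token IMDS returned and the vault's role
assignments. All tokens, IDs and assignments here are constructed."""
import base64
import json
import time

KEY_VAULT_RESOURCE = "https://vault.azure.net"
SECRET_READ_ROLE = "Key Vault Secrets User"              # the role Task 2 assigns
VM_OBJECT_ID = "a1b2c3d4-e5f6-7890-abcd-ef1234567890"  # sample Object ID from Task 1


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_fake_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string so the decoder can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.no-signature"


def decode_claims(token: str) -> dict:
    """Read the payload only. This does NOT verify the signature: it is for
    inspecting what IMDS handed back, never for making an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(token, role_assignments, now=None):
    """Return a list of findings; empty when every check passes.
    `role_assignments` is a list of {"principal_id": ..., "role": ...}
    mirroring the vault's IAM -> Role assignments tab."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings = []

    # Audience: a token minted for another resource is rejected by Key Vault.
    aud = claims.get("aud")
    if aud != KEY_VAULT_RESOURCE:
        findings.append(f"wrong audience {aud!r}: request the token with "
                        f"resource={KEY_VAULT_RESOURCE}")

    # Expiry: the "Token expired" row -> fetch a fresh token from IMDS.
    if claims.get("exp", 0) <= now:
        findings.append("token expired: get a fresh token from IMDS")

    # Steps 2-4: the token's oid is the Object (principal) ID; is it listed,
    # and with the right role? (Only Secrets User is checked here; broader
    # built-in roles such as Key Vault Administrator would need adding.)
    oid = claims.get("oid")
    roles = {ra["role"] for ra in role_assignments if ra["principal_id"] == oid}
    if not roles:
        findings.append(f"no role assignment for principal {oid}: identity not "
                        "enabled, or role not assigned on this vault")
    elif SECRET_READ_ROLE not in roles:
        findings.append(f"principal {oid} has {sorted(roles)} but not "
                        f"'{SECRET_READ_ROLE}', so secret values stay Forbidden")
    return findings


if __name__ == "__main__":
    now = 1_700_000_000
    tok = make_fake_token({"aud": KEY_VAULT_RESOURCE, "oid": VM_OBJECT_ID, "exp": now + 3600})
    # The common mistake from step 4: Key Vault Reader instead of Secrets User.
    for finding in diagnose(tok, [{"principal_id": VM_OBJECT_ID, "role": "Key Vault Reader"}], now):
        print(finding)
```

With a real token, the `oid` claim printed by `decode_claims` is the value to look for in the role-assignments list (step 3); when it is absent, the identity was either never enabled or the assignment was made on a different scope than the vault.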

Released under the MIT License.