GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → juunas11 → Joonasw.ManagedIdentityDemos

juunas11 / Joonasw.ManagedIdentityDemos

Licence: other
Example uses of Azure Managed Identities

Programming Languages

javascript
184084 projects - #8 most used programming language
C#
18002 projects
HTML
75241 projects
CSS
56736 projects

Labels

azureasp-net-coreazure-active-directoryazure-managed-service-identity

Projects that are alternatives of or similar to Joonasw.ManagedIdentityDemos

aspnetcore2aadauth
ASP.NET Core 2.0 Azure AD authentication example
Stars: ✭ 37 (+54.17%)
Mutual labels:  asp-net-core, azure-active-directory
Cake-Shop
A sample Cake Shop Website built with ASP.NET Core (Multi-Page Application)
Stars: ✭ 44 (+83.33%)
Mutual labels:  asp-net-core
AspNetCoreMvcAngular
ASP.NET Core MVC with angular in MVC View OpenID Connect Hybrid Flow
Stars: ✭ 54 (+125%)
Mutual labels:  asp-net-core
SQRL-For-Dot-Net-Standard
SQRL for the .Net Standard runtimes. Secure Quick Reliable Login is a highly secure user privacy based authentication system that removes the need for users to have more than one password for a global identity https://www.grc.com/sqrl/sqrl.htm for more information of the protocal.
Stars: ✭ 26 (+8.33%)
Mutual labels:  asp-net-core
NClient
💫 NClient is an automatic type-safe .Net HTTP client that allows you to call web service API methods using annotated interfaces or controllers without boilerplate code.
Stars: ✭ 25 (+4.17%)
Mutual labels:  asp-net-core
ImageResize
Image resizing tool for .Net applications with ability to add text/image watermark, Supports animated images as well.
Stars: ✭ 45 (+87.5%)
Mutual labels:  asp-net-core
SimpleSocial
A simple social network web application using ASP.NET Core 3.1
Stars: ✭ 16 (-33.33%)
Mutual labels:  asp-net-core
aspnet-core-vuejs-template
ASP.NET Core / Vue.js SPA Template App
Stars: ✭ 75 (+212.5%)
Mutual labels:  asp-net-core
prometheus.aspnetcore
Prometheus instrumentation for .NET Core
Stars: ✭ 29 (+20.83%)
Mutual labels:  asp-net-core
high-performance-aspnet-core-workshop
Sample application used in the High-Performance ASP.NET Core Workshop
Stars: ✭ 29 (+20.83%)
Mutual labels:  asp-net-core
MediatR.AspNetCore.Endpoints
No description or website provided.
Stars: ✭ 89 (+270.83%)
Mutual labels:  asp-net-core
Demo.AspNetCore.WebApi
Sample Web API powered by ASP.NET Core MVC, Azure Cosmos DB and MediatR
Stars: ✭ 24 (+0%)
Mutual labels:  asp-net-core
ExcelExport
Classes to generate Excel/CSV Report in ASP.NET Core
Stars: ✭ 39 (+62.5%)
Mutual labels:  asp-net-core
react-native-msal
MSAL for React Native
Stars: ✭ 62 (+158.33%)
Mutual labels:  azure-active-directory
Awesome-Nuget-Packages
📦 A collection of awesome and top .NET packages sorted by most popular needs.
Stars: ✭ 87 (+262.5%)
Mutual labels:  asp-net-core
RestWithASP-NETUdemy
No description or website provided.
Stars: ✭ 40 (+66.67%)
Mutual labels:  asp-net-core
PressCenters.com
News aggregator for the press releases of the Bulgarian government sites written in ASP.NET Core
Stars: ✭ 91 (+279.17%)
Mutual labels:  asp-net-core
ProductsStoreOnKubernetes
Demoing deployment of Docker containers into Kubernetes for both minikube and Azure AKS.
Stars: ✭ 90 (+275%)
Mutual labels:  asp-net-core
DFIR-O365RC
PowerShell module for Office 365 and Azure log collection
Stars: ✭ 158 (+558.33%)
Mutual labels:  azure-active-directory
AngularAspNetCoreSignalR
Build a simple chat app with Angular and ASP.NET Core SignalR
Stars: ✭ 12 (-50%)
Mutual labels:  asp-net-core
View All Similar Projects ➔

Azure Managed Identity demo collection

This is an ASP.NET Core 6.0 app which demonstrates usage of some Azure services with Managed Identity authentication:

  • Key Vault
  • App Configuration
  • Cosmos DB
  • SQL Database
  • Data Lake Gen 2
  • Blob Storage
  • Event Hub
  • Service Bus Queue
  • Azure Maps
  • Cognitive Services

There is also a demo of calling a custom API, which is in the Joonasw.ManagedIdentityDemos.CustomApi folder.

Setup instructions

For local development you will need the 6.0 .NET SDK. If you use Visual Studio, currently you'd need at least VS 2022.

For local development, you can give your user account access to the resources. You will need to login to the az CLI and ensure you are logged in to the right Azure AD tenant. Another option for Visual Studio users is to set your account in Tools -> Options -> Azure Service Authentication.

For local development, it is usually preferrable to set the Azure AD tenant id explicitly in the appsettings.Development.json of the app. You should be able to find the following setting: ManagedIdentityTenantId. Find your Azure AD tenant id from the Azure Portal (Azure Active Directory -> Properties) and set it there. This will ensure that you are always acquiring tokens for the correct Azure AD tenant at runtime locally.

To run the app in Azure, you'll need at least one Web App to run the main app. And don't forget to enable Managed Identity on the app. This will generate a Service Principal that you'll be giving access to.

Key Vault

My article on the subject: https://joonasw.net/view/aspnet-core-azure-keyvault-msi

You'll need to create an Azure Key Vault first. The only configuration setting in appsettings.json you'll have to set is KeyVaultBaseUrl. Here is an example:

{
  "Demo": {
    "KeyVaultBaseUrl": "https://keyvaultname.vault.azure.net/"
  }
}

You should then add a secret in the Key Vault with the name Demo--KeyVaultSecret. The value can be anything you want.

Then you will need to create an access policy that gives Secret Get & List permissions to your user account and/or the generated managed identity service principal.

Now you should be able to run the app and see the secret value in the Key Vault tab.

An extension method (UseAzureKeyVaultConfiguration) is used in Program.cs to add the Key Vault configuration source.

Blob Storage

Documentation: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad

My article on the subject: https://joonasw.net/view/azure-ad-authentication-with-azure-storage-and-managed-service-identity

This time you'll need to a Storage Account. The settings that affect this demo are:

{
  "Demo": {
    "StorageAccountName": "your-storage-account-name",
    "StorageContainerName": "your-blob-container-name",
    "StorageBlobName": "name-of-file-in-container"
  }
}

These should be fairly self-explanatory. The first one is the name of the Storage account, the second a blob container that you have created, and the last the name of a file that you have added to that container.

Once you have done those things, add one of the following roles to either your user account and/or the generated service principal:

  • Storage Blob Data Reader
  • Storage Blob Data Contributor

The role is added via the Access Control (IAM) tab of the Storage account or the container.

After doing these things, the Storage demo tab should work. It will load the files contents and display them as text on the view.

You can see how it uses the Storage SDK in the AccessStorage function of DemoService.

SQL Database

First you'll need an Azure SQL Database of course. The explanation on how to enable Azure AD authentication there is a bit long. You can read the official documentation here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure.

The main thing that you need to achieve is add your user account and/or service principal read access to a database. The article above will tell you how to add your user account there.

Adding service principals used to be a bit difficult. You needed to add the service principal to an Azure AD group, and then add this group access in the SQL database. Not anymore. You can now give the service principal access on SQL just by using its name.

You can find the service principal's name in the Azure Portal (under Azure Active Directory -> Enterprise applications). It'll be e.g. your App Service's name if it is system-assigned, or the name you chose if it is a user-assigned identity.

The app does not generate the database table, so here is an SQL script you can run after doing the Azure AD admin setup and connecting with your admin account:

--Login with the AAD Admin

CREATE TABLE Test
(
 [Id] INT IDENTITY,
 [Value] NVARCHAR(128)
);

INSERT INTO Test ([Value]) VALUES ('Test');
INSERT INTO Test ([Value]) VALUES ('Test 2');
INSERT INTO Test ([Value]) VALUES ('Test 3');

-- joonasmsitests is the name of the service principal in Azure AD
CREATE USER [joonasmsitests] FROM EXTERNAL PROVIDER;
GRANT SELECT ON dbo.Test TO [joonasmsitests];

-- Here is how you would add access to a user
--CREATE USER [[email protected]] FROM EXTERNAL PROVIDER;
--GRANT SELECT ON dbo.Test TO [[email protected]];

Then you can setup the configuration settings needed for the SQL database. Here is an example value for the connection string:

{
  "Demo": {
    "SqlConnectionString": "Data Source=yourserver.database.windows.net; Initial Catalog=DatabaseName;"
  }
}

Just replace yourserver with your SQL Server name and DatabaseName with your SQL Database name. No keys or passwords, just the way we like it.

This should (finally) be enough to run the sample. There is a commented-out call in the DemoService class which uses ADO.NET instead of EF Core if you are interested in that option.

Azure Service Bus

For this sample, you need to create an Azure Service Bus namespace and create a queue in it. Then, configure the relevant settings in appsettings.json:

{
  "Demo": {
    "ServiceBusNamespace": "your-namespace-name",
    "ServiceBusQueueName": "your-queue-name"
  }
}

Then, add your user account/the generated service principal to the Contributor/Owner role on the Service Bus namespace via the Access Control (IAM) tab.

If you run the app on Azure, make sure you enable Web Sockets so the listener works.

That's it for the configuration. The demo should now work, and consists of two parts. The listener tab connects to the SignalR hub using a WebSocket connection and prints all received messages. The sender tab sends messages to the queue.

Sending messages is done in the SendServiceBusQueueMessage function of DemoService. Receiving messages happens in the background service QueueListenerService.

Custom API

My article on this: https://joonasw.net/view/calling-your-apis-with-aad-msi-using-app-permissions

The last demo calls an API we have made. For this demo, you will need to register an application in Azure AD that represents the API. To do this, go to Azure Active Directory -> App registrations. When creating the registration, make sure the type is Web app/API. The sign-on URL can be https://localhost, it won't be used anyway.

After creating it, grab the Application Id. Also go to the Properties and grab the Application ID URI. Enter the ID URI in the front-end application's settings:

{
  "Demo": {
    "CustomApiApplicationIdUri": "your-api-id-uri"
  }
}

Then set the following settings in the API app's configuration:

{
  "Authentication": {
    "ClientId": "your-app-application-id",
    "ApplicationIdUri": "your-app-application-id-uri",
    "Authority": "https://login.microsoftonline.com/your-tenant-id"
  }
}

The first two settings are the bits of info we got after creating the app. The authority should contain your Azure AD's id. You can find it from Azure Active Directory -> Properties.

To run the demo on Azure, you will need an additional Web App to run the API.

Now technically we could run the sample. But if we want to do things properly, we will want to specify an application permission on our API that the front-end then uses. This way we can limit what the app can do.

As a sample, here is the application permission defined in the API Manifest:

{
  "appRoles": [
    {
      "allowedMemberTypes": [
        "Application"
      ],
      "displayName": "Read all things",
      "id": "32028ccd-3212-4f39-3212-beabd6787d81",
      "isEnabled": true,
      "description": "Allow the application to read all things as itself.",
      "value": "Things.Read.All"
    }
  ]
}

This can then be assigned to the generated service principal with PowerShell:

#Login to Azure AD
Connect-AzureAD

#Id of the role specified in the manifet
$roleId = '32028ccd-3212-4f39-3212-beabd6787d81'

#Enter your App Service name in the SearchString
$msiSpId = (Get-AzureADServicePrincipal -SearchString 'your-app-name').ObjectId

#Enter the name of the app registration for the API in the SearchString
$apiSpId = (Get-AzureADServicePrincipal -SearchString 'your-api-name').ObjectId

New-AzureADServiceAppRoleAssignment -ObjectId $msiSpId -Id $roleId -PrincipalId $msiSpId -ResourceId $apiSpId

Now we can run the API and front-end app, and call the API from the Custom API tab. The call is implemented in the AccessCustomApi function of DemoService.

Azure Event Hubs

To run the Event Hubs demos, you'll of course need an Event Hubs namespace. Create an Event Hub there. You also need to create a Storage account (or use the same one from the other demo). This Storage account is used by the listener to keep locks on the partitions. Then, configure the relevant settings in appsettings.json:

{
  "Demo": {
    "EventHubNamespace": "your-namespace-name",
    "EventHubName": "your-hub-name",
    "EventHubStorageContainerName": "mi-demos-leases"
  }
}

You can leave the container name as it is or change it to another.

Then, add your user account/the generated service principal to the Contributor/Owner role on the Event Hubs namespace via the Access Control (IAM) tab.

You also need to setup Key Vault as a configuration provider following the Key Vault section instructions.

You'll need a secret named Demo--EventHubsStorageConnectionString, containing a connection string for the Storage account you want to use for holding the partition locks.

If you run the app on Azure, make sure you enable Web Sockets so the listener works.

That's it for the configuration. The demo should now work, and consists of two parts. The listener tab connects to the SignalR hub using a WebSocket connection and prints all received messages. The sender tab sends messages to the queue.

Sending messages is done in the SendEventHubsMessage function of DemoService. Receiving messages happens in the background service EventHubsListenerService.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].