2025-01-30 Update. From: SLTechnology News&Howtos (Shulou.com), Servers
Switching a VM in Azure on and off by email? Is this possible? Of course it is, and it's actually very simple. Let's walk through it today.
Analyzing this requirement, we find that if you want to operate on an Azure environment by sending an email, the first problem to solve is authentication. The email itself carries no credentials. One way is to write the user name and password in the body of the email. Of course, this is silly, and it will never be recommended. Another way is through Azure Key Vault. Storing the user name and password in Key Vault is feasible and relatively secure. Some basic usage has been shared before; if you are interested, see https://blog.51cto.com/mxyit/2346350.
On the whole, this can ensure the availability and security of users' passwords, but in practice this method is also very troublesome. At present, several methods can be used for authentication in Azure.
1: Azure AD user credential login
This method is the most traditional and the oldest: the application logs in directly with a user name and password. The key point to pay attention to is how to protect the credentials. Enterprises rarely use this method because its security is so poor; individual users may occasionally use it in a test environment.
Here is how to log in with an Azure AD user name and password through PowerShell
2: Azure service principal mode
If you have code that needs to access or modify resources, you can create an identity for the application. This identity is called a service principal. You assign the required permissions to the service principal: it is given a role through RBAC, and the application then has the corresponding permissions. In practice, we can register an application through the Portal or PowerShell and then log in directly through PowerShell. The login method is similar to logging in with a user name and password.
3: Managed identity
With managed identities in Azure Active Directory, applications can easily access other AAD-protected resources, such as Azure Key Vault. The identity is managed by the Azure platform, and there is no need to provision or rotate any secrets.
Your application can be granted two types of identity:
A system-assigned identity is bound to your application, and if the application is deleted, the identity is deleted too. An application can have only one system-assigned identity.
A user-assigned identity is a standalone Azure resource that can be assigned to the application. An application can have multiple user-assigned identities.
This approach does not require a user name and password. If the application needs to call Azure resources, it needs neither a user name and password nor a service principal; it can use the managed identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without putting any credentials in the code.
To put it simply, RBAC used to assign roles to Azure AD users, groups, or service principals; with managed identity, we can assign permissions directly to an App Service, a Key Vault, or a VM.
Here are some examples. For instance, you can find Identity in an App Service and enable it.
In IAM, under "Assign access to", you can select not only Azure AD users but also other Azure services.
Of course, this service is only available in Azure Global; it is not available in Mooncake at present.
In this way, the web app has the corresponding permissions, with no need for any user name or password. This is also the recommended approach.
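The three sign-in methods described above, side by side in PowerShell, followed by the VM start/stop call from the opening requirement. This is an added example, not code from the original article; it assumes the Az PowerShell modules are installed, and the resource group, VM name, tenant ID and role assignment values are placeholders.

```powershell
# Added example, not from the original article. Requires Az.Accounts and Az.Compute.
# Resource group, VM name and tenant ID defaults are placeholders.
param(
    [ValidateSet('User', 'ServicePrincipal', 'ManagedIdentity')]
    [string]$Method = 'ManagedIdentity',
    [ValidateSet('Start', 'Stop')]
    [string]$Action = 'Start',
    [string]$ResourceGroup = 'rg-demo',
    [string]$VmName = 'vm-demo',
    [string]$TenantId = '<tenant-id>'
)
$ErrorActionPreference = 'Stop'   # do not touch the VM if sign-in fails

switch ($Method) {
    'User' {
        # 1: Azure AD user credential. A password must be typed or stored somewhere,
        # and the sign-in fails for accounts that require MFA.
        $cred = Get-Credential -Message 'Azure AD user name and password'
        Connect-AzAccount -Credential $cred -Tenant $TenantId | Out-Null
    }
    'ServicePrincipal' {
        # 2: Service principal. User name = application (client) ID,
        # password = client secret. Still a secret to protect.
        $cred = Get-Credential -Message 'Application ID and client secret'
        Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $TenantId | Out-Null
    }
    'ManagedIdentity' {
        # 3: Managed identity. Works only when run on an Azure resource that has
        # an identity enabled; no secret appears in the script or its input.
        Connect-AzAccount -Identity | Out-Null
    }
}

# One-time setup by an administrator (placeholder values): whichever principal
# signs in needs an RBAC role on the VM, scoped as narrowly as possible.
# New-AzRoleAssignment -ObjectId '<principal-object-id>' `
#     -RoleDefinitionName 'Virtual Machine Contributor' -Scope '<vm-resource-id>'

if ($Action -eq 'Start') {
    Start-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
} else {
    # -Force skips the interactive confirmation so the script can run unattended
    Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Force
}
```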
Let's go back to our original requirement and look at how the email switch should solve the security problem.