Configuration of Managed Identities in Azure portal

Overview

Binary Snaps that integrate with the Azure Storage Blob service to access Azure resources use the SAS URI or Access key authentication. The SnapLogic Platform now supports Managed Identities to authenticate the Azure Blob Storage service. Managed Identities are of two types:
  • System assigned managed identity: A resource created and managed by Azure for an Azure resource, such as a virtual machine or a web app, and is mapped to a single virtual machine.
  • User assigned managed identity: Resource created as a standalone Azure resource and is mapped with multiple resources.

The procedure of creating Managed identities for a Resource group in the Azure portal and linking them to a Storage account includes the following key steps:

Step 1: Create a Resource group in the Azure portal

Step 2: Create a Storage Account

Step 3: Create a Container in the Storage Account

Step 4: Create a Managed Identity

Step 5: Create a Virtual Machine

Step 5: Link the User-Assigned Managed Identity with the Virtual Machine and Storage Account

Step 6: Link System-Assigned Managed Identity to Virtual Machine and Storage Account

Prerequisites

Create a Resource group in the Azure portal

  1. Log in to the Azure portal.

  2. Search for the Resource group from the search bar.
  3. Click Create

  4. Specify the Subscription and Resource group and click Next.

  5. Specify the Name and Value of the Resource group and click Next. The Resource group is created, and the details of the Resource group display.



Create a Storage Account

  1. On the Home page of the Azure portal, search for Storage Account in the search bar.
  2. Click +Create. The Create a storage account page displays. Click Next.

  3. Select the Default to Microsoft Entra authorization in the Azure portal checkbox and click Next.

  4. Continue to click Next with the default settings until the Storage account validates.

  5. Click Create. The Storage account deploys successfully.

Create a Container in the Storage Account

  1. Click the Go to resource button on the Deployment completion page.

  2. Navigate to Containers and click Container.

  3. Specify the container name and click Create.

Create a Managed Identity

User assigned managed identity

  1. On the Home page of the Azure portal, search for Managed Identities in the search bar. The Managed Identities page displays the list of existing Managed Identities.

  2. Click Create.
  3. Specify the resource group you created earlier in Step 1.
  4. Specify the name of the User Assigned Managed Identity in the Name field.

  5. Click Next where TERMS appear.
  6. Click Create. The User-assigned Managed Identity deploys successfully.

System assigned managed identity
Note:

When you Create a Virtual Machine, Azure automatically creates a system-assigned identity associated with the machine.

Create a Virtual Machine

  1. On the home page of the Azure portal, search for Virtual Machine from the search bar.

  2. Click Create.
  3. Select the Resource group created in Step 1.
  4. Specify the name of the virtual machine.

  5. Continue to click Next:<> until the virtual machine validation passes.
  6. Click Create. The Generate new key pair pop-up appears.
  7. Click the Download private key and create resource button. The deployment completes.

    Note: The private key is not stored and cannot be retrieved if you miss to download the private key.
  8. Click Go to resource button.

Link the User-Assigned Managed Identity with the Virtual Machine and Storage Account

  1. Navigate to Security > Identity in the left navigation pane.

  2. Click the User assigned option.

  3. Click Add.

  4. Select the Managed identity (that you have created earlier in Step 4) from the User assigned managed identities list.

    Note: A single virtual machine can have multiple user-assigned managed identities assigned to it.
  5. Click Add. The identity is added to the virtual machine.
  6. Navigate to Home.
  7. Select the Storage account created in Step 2.
  8. Click Access Control (IAM) in the left navigation.

  9. Click Add>Add role assignment.

  10. Search for the Storage Blob Data Contributor role from the list of roles on the Add role assignment page.

  11. Click Next.
  12. Choose the Managed identity option in the Assign access to field.
  13. Click Select members in the Members field. The Select managed identities dialog box appears on the left.
  14. Select the User-assigned managed identity option in the Managed identity field.
  15. Select the name of the User-assigned managed identity created in Step 4.

  16. Click Select. The User-assigned Managed identity is added to the Storage account.
  17. Click Next until the Scope appears.
  18. Click Review + assign.
    Note: The following steps, 19 through 22, are optional. They verify whether the role was assigned as expected.
  19. Click the Check access tab to check the added role.
  20. Click Managed identity in the Check access box.
  21. Select the User-assigned managed identity in the Managed identity field.
  22. Select the name of the user-assigned managed identity. The current role assignments appear.

  23. Navigate to the User-assigned managed identity created in Step 4 from the search bar to obtain the client ID.

    Note: You must use the above client ID in the Azure Storage Account for User assigned managed identity authentication.

Link System-Assigned Managed Identity to Virtual Machine and Storage Account

  1. Navigate to Home.
  2. Navigate to Identity under the Security tab on the left navigation.
  3. Select the System assigned tab on the top.

  4. Select On for Status.
  5. Click Save. The Enable system assigned managed identity pop-up appears.

  6. Click Yes. A system-assigned managed identity is restricted to one per resource and is tied to the lifecycle of this resource.
  7. Navigate to Home.
  8. Select the storage account created in Step 2.
  9. Click Assess control (IAM) in the left navigation.

  10. Click Add>Add role assignment.

  11. Search for the Storage Blob Data Contributor role from the list of roles on the Add role assignment page.

  12. Click Next.
  13. Choose the Managed identity option in the Assign access to field.
  14. Click Select members in the Members field. The Select managed identities box appears on the left.
  15. Select All system-assigned managed identities in the Managed identity field.

  16. Select the name of the virtual machine created in Step 5.
  17. Click Select.
  18. Click Review + assign.

Configure Azure Storage Account with Managed Identity

User assigned managed identity System assigned managed identity
User assigned managed identity
  1. Choose the Auth type as Managed Identity.
  2. Choose the User assigned managed identity for Managed identity.
  3. Specify the Client ID obtained after creating the User assigned managed Identity in the Azure portal.
  4. Click Apply.


 System assigned managed identiy
  1. Choose the Auth type as Managed Identity.
  2. Choose System assigned managed identity for Managed identity.
  3. Click Apply.


Note: The System assigned managed identity does not require a Client ID because the resource (virtual machine) is created and managed by Azure.
Note:

Binary Snaps configured with Azure Storage Account that uses Managed identity must be executed on a Snaplex hosted on the Azure virtual machine.

Videos

  • Set up Azure Managed Identity in the Azure Portal
  • Configure Azure Storage Account with a Managed Identity in SnapLogic: