Dana Epp

Keep credentials out of code: Introducing Azure AD Managed Service Identity

I've been waiting for this to go public. Last week Microsoft announced the preview of Azure Active Directory Managed Service Identity (MSI)... a new way that gives our code an automatically managed identity for authenticating to Azure services, so that we can keep credentials out of our code.

It's a pretty simple task to implement actually. When you enable MSI for an Azure service like VMs, App Service, Functions etc., Azure creates a Service Principal for that instance of the service in Azure AD and injects the credential for that principal into the instance. Then your code just needs to call the local MSI endpoint to get an access token for the Azure service it wants to talk to.
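To make the "call the MSI endpoint" step concrete, here is an added example (not code from the post or from Microsoft) of a small token client with a cache that refreshes before expiry. It assumes the instance-metadata token endpoint `http://169.254.169.254/metadata/identity/oauth2/token` with `api-version=2018-02-01` and the mandatory `Metadata: true` header, which is the shape the generally available managed identity endpoint took after the preview described here; the preview endpoint itself differed. The `ConstructedTransport` stands in for the real HTTP call with a made-up JSON response so the example runs offline.

```python
"""Fetch and cache an access token from the managed identity endpoint.

Assumptions (not from the original post): the instance-metadata token
endpoint, api-version 2018-02-01, the required 'Metadata: true' header,
and a JSON response carrying 'access_token' and 'expires_on' (Unix
seconds, sent as a string).
"""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def build_token_request(resource: str) -> urllib.request.Request:
    """Build the GET request for a token scoped to `resource`
    (for example https://vault.azure.net for Key Vault)."""
    query = urllib.parse.urlencode({"api-version": API_VERSION, "resource": resource})
    req = urllib.request.Request(f"{IMDS_TOKEN_ENDPOINT}?{query}")
    # The endpoint rejects requests without this header; a plain browser
    # redirect cannot set it, which limits abuse of the endpoint via SSRF.
    req.add_header("Metadata", "true")
    return req


def parse_token_response(body: bytes) -> dict:
    """Extract the token and its absolute expiry; fail loudly on odd payloads."""
    payload = json.loads(body)
    if "access_token" not in payload or "expires_on" not in payload:
        raise ValueError("identity endpoint response lacks access_token/expires_on")
    return {"access_token": payload["access_token"],
            "expires_on": int(payload["expires_on"])}


def http_get(req: urllib.request.Request) -> bytes:
    """Real transport: a short timeout so a missing endpoint fails fast."""
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


class MsiTokenCache:
    """Caches one token per resource and refreshes it `refresh_margin`
    seconds before expiry, so callers never present a stale token."""

    def __init__(self, transport=http_get, refresh_margin=300, clock=time.time):
        self._transport = transport
        self._margin = refresh_margin
        self._clock = clock
        self._tokens = {}

    def get_token(self, resource: str) -> str:
        cached = self._tokens.get(resource)
        if cached and cached["expires_on"] - self._margin > self._clock():
            return cached["access_token"]
        token = parse_token_response(self._transport(build_token_request(resource)))
        self._tokens[resource] = token
        return token["access_token"]

    def authorization_header(self, resource: str) -> dict:
        """Header to attach to a call against `resource`."""
        return {"Authorization": f"Bearer {self.get_token(resource)}"}


class ConstructedTransport:
    """Offline stand-in for http_get. Returns a constructed, clearly fake
    response in the endpoint's JSON shape and records every request URL."""

    def __init__(self, clock=time.time, lifetime=3600):
        self.calls = []
        self._clock = clock
        self._lifetime = lifetime

    def __call__(self, req: urllib.request.Request) -> bytes:
        self.calls.append(req.full_url)
        body = {"access_token": f"constructed-token-{len(self.calls)}",
                "expires_on": str(int(self._clock()) + self._lifetime),
                "token_type": "Bearer"}
        return json.dumps(body).encode()


if __name__ == "__main__":
    # Swap ConstructedTransport() for the default http_get on a real Azure instance.
    cache = MsiTokenCache(transport=ConstructedTransport())
    print(cache.authorization_header("https://vault.azure.net"))
```

The only thing the application code ever sees is a short-lived bearer token; the Service Principal's own credential stays inside the platform, which is the whole point of the feature.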

What's nice is that Azure takes care of all the backing. It even takes care of rolling the Service Principal's credentials for you. Your code and your developers will never see or manage them!

I love seeing more secure code implemented with fewer hassles. The fact that Microsoft isn't even charging for Managed Service Identity and is making it free with Azure AD is awesome.

Get those creds out of code. Happy hacking!