Azurecloud~30 mins

Managed identity integration in Azure - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Managed Identity Integration in Azure

📖 Scenario: You are setting up an Azure Virtual Machine (VM) that needs to securely access Azure Key Vault without using passwords. To do this, you will enable a managed identity for the VM and grant it access to the Key Vault.

🎯 Goal: Enable a system-assigned managed identity on an Azure VM and configure an access policy on an Azure Key Vault to allow the VM to read secrets.

📋 What You'll Learn

Create an Azure Virtual Machine resource with system-assigned managed identity enabled.

Create an Azure Key Vault resource.

Add an access policy to the Key Vault granting the VM's managed identity permission to get secrets.

Use valid Azure Resource Manager (ARM) template JSON syntax.

💡 Why This Matters

🌍 Real World

Managed identities allow Azure resources to securely access other Azure services without storing credentials. This project shows how to set up this secure connection between a VM and Key Vault.

💼 Career

Understanding managed identity integration is essential for cloud engineers and architects to build secure, password-free authentication between Azure services.

Progress0 / 4 steps

Create Azure VM resource with system-assigned managed identity

Create an Azure Virtual Machine resource named myVM with the property identity set to enable systemAssigned managed identity.

Azure

{
  "type": "Microsoft.Compute/virtualMachines",
  "apiVersion": "2022-08-01",
  "name": "myVM",
  "location": "eastus",
  "identity": {
    // Enable systemAssigned managed identity here
  },
  "properties": {
    // VM properties here
  }
}

Need a hint?

Set the identity property with "type": "SystemAssigned" to enable managed identity.

Create Azure Key Vault resource

Create an Azure Key Vault resource named myKeyVault in eastus location with sku name set to standard.

Azure

{
  "type": "Microsoft.Compute/virtualMachines",
  "apiVersion": "2022-08-01",
  "name": "myVM",
  "location": "eastus",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_DS1_v2"
    },
    "storageProfile": {
      "imageReference": {
        "publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer",
        "sku": "2019-Datacenter",
        "version": "latest"
      },
      "osDisk": {
        "createOption": "FromImage"
      }
    },
    "osProfile": {
      "computerName": "myVM",
      "adminUsername": "azureuser",
      "adminPassword": "Password1234!"
    },
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', 'myVMNic')]"
        }
      ]
    }
  }
},
{
  // Create Key Vault resource here
}

Need a hint?

Use "type": "Microsoft.KeyVault/vaults" and set sku.name to standard.

Add access policy to Key Vault for VM's managed identity

Add an access policy to myKeyVault granting the managed identity of myVM permission to get secrets. Use objectId from reference('myVM', '2022-08-01').identity.principalId and set permissions.secrets to ["get"].

Azure

{
  "type": "Microsoft.Compute/virtualMachines",
  "apiVersion": "2022-08-01",
  "name": "myVM",
  "location": "eastus",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_DS1_v2"
    },
    "storageProfile": {
      "imageReference": {
        "publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer",
        "sku": "2019-Datacenter",
        "version": "latest"
      },
      "osDisk": {
        "createOption": "FromImage"
      }
    },
    "osProfile": {
      "computerName": "myVM",
      "adminUsername": "azureuser",
      "adminPassword": "Password1234!"
    },
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', 'myVMNic')]"
        }
      ]
    }
  }
},
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2022-07-01",
  "name": "myKeyVault",
  "location": "eastus",
  "properties": {
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "tenantId": "[subscription().tenantId]",
    "accessPolicies": [
      {
        // Add access policy for VM's managed identity here
      }
    ]
  }
}

Need a hint?

Use reference('myVM', '2022-08-01').identity.principalId for objectId and set permissions.secrets to ["get"].

Complete ARM template with resources array

Wrap the VM and Key Vault resource objects inside a resources array in a valid ARM template JSON structure with $schema, contentVersion, and parameters as empty object.

Azure

{
  // Wrap resources in ARM template structure here
  // Add $schema, contentVersion, parameters, and resources array
}

Need a hint?

Wrap the VM and Key Vault objects inside a resources array and add $schema, contentVersion, and empty parameters.