Using Managed Identities for Secure Cross-Service Communication in Azure

Dec 23, 2024 am 12:40 AM

Managed identities are essential for secure cross-service communication in Azure. They eliminate the need to manage secrets, keys, or connection strings, enabling seamless integration of application components. In this blog, I'll demonstrate how to connect an Azure SQL Database to a Python backend running on Azure App Service using managed identities.

Microsoft Authentication Library

To connect to Azure services using Entra identities, you'll need the Microsoft Authentication Library (MSAL). In this example I‘m using the Python library, but don‘t worry, the MSAL exists for every major programming language.

import msal

Here’s a simple function to connect to an Azure SQL Database:

def get_db_connection():
    connection_string = f'DRIVER={{ODBC Driver 17 for SQL Server}};SERVER={server}.database.windows.net;PORT=1433;DATABASE={database};Authentication=ActiveDirectoryMsi'
    return pyodbc.connect(connection_string)

With these prerequisites in place, you can establish database connections within your code and execute queries, all without handling secrets or connection strings.

Demo Python Backend

For demonstration, I created a simple Python Flask API that returns employee data such as name, position, and salary. Notice how the get_db_connection() function is used to open the database connection and query the data.

def get_employees():
    conn = get_db_connection()
    cursor = conn.cursor()
    cursor.execute('SELECT ID, Name, Position, Salary FROM Employees')
    rows = cursor.fetchall()
    conn.close()

    # Convert data to a list of dictionaries.
    employees = []
    for row in rows:
        employees.append({
            'ID': row.ID,
            'Name': row.Name,
            'Position': row.Position,
            'Salary': row.Salary
        })

    return jsonify(employees)

This simple approach ensures that your backend interacts securely with the database using managed identities.

Dockerfile

If you're deploying your application in Docker containers, here’s the Dockerfile to install the ODBC Driver for SQL Server:

FROM python:3.13-slim

COPY . /app
WORKDIR /app

# Install Microsoft ODBC Driver 17 for SQL Server and dependencies
RUN apt-get update \
 && apt-get install -y gnupg curl apt-transport-https \
 && curl https://packages.microsoft.com/keys/microsoft.asc | tee /etc/apt/trusted.gpg.d/microsoft.asc \
 && echo "deb [arch=amd64] https://packages.microsoft.com/debian/11/prod bullseye main" | tee /etc/apt/sources.list.d/mssql-release.list \
 && apt-get update \
 && ACCEPT_EULA=Y apt-get install -y msodbcsql17 unixodbc-dev \
 && apt-get install -y build-essential \
 && apt-get clean -y

# Install Python dependencies
RUN pip install -r requirements.txt

EXPOSE 80

CMD ["gunicorn", "-w", "4", "-b", "0.0.0.0:80", "app:app"]

This setup ensures that your container is ready to securely connect to Azure SQL.

SQL Server and Database Deployment

When deploying an Azure SQL server, configure Azure AD Only Authentication. This is a requirement for the managed identity. Below is the Bicep template used to deploy the SQL server and database:

resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
  name: serverName
  location: location
  tags: {
    workload: 'Sample Backend with SQL Database'
    topic: 'SQL Server'
    environment: 'Production'
  }
  properties: {
    minimalTlsVersion: '1.2'
    administrators: {
      administratorType: 'ActiveDirectory'
      login: sqlAdminName
      sid: sqlAdminObjectId
      tenantId: tenantId
      principalType: principalType
      azureADOnlyAuthentication: azureADOnlyAuthentication
    }
  }
}

resource sqlDB 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
  parent: sqlServer
  name: sqlDBName
  location: location
  sku: {
    name: sqlDBSkuName
    tier: sqlDBSkuTier
    capacity: capacity
  }
}

This template ensures the database is securely configured and ready for use.

Granting Database Roles to Managed Identity

To enable your App Service to access the database without secrets, assign necessary database roles to the managed identity. You can‘t perform this step with Bicep or Terraform. Create a custom script or access the database via the Azure Portal.

CREATE USER [<displayname-of-appservice>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<displayname-of-appservice>];
ALTER ROLE db_datawriter ADD MEMBER [<displayname-of-appservice>];
ALTER ROLE db_ddladmin ADD MEMBER [<displayname-of-appservice>];
GO
</displayname-of-appservice></displayname-of-appservice></displayname-of-appservice></displayname-of-appservice>

These roles allow the managed identity to perform read, write, and schema-altering operations as needed.

Public Template on GitHub

For the complete code, including CI/CD integration, check out the public template on GitHub. This repository contains everything you need to replicate the setup described in this blog.

Latzox / quickstart-backend-with-sql-database

A lightweight backend environment for testing new application features. It includes everything from hosting the app to managing data persistence and integrates CI/CD for easy testing and iteration.

Quickstart Backend with SQL Database Connection

This use case involves deploying an Azure App Service with an Azure SQL Database to provide a lightweight backend environment for testing new application features. It includes everything from hosting the app to managing data persistence and integrates CI/CD for easy testing and iteration.

Objectives

Deploy a scalable and secure web backend on Azure for testing new application features.
Automate the infrastructure provisioning using Bicep.
Integrate continuous deployment for the application for frequent testing and easy updates.

Components Overview

Azure App Service - Deploy a simple backend API.
Azure SQL Database - Set up a SQL database for persistence.
Azure Container Registry (Optional) - Store container images for versioning (if you're using a containerized version).
Continuous Integration/Continuous Deployment (CI/CD) - Automate deployment using GitHub Actions.

View on GitHub

Using managed identities simplifies cross-service communication and enhances security by eliminating the need for secrets. This approach is highly recommended for anyone building secure and scalable applications in Azure.

The above is the detailed content of Using Managed Identities for Secure Cross-Service Communication in Azure. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Learning Python: Is 2 Hours of Daily Study Sufficient?Apr 18, 2025 am 12:22 AM

Is it enough to learn Python for two hours a day? It depends on your goals and learning methods. 1) Develop a clear learning plan, 2) Select appropriate learning resources and methods, 3) Practice and review and consolidate hands-on practice and review and consolidate, and you can gradually master the basic knowledge and advanced functions of Python during this period.

Python for Web Development: Key ApplicationsApr 18, 2025 am 12:20 AM

Key applications of Python in web development include the use of Django and Flask frameworks, API development, data analysis and visualization, machine learning and AI, and performance optimization. 1. Django and Flask framework: Django is suitable for rapid development of complex applications, and Flask is suitable for small or highly customized projects. 2. API development: Use Flask or DjangoRESTFramework to build RESTfulAPI. 3. Data analysis and visualization: Use Python to process data and display it through the web interface. 4. Machine Learning and AI: Python is used to build intelligent web applications. 5. Performance optimization: optimized through asynchronous programming, caching and code

Python vs. C : Exploring Performance and EfficiencyApr 18, 2025 am 12:20 AM

Python is better than C in development efficiency, but C is higher in execution performance. 1. Python's concise syntax and rich libraries improve development efficiency. 2.C's compilation-type characteristics and hardware control improve execution performance. When making a choice, you need to weigh the development speed and execution efficiency based on project needs.

Python in Action: Real-World ExamplesApr 18, 2025 am 12:18 AM

Python's real-world applications include data analytics, web development, artificial intelligence and automation. 1) In data analysis, Python uses Pandas and Matplotlib to process and visualize data. 2) In web development, Django and Flask frameworks simplify the creation of web applications. 3) In the field of artificial intelligence, TensorFlow and PyTorch are used to build and train models. 4) In terms of automation, Python scripts can be used for tasks such as copying files.

Python's Main Uses: A Comprehensive OverviewApr 18, 2025 am 12:18 AM

Python is widely used in data science, web development and automation scripting fields. 1) In data science, Python simplifies data processing and analysis through libraries such as NumPy and Pandas. 2) In web development, the Django and Flask frameworks enable developers to quickly build applications. 3) In automated scripts, Python's simplicity and standard library make it ideal.

The Main Purpose of Python: Flexibility and Ease of UseApr 17, 2025 am 12:14 AM

Python's flexibility is reflected in multi-paradigm support and dynamic type systems, while ease of use comes from a simple syntax and rich standard library. 1. Flexibility: Supports object-oriented, functional and procedural programming, and dynamic type systems improve development efficiency. 2. Ease of use: The grammar is close to natural language, the standard library covers a wide range of functions, and simplifies the development process.

Python: The Power of Versatile ProgrammingApr 17, 2025 am 12:09 AM

Python is highly favored for its simplicity and power, suitable for all needs from beginners to advanced developers. Its versatility is reflected in: 1) Easy to learn and use, simple syntax; 2) Rich libraries and frameworks, such as NumPy, Pandas, etc.; 3) Cross-platform support, which can be run on a variety of operating systems; 4) Suitable for scripting and automation tasks to improve work efficiency.

Learning Python in 2 Hours a Day: A Practical GuideApr 17, 2025 am 12:05 AM

Yes, learn Python in two hours a day. 1. Develop a reasonable study plan, 2. Select the right learning resources, 3. Consolidate the knowledge learned through practice. These steps can help you master Python in a short time.

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

3 weeks agoByDDD

What's New in Windows 11 KB5054979 & How to Fix Update Issues

2 weeks agoByDDD

Will R.E.P.O. Have Crossplay?

1 months agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.