Support for Managed Services Identity (MSI) based Authentication for Microsoft Azure

Overview

Managed services identity based authentication for Microsoft Azure provides an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. Microsoft Azure supports the following two types of managed identity:

  • System-assigned managed identity: This feature is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it’s enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.

  • User-assigned managed identity: This feature is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that’s trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it’s assigned.

Avi Vantage release 17.2.14 supports managed services identity (MSI) based authentication for Microsoft Azure. This article explains how to configure MSI based authentication on Avi Vantage for Microsoft Azure.

Prerequisites

  • For the resource group where the Avi Controller is spawned, a role of Contributor or higher is required.
  • For the virtual network where the Avi Service Engine instances are to be deployed, a role of AviController or higher is required. For more details on creating the AviController role, refer to the Role Setup for Installation into Microsoft Azure KB article.

The privileges above are used in the Configuration section below to set up MSI based authentication.
Refer to the Avi Deployment Guide for Microsoft Azure for the complete list of prerequisites.

Configuration

This section covers the following:

  • Configuring Microsoft Azure for MSI authentication
  • Configuring Avi Vantage to support MSI authentication

Configuring Microsoft Azure

This section covers the following:

  • Enabling MSI Authentication
  • Assigning the appropriate role as per the Prerequisites section.

Enabling MSI Authentication

  1. Provision an Avi Controller virtual machine (VM) in Microsoft Azure. For information on deploying in Microsoft Azure, refer to the Avi Deployment Guide for Microsoft Azure.

  2. Log in to the Microsoft Azure Portal, and navigate to Resource Groups as shown below.

    [Screenshot: resource-group]

  3. Select the specific Resource Group you created for your Controller VM. In this example, group is the Resource Group created for the VM.

    [Screenshot: vm-resource]

  4. Select the VM for the Avi Controller from the list.

    [Screenshot: select-vm]

  5. Navigate to Identity (Preview), and set System Assigned status to On to enable MSI based authentication for the selected Avi Controller.

    [Screenshot: identity]

Assigning Role to Avi Controller VM

  1. Select Access control (IAM) from the menu on the left side.

    [Screenshot: access-control]

  2. Click Add to create a new role assignment.

    [Screenshot: add-role]

  3. Select the appropriate role as listed in the Prerequisites section.
    • For the resource group where the Avi Controller is spawned, a role of Contributor or higher is required.
    • For the virtual network where the Avi Service Engine instances are to be deployed, a role of AviController or higher is required.

    [Screenshot: role]

  4. In the Assign access to drop-down, select Virtual Machine.

    [Screenshot: access]

  5. Ensure that the proper subscription is selected in the Subscription drop-down.

    [Screenshot: subscription]

  6. For Resource Group, select the appropriate resource group, and click Save.

    [Screenshot: save]
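The portal steps in the two procedures above (turning on the system-assigned identity, then granting Contributor on the Controller's resource group and AviController on the Service Engine virtual network) can also be scripted with the Azure CLI. The script below is an added example and is not part of this article or of Avi Vantage; the subscription ID, resource group, VM and virtual network names are placeholders, and the az commands only run when APPLY_MSI=1 is set. The verify_msi_token function shows the mechanism the Overview describes: from inside the VM, a token is fetched from the Azure Instance Metadata Service with no stored secret, which is also a way to confirm that the identity works before the credentials are removed from the Avi cloud configuration.

```shell
#!/bin/sh
# Added example, not Avi Vantage code. Placeholder values; override via environment.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
CONTROLLER_RG="${CONTROLLER_RG:-avi-controller-rg}"                         # assumed name
CONTROLLER_VM="${CONTROLLER_VM:-avi-controller-vm}"                         # assumed name
SE_VNET_RG="${SE_VNET_RG:-avi-se-rg}"                                       # assumed name
SE_VNET="${SE_VNET:-avi-se-vnet}"                                           # assumed name

# ARM scope of the resource group that holds the Controller (Contributor goes here).
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# ARM scope of the virtual network the Service Engines are deployed into
# (the custom AviController role goes here).
vnet_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s' \
    "$1" "$2" "$3"
}

# Least-privilege guard: accept only scopes at resource-group level or below,
# so a Contributor grant is never made at the subscription root by mistake.
scope_is_scoped() {
  case "$1" in
    */resourceGroups/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Portal steps "Identity (Preview) -> System assigned: On".
# Prints the principalId of the new system-assigned identity.
enable_msi() {
  az vm identity assign --resource-group "$1" --name "$2" \
    --query systemAssignedIdentity -o tsv
}

# Portal steps "Access control (IAM) -> Add": assign role $2 to principal $1 at scope $3.
assign_role() {
  scope_is_scoped "$3" || { echo "refusing broad scope: $3" >&2; return 1; }
  az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal --role "$2" --scope "$3"
}

# Run this on the Controller VM itself: the Instance Metadata Service hands out a
# token for the VM's managed identity; no client secret or certificate is involved.
verify_msi_token() {
  curl -s -H 'Metadata: true' \
    'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F'
}

if [ "${APPLY_MSI:-0}" = "1" ]; then
  principal_id=$(enable_msi "$CONTROLLER_RG" "$CONTROLLER_VM")
  assign_role "$principal_id" Contributor "$(rg_scope "$SUBSCRIPTION_ID" "$CONTROLLER_RG")"
  assign_role "$principal_id" AviController "$(vnet_scope "$SUBSCRIPTION_ID" "$SE_VNET_RG" "$SE_VNET")"
fi
```

Run it as APPLY_MSI=1 sh enable-msi.sh after az login, with the five variables set to your own values; the AviController custom role must already exist in the subscription, as the Prerequisites note. Without APPLY_MSI the script only defines the functions, so it can be sourced to build and inspect the scopes before anything is granted.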

Configuring Avi Vantage

In the Azure cloud configuration on the Avi Controller, apply the no cloud_credentials_ref command to remove the stored credentials so that the Controller authenticates with its managed identity instead.

Note: After performing this configuration, it is not possible to edit the cloud object in the Avi Vantage UI, because Cloud Credentials is a required field there.