Azure Authenticator

This topic describes the DAP Azure Authenticator.

Overview

The DAP Azure Authenticator is a highly secure method for authenticating Azure workloads to DAP using their underlying Microsoft Azure attributes. A DAP identity can be established at varying granularity, allowing for a collection of resources to be identified to DAP as one, or for individual workloads to be uniquely identified. The method is based on Microsoft Azure AD Authentication, presenting developers with a familiar pattern.

The Azure Authenticator can be used instead of API key based authentication, leading to a higher security posture with no need to store a ‘secret-zero’.

The following diagram depicts the layered identification model:

This model offers the following options:

  • You can associate a set of workloads with one DAP identity, defined by the subscription and resource group properties only

  • You can associate each individual Azure workload with a unique DAP identity by including its user-assigned or system-assigned Azure managed identity in its definition.

    User-assigned managed identities are useful for pre-populating a DAP host policy before the Azure resource is created. They can also be used to share the same DAP identity among specific Azure resources within the resource group.

    System-assigned managed identities are created on the fly, so they need to be loaded into the DAP host policy at run time after the resource is created as part of the pipeline automation.

This layered approach allows you to authenticate workloads whether or not you are working with Azure managed identities.

Supported Azure services

  • Azure Virtual Machines

  • Azure App Services

  • Azure Functions

  • Azure Container Instances

How it works

This section describes how an application running on an Azure resource authenticates with DAP to retrieve secrets.

  1. An application requests its Azure AD token from the Azure Instance Metadata Service (IMDS).

  2. The IMDS responds with a signed JWT.

  3. The application sends an authentication request to DAP using the Azure Authenticator REST API.

  4. DAP attempts to authenticate and authorize the request. If successful, DAP sends a short-lived access token back to the application.

  5. The application can retrieve secrets stored in DAP.
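The following Python script is an added example, not DAP's or Microsoft's own code, that walks the five steps above and the layered identification model on a constructed, unsigned sample token so everything except the IMDS call runs offline. It assumes that the workload's Azure resource id is carried in the token's `xms_mirid` claim and represents a DAP identity as a plain dictionary of `subscription`, `resource_group` and managed-identity attributes; neither the claim name nor that representation is stated on this page, and the matching logic only illustrates the model, it is not DAP's authorization code. The IMDS URL it builds is the same one used by the curl commands later on this page.

```python
# Added example (not DAP's or Azure's own code): the authentication flow and
# the layered identity model on a constructed token. Only fetch_imds_token()
# touches the network; everything else runs offline.
import base64
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
AZURE_RESOURCE = "https://management.azure.com/"
# Assumed claim name: the managed identity's Azure resource id in the payload.
# The page only says DAP uses the workload's "underlying Azure attributes".
RESOURCE_ID_CLAIM = "xms_mirid"


def imds_token_url(api_version="2018-02-01", client_id=None):
    """Step 1: IMDS token URL with the same query as the page's curl command.
    client_id is only needed for a user-assigned managed identity."""
    params = {"api-version": api_version}
    if client_id:
        params["client_id"] = client_id
    params["resource"] = AZURE_RESOURCE
    return IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)


def fetch_imds_token(url):
    """Steps 1-2 on a real Azure resource. IMDS answers only when the
    Metadata:true header is present, which blocks naive cross-site requests."""
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["access_token"]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload WITHOUT checking the signature, for inspection only.
    DAP (step 4) verifies the signature against Azure AD's signing keys before
    trusting any claim; the client never needs to validate the token itself."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_is_current(claims, now=None):
    """IMDS tokens are short-lived: reject anything outside nbf <= now < exp."""
    now = time.time() if now is None else now
    return claims.get("nbf", 0) <= now < claims.get("exp", 0)


def workload_attributes(claims):
    """Reduce the token to the attributes the layered model keys on. Assumed
    resource id shape: /subscriptions/<sub>/resourceGroups/<rg>/providers/
    <namespace>/<type>/<name> (segment names are case-insensitive)."""
    parts = claims[RESOURCE_ID_CLAIM].strip("/").split("/")
    lowered = [p.lower() for p in parts]
    try:
        sub = parts[lowered.index("subscriptions") + 1]
        rg = parts[lowered.index("resourcegroups") + 1]
    except (ValueError, IndexError):
        raise ValueError("unexpected resource id: " + claims[RESOURCE_ID_CLAIM])
    attrs = {"subscription": sub, "resource_group": rg}
    if lowered[-2:-1] == ["userassignedidentities"]:
        attrs["user_assigned_identity"] = parts[-1]
    else:
        attrs["system_assigned_identity"] = parts[-1]
    return attrs


def matches_dap_identity(workload, identity):
    """Layered model: every attribute set on the DAP identity must equal the
    workload's; unset attributes are wildcards. Subscription + resource group
    alone matches every workload in that group; adding a managed identity
    narrows it to one workload (or the resources sharing that identity)."""
    return all(workload.get(key, "").lower() == value.lower()
               for key, value in identity.items() if value)


def make_sample_token(claims):
    """Constructed, unsigned token for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + ".sig-placeholder"


SAMPLE_CLAIMS = {  # constructed values, not real identifiers
    "aud": AZURE_RESOURCE, "nbf": 1700000000, "exp": 1700003600,
    RESOURCE_ID_CLAIM: "/subscriptions/00000000-0000-0000-0000-000000000001"
                       "/resourcegroups/rg-payments/providers"
                       "/Microsoft.ManagedIdentity/userAssignedIdentities/payments-mi",
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)


def demo():
    claims = jwt_claims(SAMPLE_TOKEN)
    workload = workload_attributes(claims)
    group_wide = {"subscription": workload["subscription"], "resource_group": "rg-payments"}
    per_workload = dict(group_wide, user_assigned_identity="payments-mi")
    return {
        "imds_url": imds_token_url("2018-02-01", "11111111-1111-1111-1111-111111111111"),
        "workload": workload,
        "group_identity_matches": matches_dap_identity(workload, group_wide),
        "workload_identity_matches": matches_dap_identity(workload, per_workload),
        "current_at_issue_time": token_is_current(claims, now=1700000100),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the workload's attributes and shows that both a group-wide identity (subscription and resource group only) and a per-workload identity (the same plus the user-assigned managed identity) accept the sample workload, while a different managed identity or resource group would not; in a pipeline, the same `workload_attributes()` output is what you would load into the host policy for a system-assigned identity after the resource is created.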

Configure the Azure Authenticator

To communicate with and retrieve secrets from DAP, the application running in Azure needs to authenticate to DAP and receive a DAP access token.

This section describes how to configure the Azure Authenticator, and how to define applications to use the Azure Authenticator to authenticate to DAP.

Retrieve an Azure AD token

To authenticate with DAP, you need an Azure AD token.

The following procedure is an example of how to retrieve an Azure AD token from an Azure VM using the IMDS REST API:

  1. Log in to the Azure VM.

  2. Run the following command, where <api_version> is the IMDS version. Use 2018-02-01 or greater:

    Token type: User-assigned managed identity

    The following command requires the <client_id>, which can be found in the Azure portal.

    curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=<api_version>&client_id=<client_id>&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s | jq -r '.access_token'

    Token type: System-assigned managed identity

    curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=<api_version>&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s | jq -r '.access_token'

    When using a system-assigned managed identity, make sure that the system-assigned managed identity is enabled in Azure. For details, see the Microsoft Azure documentation.

Azure Authenticator REST API

Once the Azure Authenticator is configured, you can send an authentication request from the Azure instance to DAP using the Azure Authenticator REST API.

For more information, see the Azure Authenticator API.

Troubleshooting the Azure Authenticator

This section lists issues that may arise and recommended solutions: