Authenticate Azure resources

This section describes how to authenticate your Azure resource to Conjur Cloud so that it can retrieve secrets from Conjur Cloud.

Supported Azure services

  • Azure Virtual Machines

  • Azure App Services

  • Azure Functions

  • Azure Container Instances

The layered identification model

The Conjur Cloud Azure Authenticator is a highly secure method for authenticating Azure workloads to Conjur Cloud using their underlying Microsoft Azure attributes. An application identity (host) can be established in Conjur Cloud at varying granularity, allowing for a collection of resources to be identified to Conjur Cloud as one, or allowing for individual workloads to be uniquely identified. The method is based on Microsoft Azure AD Authentication, presenting developers with a familiar pattern.

The Azure Authenticator can be used instead of API-key-based authentication, leading to a higher security posture with no need to store a ‘secret zero’ (an initial credential that has to be provisioned and protected out of band).

The following diagram depicts the layered identification model:

This model offers the following options:

  • You can associate a set of workloads with one application identity in Conjur Cloud, defined by the subscription and resource group properties only.

  • You can associate each individual Azure workload with a unique application identity in Conjur Cloud by including its user-assigned or system-assigned Azure managed identity in its definition.

    User-assigned managed identities are useful for pre-populating a Conjur Cloud host policy before the Azure resource is created. User-assigned managed identities can also be used to share the same Conjur Cloud application identity among specific Azure resources within the resource group.

    System-assigned managed identities are created on the fly, so they need to be loaded into the Conjur Cloud host policy at run time after the resource is created as part of the pipeline automation.


This layered approach allows you to authenticate workloads whether or not you are working with Azure managed identities.

Authentication flow

This section describes how an application running on an Azure resource authenticates with Conjur Cloud to retrieve secrets.

  1. An application requests its Azure AD token from the Azure Instance Metadata Service (IMDS).

  2. The IMDS responds with a signed JSON Web Token (JWT) issued by Azure AD for the resource's managed identity.

  3. The application sends an authentication request to Conjur Cloud using the Authenticate using Azure Authenticator REST API.

  4. Conjur Cloud attempts to authenticate and authorize the request. If successful, Conjur Cloud sends a short-lived access token back to the application.

  5. The application can retrieve secrets stored in Conjur Cloud.
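The following is an added example, not code from the Conjur Cloud documentation or from CyberArk, that walks the five-step flow above from the client side and also shows how the layered identification model compares a workload's token claims against a host definition. It builds (but does not send) the IMDS request of step 1 and the Conjur Cloud authentication request of step 3, then decodes the token's payload to show which attributes are available for matching. Assumptions: the IMDS query parameters and `Metadata: true` header follow Azure's documented managed-identity endpoint; the `xms_mirid` and `oid` claims are taken as the attributes that carry the subscription, resource group and managed-identity information; the Conjur authentication endpoint shape (`/authn-azure/<service-id>/conjur/<host-id>/authenticate`, form field `jwt`), the `Accept-Encoding: base64` header and the `https://<subdomain>.secretsmgr.cyberark.cloud/api` base URL are assumed from the Conjur authn-azure API and must be checked against the REST API reference for your tenant. The JWT used in the example is constructed locally and unsigned; it exists only so the code runs offline.

```python
"""Client-side view of the Conjur Cloud Azure Authenticator flow (added example)."""
import base64
import json
import urllib.parse
import urllib.request

# Azure Instance Metadata Service endpoint for managed-identity tokens (Azure IMDS, assumed from Azure docs).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
# Placeholder base URL; replace with your tenant's Conjur Cloud API URL (assumption).
CONJUR_URL = "https://<subdomain>.secretsmgr.cyberark.cloud/api"


def imds_token_request(resource="https://management.azure.com/", client_id=None):
    """Step 1: build the IMDS request. `client_id` selects a user-assigned identity; omit it for system-assigned."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    req = urllib.request.Request(IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params))
    req.add_header("Metadata", "true")  # IMDS refuses requests without this header
    return req


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Step 2: decode the JWT payload. The client does not verify the signature; Conjur Cloud does."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def workload_identity(claims):
    """Extract the attributes the layered model can match on (claim names are assumptions).

    xms_mirid carries the Azure resource ID of the managed identity, e.g.
      system-assigned: /subscriptions/<sub>/resourcegroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>
      user-assigned:   /subscriptions/<sub>/resourcegroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>
    """
    parts = claims["xms_mirid"].strip("/").split("/")
    fields = {k.lower(): v for k, v in zip(parts[0::2], parts[1::2])}
    identity = {
        "subscription_id": fields["subscriptions"],
        "resource_group": fields["resourcegroups"],
        "system_assigned_identity": None,
        "user_assigned_identity": None,
    }
    if "userassignedidentities" in fields:
        identity["user_assigned_identity"] = fields["userassignedidentities"]
    else:
        # System-assigned identity: the object ID of the identity principal is the unique attribute.
        identity["system_assigned_identity"] = claims["oid"]
    return identity


def host_matches(host_definition, identity):
    """Layered match: every attribute the host definition specifies must equal the workload's attribute.

    A host defined by subscription and resource group only therefore matches every workload in that
    group; adding a user- or system-assigned identity narrows it to one workload.
    """
    return all(identity.get(key) == value for key, value in host_definition.items())


def conjur_authenticate_request(service_id, host_id, jwt, conjur_url=CONJUR_URL):
    """Step 3: build the Conjur Cloud authentication request (endpoint shape is an assumption)."""
    url = f"{conjur_url}/authn-azure/{service_id}/conjur/{urllib.parse.quote(host_id, safe='')}/authenticate"
    req = urllib.request.Request(url, data=urllib.parse.urlencode({"jwt": jwt}).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept-Encoding", "base64")  # step 4: receive the short-lived access token base64-encoded
    return req


def make_sample_token(claims):
    """Constructed, unsigned JWT so the example runs offline; never accept such a token server-side."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".constructed-signature"


# Constructed sample claims for two workloads in the same resource group.
SUB = "00000000-0000-0000-0000-000000000001"
VM_TOKEN = make_sample_token({
    "oid": "aaaaaaaa-0000-0000-0000-00000000000a",
    "xms_mirid": f"/subscriptions/{SUB}/resourcegroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-app1",
})
FUNC_TOKEN = make_sample_token({
    "oid": "bbbbbbbb-0000-0000-0000-00000000000b",
    "xms_mirid": f"/subscriptions/{SUB}/resourcegroups/rg-app/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-app2",
})

if __name__ == "__main__":
    for token in (VM_TOKEN, FUNC_TOKEN):
        ident = workload_identity(token_claims(token))
        print(ident)
        print("group host matches:", host_matches({"subscription_id": SUB, "resource_group": "rg-app"}, ident))
    print(conjur_authenticate_request("prod", "host/azure-apps/app1", VM_TOKEN).full_url)
```

Running the script shows the two workloads both matching a host defined by subscription and resource group only, while a host definition that also names `id-app2` matches only the second one. The step 5 secret retrieval is an ordinary Conjur Cloud request carrying the returned access token in the `Authorization` header and is not repeated here.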