Tags
The security configuration of Azure services is a fairly broad subject area, and this is more of an introduction to how it works for a Resource Group, in the context of a Logic App that needs to interact with multiple resources. If a DevOps team, instead of the developers, is managing the security, a considerable amount of time will be spent planning and designing services beforehand, and later trying to figure out which security configurations are preventing the services working. This is even more of a problem with Logic Apps on a standard subscription, as they can’t be saved unless everything is validated and runs.
There are two categories of authentication methods for Logic Apps:
- a) The service needs to authenticate with external services, APIs, whatever’s being integrated, etc., which means it will need API keys and tokens. Sensitive data will need methods of storage and access.
- b) Some components in the Resource Group need to authenticate with other components, for example the Key Vault.
App Registrations
The first thing a Resource Group will need is an App Registration, which is an object in Active Directory, and there is an ‘App registrations‘ section for this. Its profile in Azure Portal will list endpoints for various authentication methods, a ‘key vault’ for secrets and certificates, and owners. None of the permissions granted to the App Registration are managed in Active Directory, though. It is where we might enable access to Microsoft Graph, under ‘API permissions‘.
Managed Identities
A Logic App will also have a Managed Identity, which is a system-assigned identity that a Logic App might use for authenticating with other things in a Resource Group. It’s essentially an Object (principal) ID, which is assigned permissions by Active Directory.
The configuration/profile for a Managed Identity can be viewed by selecting the ‘Identity‘ option in the Settings section for the Logic App. The Role-Based Access Control (RBAC) access policies for the Managed Identity can be viewed and modified under ‘Azure role assignments‘. In the case of the Logic App I’m looking at, it has the following:
- Storage Blob Data Contributor
- Key Vault Secrets User
Selecting one of these, Azure Portal will display the actions that can be performed with that role.
Key Vault
A component in a Resource Group might need to use an API key to make requests to an external service. This API key might be stored in a Key Vault (recommended), which the Logic App would need access to. I’ve covered Key Vaults before, and how access to them can be restricted to specific Managed Identities and IP address ranges.
Putting it all together, and accessing an external API
A Logic App I’m currently working on has a Managed Identity, which has ‘Key Vault Reader’ permissions. From the Key Vault, it reads a secret, which is used as the password for getting an OAuth2 token from Azure Active Directory. The request for this looks something like:
https://login.microsoftonline.com/@{parameters('TenantId')}/oauth2/v2.0/token
The OAuth token that’s returned authenticates the Logic App with an external API. The TenantID here is the App Registration for that service.
So, the sequence is:
- Get secret from the Key Vault
- Get OAuth2 token, using username/password authentication. The password for this is the secret from the Key Vault.
- Declare the OAuth2 token as an AuthenticationKey variable.
- The AuthenticationKey variable is used as a header value in external API requests.
An API request can be of the following format, in the Logic App’s code view:
"HTTP_Get_Data": {
"inputs": {
"headers": {
"Authorization": "@variables('AuthKey')"
},
"method": "GET",
"uri": "https://api.myservice.net/api/alldata/"
},
"runAfter": {
"Initialize_variable": [
"Succeeded"
]
},
"type": "Http"
}