|
| 1 | +--- |
| 2 | +title: Use managed identities for Azure CDN to access Azure Key Vault certificates |
| 3 | +titleSuffix: Azure CDN |
| 4 | +description: This article shows you how to set up managed identities with Azure CDN to access certificates in an Azure Key Vault. |
| 5 | +services: networking |
| 6 | +author: duongau |
| 7 | +ms.service: azure-cdn |
| 8 | +ms.topic: conceptual |
| 9 | +ms.date: 03/18/2024 |
| 10 | +ms.author: duau |
| 11 | +--- |
| 12 | + |
| 13 | +# Use managed identities for Azure CDN to access Azure Key Vault certificates |
| 14 | + |
| 15 | +A managed identity generated by Microsoft Entra ID allows your Azure Content Delivery Network (CDN) instance to easily and securely access other Microsoft Entra protected resources, such as Azure Key Vault. Azure manages the identity resource, so you don't have to create or rotate any secrets. For more information about managed identities, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). |
| 16 | + |
| 17 | +Once you enable managed identity for Azure Front Door and grant proper permissions to access your Azure Key Vault, Front Door only uses managed identity to access the certificates. If you don't **add the managed identity permission to your Key Vault**, custom certificate autorotation and adding new certificates fails without permissions to Key Vault. If you disable managed identity, Azure Front Door falls back to using the original configured Microsoft Entra App. This solution isn't recommended and will be retired in the future. |
| 18 | + |
| 19 | +You can grant two types of identities to an Azure Front Door profile: |
| 20 | + |
| 21 | +* A **system-assigned** identity is tied to your service and is deleted if your service is deleted. The service can have only **one** system-assigned identity. |
| 22 | + |
| 23 | +* A **user-assigned** identity is a standalone Azure resource that can be assigned to your service. The service can have **multiple** user-assigned identities. |
| 24 | + |
| 25 | +Managed identities are specific to the Microsoft Entra tenant where your Azure subscription is hosted. They don't get updated if a subscription gets moved to a different directory. If a subscription gets moved, you need to recreate and reconfigure the identity. |
| 26 | + |
| 27 | + |
| 28 | +## Prerequisites |
| 29 | + |
| 30 | +Before you can set up managed identity for Azure Front Door, you must have an Azure Front Door Standard or Premium profile created. To create a new Front Door profile, see [create an Azure CDN profile](../cdn/cdn-create-new-endpoint.md). |
| 31 | + |
| 32 | +## Enable managed identity |
| 33 | + |
| 34 | +1. Go to an existing Azure CDN profile. Select **Identity** from under **Settings** on the left side menu pane. |
| 35 | + |
| 36 | + :::image type="content" source="./media/managed-identity/overview.png" alt-text="Screenshot of the identity button under settings for a CDN profile."::: |
| 37 | + |
| 38 | +1. Select either a **System assigned** or a **User assigned** managed identity. |
| 39 | + |
| 40 | + * **[System assigned](#system-assigned)** - a managed identity is created for the Azure CDN profile lifecycle and is used to access Azure Key Vault. |
| 41 | + |
| 42 | + * **[User assigned](#user-assigned)** - a standalone managed identity resource is used to authenticate to Azure Key Vault and has its own lifecycle. |
| 43 | + |
| 44 | + ### System assigned |
| 45 | + |
| 46 | + 1. Toggle the *Status* to **On** and then select **Save**. |
| 47 | + |
| 48 | + :::image type="content" source="./media/managed-identity/system-assigned.png" alt-text="Screenshot of the system assigned managed identity configuration page."::: |
| 49 | + |
| 50 | + 1. You're prompted with a message to confirm that you would like to create a system managed identity for your Front Door profile. Select **Yes** to confirm. |
| 51 | + |
| 52 | + :::image type="content" source="./media/managed-identity/system-assigned-confirm.png" alt-text="Screenshot of the system assigned managed identity confirmation message."::: |
| 53 | + |
| 54 | + 1. Once the system assigned managed identity gets created and registered with Microsoft Entra ID, you can use the **Object (principal) ID** to grant Azure CDN access to your Azure Key Vault. |
| 55 | + |
| 56 | + :::image type="content" source="./media/managed-identity/system-assigned-created.png" alt-text="Screenshot of the system assigned managed identity registered with Microsoft Entra ID."::: |
| 57 | + |
| 58 | + ### User assigned |
| 59 | + |
| 60 | + You must already have a user managed identity created. To create a new identity, see [create a user assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). |
| 61 | + |
| 62 | + 1. In the **User assigned** tab, select **+ Add** to add a user assigned managed identity. |
| 63 | + |
| 64 | + :::image type="content" source="./media/managed-identity/user-assigned.png" alt-text="Screenshot of the user assigned managed identity configuration page."::: |
| 65 | + |
| 66 | + 1. Search and select the user assigned manage identity. Then select **Add** to add the user managed identity to the Azure CDN profile. |
| 67 | + |
| 68 | + :::image type="content" source="./media/managed-identity/add-user-managed-identity.png" alt-text="Screenshot of the add a user assigned managed identity page."::: |
| 69 | + |
| 70 | + 1. You see the name of the user assigned managed identity you selected show in the Azure CDN profile. |
| 71 | + |
| 72 | + :::image type="content" source="./media/managed-identity/user-assigned-configured.png" alt-text="Screenshot of the add a user assigned managed identity added to an Azure CDN profile."::: |
| 73 | + |
| 74 | +## Configure Key Vault access policy |
| 75 | + |
| 76 | +1. Navigate to your Azure Key Vault. Select **Access policies** from under *Settings* and then select **+ Create**. |
| 77 | + |
| 78 | + :::image type="content" source="./media/managed-identity/access-policies.png" alt-text="Screenshot of the access policies page for a Key Vault."::: |
| 79 | + |
| 80 | +1. On the **Permissions** tab of the *Create an access policy* page, select **List** and **Get** for *Secret permissions*. Then select **Next** to configure the principal tab. |
| 81 | + |
| 82 | + :::image type="content" source="./media/managed-identity/permissions.png" alt-text="Screenshot of the permissions tab for the Key Vault access policy."::: |
| 83 | + |
| 84 | +1. On the *Principal* tab, paste the **object (principal) ID** if you're using a system managed identity or enter a **name** if you're using a user assigned manged identity. Then select **Review + create** tab. The *Application* tab is skipped since Azure Front Door gets selected for you already. |
| 85 | + |
| 86 | + :::image type="content" source="./media/managed-identity/system-principal.png" alt-text="Screenshot of the principal tab for the Key Vault access policy."::: |
| 87 | + |
| 88 | +1. Review the access policy settings and then select **Create** to set up the access policy. |
| 89 | + |
| 90 | + :::image type="content" source="./media/managed-identity/create.png" alt-text="Screenshot of the review and create tab for the Key Vault access policy."::: |
| 91 | + |
| 92 | +## Next steps |
| 93 | + |
| 94 | +- Learn how to [redirect users to HTTPS with Standard rules engine](cdn-standard-rules-engine.md) |
0 commit comments