
Azure Entra ID Model (Zero Trust)

Azure Entra ID - Modern Identity Model (Zero Trust)

Illustrating the use of User-Assigned Managed Identities (UAMI) and Workload Identity Federation (OIDC) for credential-less access, aligned with Zero Trust principles.

Microsoft Entra ID Tenant

Central identity provider managing users, groups, and modern workload identities.

  • Users and Groups: Standard users and administrative groups (e.g., "AKS Admins"). Access governed by PIM.
  • Workload Identities (Credential-less): Managed identities for Azure resources and federated identities for external systems.
    • CI/CD Pipeline Identity (OIDC / WIF)
      • azdo-oidc-platform: Federated identity for the Azure DevOps pipeline deploying Platform resources. Trusts AzDO OIDC tokens.
      • azdo-oidc-nonprod: Federated identity for deploying Non-Prod resources (Dev, QA).
      • azdo-oidc-prod: Federated identity for deploying Prod resources.
    • Application Workload Identities (UAMI)
      • uami-prod-api-workload: Managed Identity assigned to Prod AKS pods needing Key Vault access.
      • uami-qa-api-workload: Managed Identity for QA workloads.
      • uami-dev-api-workload: Managed Identity for Dev workloads.
      • uami-prod-appgw: Managed Identity assigned to the Prod App Gateway for accessing Key Vault SSL certificates.

RBAC Assignment Strategy

Applying least privilege using modern identities.

  • CI/CD Pipeline (OIDC / WIF): Roles assigned directly to the Service Principal associated with the OIDC Federated Credential (managed in the Azure Portal/CLI, not in Terraform state).
    • `azdo-oidc-prod` needs: Contributor / AKS Cluster Admin on the Prod Subscription, AcrPush on the Prod ACR.
    • `azdo-oidc-nonprod` needs: Contributor on the Dev/QA Subscriptions.
    • `azdo-oidc-platform` needs: Contributor on the Connectivity Subscription, Contributor on the Platform Management Group.
  • Application Workloads (UAMI): Roles assigned via the Terraform `rbac` module, referencing the UAMI `principal_id`.
    • `uami-prod-api-workload` assigned "Key Vault Secrets User" on `kv-prod-secrets`.
    • `uami-qa-api-workload` assigned "Key Vault Secrets User" on the QA Key Vault.
  • Infrastructure Services (UAMI): Roles assigned via Terraform or the Portal/CLI.
    • `uami-prod-appgw` assigned "Key Vault Secrets User" on `kv-prod-secrets`.
  • Human Administrators: Roles assigned to Entra ID Groups, eligible via PIM.

The Terraform `rbac` module assigns roles primarily to UAMIs; OIDC service principal roles are managed outside Terraform state.

Key Principles & Notes

  • Eliminate Static Secrets: OIDC for pipelines and UAMI for Azure workloads remove the need for managing client secrets or certificates.
  • Least Privilege: Identities are granted only the necessary roles on specific scopes (resource, resource group, subscription).
  • Declarative RBAC (for UAMI): UAMI creation and role assignments are managed within Terraform state, ensuring infrastructure and identity permissions evolve together.
  • External RBAC (for OIDC): Role assignments for OIDC service principals are configured once in Entra ID, decoupling pipeline permissions from the Terraform codebase.
  • PIM for Admins: Human administrative access uses Just-in-Time elevation via Entra ID PIM.
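The UAMI path from the RBAC Assignment Strategy and the "Declarative RBAC" principle above, as an added Terraform example that is not part of the original post: the identity, its scoped role assignment, and the federated credential that lets a Prod AKS pod use it (AKS workload identity is assumed as the pod binding mechanism; the resource group, cluster, namespace and service-account names are placeholders).

```hcl
# Added example, not from the original post. Assumes an existing resource
# group, the Key Vault "kv-prod-secrets" with Azure RBAC authorization
# enabled, and an AKS cluster with its OIDC issuer enabled.

data "azurerm_key_vault" "prod" {
  name                = "kv-prod-secrets"
  resource_group_name = var.prod_resource_group
}

data "azurerm_kubernetes_cluster" "prod" {
  name                = var.prod_aks_name
  resource_group_name = var.prod_resource_group
}

# Credential-less identity: no client secret or certificate is ever issued.
resource "azurerm_user_assigned_identity" "prod_api" {
  name                = "uami-prod-api-workload"
  location            = var.location
  resource_group_name = var.prod_resource_group
}

# Least privilege: data-plane read of secrets only, scoped to a single vault.
# principal_type avoids a spurious "principal not found" on a freshly created
# identity that the directory has not finished replicating yet.
resource "azurerm_role_assignment" "prod_api_kv_secrets_user" {
  scope                = data.azurerm_key_vault.prod.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.prod_api.principal_id
  principal_type       = "ServicePrincipal"
}

# Trust is pinned to one Kubernetes service account via the cluster's OIDC
# issuer: only a pod running as prod/api-workload (placeholder names) can
# exchange its projected token for an Entra token for this identity.
resource "azurerm_federated_identity_credential" "prod_api_aks" {
  name                = "aks-prod-api-workload"
  resource_group_name = var.prod_resource_group
  parent_id           = azurerm_user_assigned_identity.prod_api.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = data.azurerm_kubernetes_cluster.prod.oidc_issuer_url
  subject             = "system:serviceaccount:prod:api-workload"
}

output "prod_api_client_id" {
  description = "Client ID for the azure.workload.identity/client-id annotation."
  value       = azurerm_user_assigned_identity.prod_api.client_id
}
```

Because the vault, the identity and the role assignment live in the same Terraform state, removing the workload from code also removes its permission, which is the "evolve together" property the principle describes.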
