Share a single identity across resources using user-assigned managed identity in Azure IoT Hub

Published 05-11-2021 11:00 AM
Microsoft

Azure support for user-assigned managed identity is now generally available! With today’s release, you can now use the user-assigned managed identity to connect your hubs to resources that support Azure Active Directory (Azure AD) authentication.


There are two different types of managed identities: system-assigned and user-assigned managed identity. In IoT Hub, managed identities can be used for egress connectivity from IoT Hub to Azure blob storage, event hub and service bus resources for message routing, file upload, and bulk device import/export. IoT Hub already supports system-assigned managed identity, and now we are adding support for user-assigned managed identity as well.

  • User-assigned managed identity. It is created as a standalone resource and can be shared across Azure resources and instances. For example, if there are multiple IoT Hubs that require the same access permissions to a storage account, you can create a single user-assigned managed identity, use the RBAC role assignment to control the identity’s access and add this identity to multiple IoT Hubs. In this way, you no longer need to manage multiple identities for different IoT Hubs. In addition, user-assigned managed identity has its own independent life cycle. If one of your IoT Hubs is recycled, the identity remains unchanged and permissions stay consistent.
  • System-assigned managed identity. Unlike user-assigned managed identity, system-assigned managed identity is tied to your IoT Hub instance. Therefore, the system-assigned managed identity cannot be shared across different hubs, and it shares its lifecycle with the associated hub instance. System-assigned managed identity can be used when your hub requires an independent identity.

Both system-assigned and user-assigned managed identity come with the common benefits of using managed identities:

  • You don’t need to manage secret keys.
  • You can use managed identities to authenticate to any resource that supports Azure Active Directory (Azure AD) authentication.
  • Managed identities can be used without additional charge.

With the support for both system-assigned and user-assigned managed identity in IoT Hub, you’re able to select different types based on your scenarios and requirements.


Getting started

To get started, create a user-assigned managed identity as a standalone resource and add the identity to your IoT Hub. Instructions and samples are published on our documentation page IoT Hub support for managed identities.
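The following script is an added example, not code from the original post or from the IoT Hub documentation. It carries out the flow described above and in the bullets on the two identity types: create one standalone user-assigned identity, grant it a data-plane role on a storage account scoped to that one account, and then attach the same identity to several IoT Hubs, so that a hub being recycled never changes the identity or its permissions. All resource names and the subscription ID are placeholders; the built-in role names are the Azure data-plane roles for the three egress targets the post lists (blob storage, Event Hubs, Service Bus), and which role fits which target is this example's mapping. The script prints the `az` commands by default and only executes them when run with `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): one user-assigned managed identity
# shared by several IoT Hubs, with a least-privilege RBAC assignment on the
# storage account. All names below are placeholders; replace them before use.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-iot-example}"                           # placeholder
IDENTITY_NAME="${IDENTITY_NAME:-uami-iothub-egress}"                         # placeholder
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stiotexample}"                           # placeholder
HUBS="${HUBS:-hub-prod-eu hub-prod-us}"                                      # placeholder, space-separated
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; DRY_RUN=0 executes them

# ARM resource ID of the user-assigned identity (what `az iot hub identity assign` expects).
uami_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s' "$1" "$2" "$3"
}

# ARM resource ID of the storage account: the RBAC scope. Scoping to the single
# account, not the resource group or subscription, keeps the grant minimal.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# Data-plane built-in role for each egress target type the post lists. These are
# sender/contributor roles on the data plane only; no control-plane rights are granted.
role_for_target() {
  case "$1" in
    storage)    echo "Storage Blob Data Contributor" ;;
    eventhub)   echo "Azure Event Hubs Data Sender" ;;
    servicebus) echo "Azure Service Bus Data Sender" ;;
    *)          echo "unknown target type: $1" >&2; return 1 ;;
  esac
}

# Print or execute a command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

provision() {
  # 1. One standalone identity, created once and reused by every hub.
  run az identity create --resource-group "$RESOURCE_GROUP" --name "$IDENTITY_NAME"
  uami_id=$(uami_resource_id "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$IDENTITY_NAME")

  # The role assignment targets the identity's service principal (principalId).
  if [ "$DRY_RUN" = "1" ]; then
    principal_id="<principalId>"   # placeholder in dry-run mode
  else
    principal_id=$(az identity show --ids "$uami_id" --query principalId -o tsv)
  fi

  # 2. One RBAC assignment on the storage account; hubs inherit it by using the identity.
  run az role assignment create \
      --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal \
      --role "$(role_for_target storage)" \
      --scope "$(storage_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")"

  # 3. Attach the same identity to every hub; nothing per-hub to rotate or clean up.
  for hub in $HUBS; do
    run az iot hub identity assign --name "$hub" --resource-group "$RESOURCE_GROUP" \
        --user-assigned "$uami_id"
  done
}

provision
```

Run it once without arguments to review the generated commands, then with `DRY_RUN=0` and real names to apply them. Note that the role is granted to the identity, not to any hub: adding a third hub later is a single `az iot hub identity assign`, and deleting a hub leaves the identity and its assignment in place, which is exactly the lifecycle independence described above.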

Last update: May 10 2021 12:04 AM