Ensure that Spring Cloud App has system-assigned managed identity enabled

Azure managed identities automatically provision an identity for the Azure resource in Azure Active Directory. Because the app can then authenticate to any service that supports Azure AD authentication, it no longer needs to store credentials such as connection strings or service principal secrets in its configuration.

Risk Level: Medium
Cloud Entity: Spring Cloud
CloudGuard Rule ID: D9.AZU.IAM.33
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

SpringCloud should have apps contain-all [ identity.type='SystemAssigned' ]

REMEDIATION

From Portal

  1. Go to 'Azure Spring Cloud' and choose your Spring Cloud resource
  2. Under 'Settings', select 'Apps' on the navigation menu
  3. For each Spring Cloud app:
  4. Under 'Settings', select 'Identity' on the navigation menu
  5. Under the 'System assigned' tab, set 'Status' to 'On'
  6. Save

From TF
Set the identity 'type' argument to 'SystemAssigned':

resource "azurerm_spring_cloud_app" "example" {
	..
	identity {
		type = "SystemAssigned"
	}
	..
}

From Command Line
To enable system-assigned managed identity on an existing app, run:

az spring-cloud app identity assign --name APP-NAME --resource-group RESOURCE-GROUP --service SPRING-CLOUD-SERVICE
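The GSL logic above can be evaluated offline against the JSON that `az spring-cloud app list -o json` returns. The script below is an added example, not CloudGuard's or Azure's own code; it assumes that output is a list of app objects carrying `name` and an `identity` object with a `type` field (the sample input is constructed), and it prints the page's CLI remediation for every app that fails the predicate.

```python
"""Offline evaluation of CloudGuard rule D9.AZU.IAM.33:
SpringCloud should have apps contain-all [ identity.type='SystemAssigned' ]"""
import json

# Constructed sample modelled on `az spring-cloud app list -o json` output.
# Apps that have never had an identity assigned are assumed to report
# identity as null; one with an explicit type of "None" is included too.
SAMPLE_APP_LIST = json.dumps([
    {"name": "gateway", "identity": {"type": "SystemAssigned"}},
    {"name": "billing", "identity": None},
    {"name": "reports", "identity": {"type": "None"}},
])


def has_system_assigned(app: dict) -> bool:
    """Mirror the GSL predicate identity.type='SystemAssigned' (exact match)."""
    identity = app.get("identity") or {}  # tolerate a null identity block
    return identity.get("type") == "SystemAssigned"


def evaluate_rule(app_list_json: str) -> dict:
    """contain-all semantics: the service passes only if every app passes."""
    apps = json.loads(app_list_json)
    failing = [a["name"] for a in apps if not has_system_assigned(a)]
    return {"compliant": not failing, "failing_apps": failing}


def remediation_commands(failing_apps, resource_group, service):
    """Build the page's `az spring-cloud app identity assign` command per app."""
    return [
        f"az spring-cloud app identity assign --name {app} "
        f"--resource-group {resource_group} --service {service}"
        for app in failing_apps
    ]


if __name__ == "__main__":
    # rg-demo / svc-demo are placeholder names for the resource group and service
    verdict = evaluate_rule(SAMPLE_APP_LIST)
    print("compliant:", verdict["compliant"])
    for cmd in remediation_commands(verdict["failing_apps"], "rg-demo", "svc-demo"):
        print(cmd)
```

Pipe real CLI output into `evaluate_rule` to reproduce the rule's verdict before CloudGuard's next scan.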

References

  1. https://docs.microsoft.com/en-in/azure/spring-cloud/how-to-enable-system-assigned-managed-identity
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_app#identity

Spring Cloud

Azure Spring Cloud makes it easy to deploy Spring Boot applications to Azure without any code changes.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset