Ensure that Spring Cloud App has system-assigned managed identity enabled
A system-assigned managed identity gives the Azure resource its own identity in Azure Active Directory, created and managed automatically by Azure. This lets the application authenticate to any service that supports Azure AD authentication without storing credentials in code or configuration.
Risk Level: Medium
Cloud Entity: Spring Cloud
CloudGuard Rule ID: D9.AZU.IAM.33
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
SpringCloud should have apps contain-all [ identity.type='SystemAssigned' ]
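The GSL above passes only when every app in the service carries a system-assigned identity. As an added example (not CloudGuard's engine or Azure's own code), the script below evaluates that condition over a constructed app inventory whose shape follows what `az spring-cloud app list -o json` returns, assuming each app object has a `name` and either an `identity` object with a `type` or `identity: null`; the strict mode mirrors the rule's exact comparison, and the lenient mode (an assumption about how a combined identity should be read) also accepts 'SystemAssigned, UserAssigned'.

```python
"""Evaluate CloudGuard rule D9.AZU.IAM.33 over a Spring Cloud app inventory.

GSL:  SpringCloud should have apps contain-all [ identity.type='SystemAssigned' ]
Read as: the service is compliant only if EVERY app has a system-assigned identity.
"""
import json
from typing import Iterable, List

# Constructed sample inventory (not real CLI output); mirrors the assumed
# `az spring-cloud app list -o json` shape: name + identity{type} or null.
SAMPLE_APPS_JSON = """
[
  {"name": "gateway",   "identity": {"type": "SystemAssigned",
                                     "principalId": "00000000-0000-0000-0000-000000000001"}},
  {"name": "orders",    "identity": null},
  {"name": "payments",  "identity": {"type": "UserAssigned"}},
  {"name": "inventory", "identity": {"type": "SystemAssigned, UserAssigned"}}
]
"""


def has_system_assigned(app: dict, strict: bool = True) -> bool:
    """True if the app satisfies identity.type='SystemAssigned'.

    strict=True mirrors the GSL's exact string comparison.
    strict=False (assumption) also accepts a combined identity such as
    'SystemAssigned, UserAssigned', which still carries a system-assigned principal.
    """
    identity = app.get("identity") or {}          # identity may be null
    itype = identity.get("type") or ""
    if strict:
        return itype == "SystemAssigned"
    return "SystemAssigned" in {t.strip() for t in itype.split(",")}


def non_compliant_apps(apps: Iterable[dict], strict: bool = True) -> List[str]:
    """Names of apps failing the check; an empty list means the service passes."""
    return sorted(a["name"] for a in apps if not has_system_assigned(a, strict))


def service_compliant(apps: Iterable[dict], strict: bool = True) -> bool:
    """contain-all semantics: compliant only when no app fails."""
    return not non_compliant_apps(list(apps), strict)


if __name__ == "__main__":
    apps = json.loads(SAMPLE_APPS_JSON)
    print("strict  non-compliant:", non_compliant_apps(apps))
    print("lenient non-compliant:", non_compliant_apps(apps, strict=False))
```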
REMEDIATION
From Portal
- Go to 'Azure Spring Cloud' and choose your Spring Cloud resource
- Under 'Settings', select 'Apps' on the navigation menu
- For each Spring Cloud app:
- Under 'Settings', select 'Identity' on the navigation menu
- Under the 'System assigned' tab, set 'Status' to 'On'
- Save
From TF
Set the identity 'type' argument to 'SystemAssigned':
resource "azurerm_spring_cloud_app" "example" {
  ..
  identity {
    type = "SystemAssigned"
  }
  ..
}
From Command Line
To enable system-assigned managed identity on an existing app, run:
az spring-cloud app identity assign --name APP-NAME --resource-group RESOURCE-GROUP --service SPRING-CLOUD-SERVICE
References
- https://docs.microsoft.com/en-in/azure/spring-cloud/how-to-enable-system-assigned-managed-identity
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/spring_cloud_app#identity
Spring Cloud
Azure Spring Cloud makes it easy to deploy Spring Boot applications to Azure without any code changes.
Compliance Frameworks
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset
Updated about 1 year ago