Using azure-native managedidentity with cdn
In Azure, when integrating an Azure CDN (Content Delivery Network) with Managed Identities, what we're usually trying to achieve is to give the CDN a secure identity that it can use for accessing other Azure resources. Managed Identities allow an Azure service to authenticate to cloud services without storing credentials in code. This is also known as a Managed Service Identity (MSI).
Azure CDN can use a Managed Identity to securely access blobs in an Azure Blob Storage container, for instance, without having to store access keys or hand out shared access signatures, both of which are secrets that can leak.
Below I will show you how you can set up an Azure CDN using `azure-native` resources, including setting up a Managed Identity and assigning it to the CDN. We will use `Profile` to create a CDN profile, `Endpoint` to create the CDN endpoint, and we will integrate the Managed Identity (`Identity`) with these resources. Here is a step-by-step guide and the Pulumi program written in TypeScript:
- Profile Creation: A CDN profile is a collection of CDN endpoints and is the top-level resource for the CDN service. We create one as the first step.
- Managed Identity: We'll enable a system-assigned Managed Identity on the profile, which will be used by our CDN. This identity authenticates against other Azure services when needed.
- Endpoint Configuration: After setting up the profile and the identity, we'll set up a CDN endpoint that serves content from a specified origin, such as a storage account or an Azure Web App.
- Associating Managed Identity: Lastly, the endpoint is created under the profile that carries the identity, so the CDN uses that identity when it talks to other Azure services.
Let's get started with the Pulumi TypeScript program:
```typescript
import * as cdn from "@pulumi/azure-native/cdn";
import * as resources from "@pulumi/azure-native/resources";

// Create a resource group
const resourceGroup = new resources.ResourceGroup("resourceGroup");

// Create a new CDN Profile with a system-assigned managed identity.
// The profile is the top-level CDN resource; the identity is enabled here
// so that every endpoint under it can use it.
const cdnProfile = new cdn.Profile("cdnProfile", {
    resourceGroupName: resourceGroup.name,
    sku: {
        name: "Standard_Microsoft", // You can choose a different SKU based on your requirement
    },
    location: "global", // CDN profiles are global resources
    identity: {
        type: "SystemAssigned",
    },
});

// Create a new CDN Endpoint
const cdnEndpoint = new cdn.Endpoint("cdnEndpoint", {
    location: "WestUS", // Endpoints have specific locations
    profileName: cdnProfile.name,
    resourceGroupName: resourceGroup.name,
    // The endpoint needs the origin details where your content is stored.
    // This could be a storage account, a web app, or any publicly accessible server.
    // Assuming you have a storage account set up, you will use the URL of the storage account here.
    origins: [{
        name: "cdnOrigin", // Name for the origin
        hostName: "your-storage-account.blob.core.windows.net",
        httpPort: 80,
        httpsPort: 443,
    }],
});

// Exporting the hostname of the CDN Endpoint
export const cdnEndpointHostName = cdnEndpoint.hostName;
```
In this program:
- We import the required modules from the Pulumi Azure Native package.
- We create a Resource Group, which is a container that holds related resources for an Azure solution.
- We then define a CDN profile using `cdn.Profile`. The SKU `Standard_Microsoft` is specified, but you can change it depending on your requirements.
- With `cdn.Profile`, we enable a system-assigned Managed Identity. This allows your CDN to authenticate with other cloud services that support Azure AD authentication.
- Next, we create a CDN endpoint using `cdn.Endpoint`. The endpoint takes an origin, which is the location of the content that the CDN will distribute. You would replace `your-storage-account.blob.core.windows.net` with the actual hostname of your storage account or origin server.
- Finally, we export the hostname of the CDN endpoint, which will be the URL used to access your content through the CDN.
After deploying this program with Pulumi, the Azure CDN will be configured with a system-assigned Managed Identity. You would then grant this identity the permissions it needs on the resources it accesses, for example by assigning it an Azure Role-Based Access Control (RBAC) role on the storage account, or by configuring the storage account to grant access to this identity.
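As an added example (not part of the original Pulumi program), the helpers below build the inputs for the RBAC step: a read-only `Storage Blob Data Reader` assignment for the CDN identity, scoped to one storage account or one container rather than the subscription. `blobScope` and `blobReaderAssignment` are hypothetical names; the subscription, resource group, account and principal values in the comments are constructed placeholders.

```typescript
// Built-in role "Storage Blob Data Reader" (GUID from Azure's built-in role
// definitions; confirm with `az role definition list --name "Storage Blob Data Reader"`).
export const STORAGE_BLOB_DATA_READER = "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1";

// Shape of the inputs an azure-native `authorization.RoleAssignment` expects.
export interface RoleAssignmentSpec {
  scope: string;                     // ARM resource ID the role applies to
  roleDefinitionId: string;          // full ARM ID of the built-in role definition
  principalId: string;               // object ID of the managed identity
  principalType: "ServicePrincipal"; // set explicitly so a freshly created identity is accepted
}

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Hypothetical helper: ARM scope for a storage account, narrowed to one
// container when a container name is given (basic name validation only).
export function blobScope(subscriptionId: string, resourceGroup: string,
                          storageAccount: string, container?: string): string {
  if (!GUID.test(subscriptionId)) throw new Error("subscriptionId must be a GUID");
  if (!/^[a-z0-9]{3,24}$/.test(storageAccount)) throw new Error("invalid storage account name");
  let scope = `/subscriptions/${subscriptionId}/resourceGroups/${resourceGroup}` +
              `/providers/Microsoft.Storage/storageAccounts/${storageAccount}`;
  if (container !== undefined) {
    if (!/^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/.test(container)) throw new Error("invalid container name");
    scope += `/blobServices/default/containers/${container}`;
  }
  return scope;
}

// Hypothetical helper: least-privilege assignment for the CDN identity.
// Refuses anything broader than a storage account, so a typo cannot grant
// the identity read access to every blob in the subscription.
export function blobReaderAssignment(principalId: string, scope: string): RoleAssignmentSpec {
  if (!GUID.test(principalId)) throw new Error("principalId must be the identity's object ID (GUID)");
  if (!scope.includes("/providers/Microsoft.Storage/storageAccounts/")) {
    throw new Error("refusing to assign at subscription or resource-group scope");
  }
  const subscriptionId = scope.split("/")[2]; // "/subscriptions/<id>/..."
  return {
    scope,
    roleDefinitionId: `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${STORAGE_BLOB_DATA_READER}`,
    principalId,
    principalType: "ServicePrincipal",
  };
}
```

In the Pulumi program, the returned object is what you pass to `new authorization.RoleAssignment(...)` from `@pulumi/azure-native/authorization`, with `principalId` taken from the profile output `cdnProfile.identity.apply(i => i?.principalId)`.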