
Keyless Authentication: The Future of Cloud Security

I wrote “Keyless Authentication: The Future of Cloud Security” to share practical, production-minded guidance on this topic.

The Keyless Architecture

┌─────────────────────────────────────────────────────┐
│                  No Stored Secrets                   │
├─────────────────────────────────────────────────────┤
│  Managed Identities    │  Workload Identity         │
│  (Azure Resources)     │  Federation (External)     │
├─────────────────────────────────────────────────────┤
│  Short-lived Tokens    │  Just-in-Time Access       │
└─────────────────────────────────────────────────────┘

Implementing Keyless in Azure

Service-to-Service Communication

using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Azure.Storage.Blobs;
using Microsoft.Data.SqlClient;

public class KeylessService
{
    // One credential object, reused: DefaultAzureCredential caches tokens
    // and refreshes them before they expire.
    private readonly DefaultAzureCredential _credential;

    public KeylessService()
    {
        // Single credential for all Azure services
        _credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            // Ignore AZURE_CLIENT_SECRET-style environment variables so a stray
            // secret cannot silently take precedence over the managed identity
            ExcludeEnvironmentCredential = true,
            ExcludeAzureCliCredential = false,  // For local development
            // Pin the user-assigned managed identity (or workload identity) client id
            ManagedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID")
        });
    }

    public async Task<string> GetSecretAsync(string vaultUri, string secretName)
    {
        var client = new SecretClient(new Uri(vaultUri), _credential);
        var secret = await client.GetSecretAsync(secretName);
        return secret.Value.Value;  // Response<KeyVaultSecret> -> KeyVaultSecret -> secret string
    }

    public Task<BlobContainerClient> GetBlobContainerAsync(string storageUri, string containerName)
    {
        // Nothing to await here: the client acquires its token lazily on first use
        var client = new BlobServiceClient(new Uri(storageUri), _credential);
        return Task.FromResult(client.GetBlobContainerClient(containerName));
    }

    public async Task<SqlConnection> GetDatabaseConnectionAsync(string server, string database)
    {
        // No user or password in the connection string; auth comes from the token below
        var connectionString = $"Server={server};Database={database};";
        var connection = new SqlConnection(connectionString);

        // Get a short-lived token scoped to Azure SQL Database
        var token = await _credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://database.windows.net/.default" }));

        connection.AccessToken = token.Token;
        return connection;
    }
}

Kubernetes Workload Identity

# kubernetes/deployment.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keyless-app-sa
  annotations:
    # Client id of the Entra ID application or user-assigned identity that
    # holds the federated credential for this service account
    azure.workload.identity/client-id: "$CLIENT_ID"
  labels:
    # Since Azure Workload Identity v1.0 the webhook reads this label from the
    # pod template rather than the ServiceAccount; label your pods as well
    azure.workload.identity/use: "true"
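What the ServiceAccount above buys you is a projected token that Entra ID will exchange for a short-lived access token, with no client secret anywhere. The following is an added example (not code from the original post) in Python rather than C#: it constructs a stand-in projected token, applies the same issuer, subject, audience and expiry checks that a federated credential configures, and builds the client-assertion request the workload identity client sends to the token endpoint. The issuer URL, tenant id and client id are placeholders.

```python
import base64
import hashlib
import hmac
import json

ISSUER = "https://oidc.example.invalid/cluster"  # placeholder for the AKS OIDC issuer URL
AUDIENCE = "api://AzureADTokenExchange"          # audience Entra ID expects on the assertion

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Read JWT claims without verifying the signature (Entra ID verifies it)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def make_sample_token(namespace: str, sa_name: str, lifetime: int, now: int) -> str:
    """Constructed stand-in for the projected token: HS256 with a throwaway key (real ones are RS256-signed by the cluster)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({
        "iss": ISSUER, "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "aud": [AUDIENCE], "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(b"demo-key", f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def federation_problems(token: str, namespace: str, sa_name: str, now: int) -> list:
    """Mirror the checks a federated credential configures: issuer, subject,
    audience, expiry. An empty list means the token would be accepted for exchange."""
    c = decode_claims(token)
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    checks = {
        "issuer": c.get("iss") == ISSUER,
        "subject": c.get("sub") == f"system:serviceaccount:{namespace}:{sa_name}",
        "audience": AUDIENCE in aud,
        "expiry": c.get("exp", 0) > now,
    }
    return [name for name, ok in checks.items() if not ok]

def exchange_request(tenant_id: str, client_id: str, assertion: str, scope: str) -> dict:
    """Form body POSTed to the Entra token endpoint; the reply is the short-lived access token."""
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "body": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": assertion,
            "scope": scope,
        },
    }
```

Because the subject is bound to `system:serviceaccount:<namespace>:<name>`, a token stolen from a pod in another namespace fails the subject check at the identity provider, which is the property that makes the annotation on the ServiceAccount safe to publish.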
Michael John Peña

Senior Data Engineer based in Sydney. Writing about data, cloud, and technology.