Fix 1755

[ItalyPaleAle]

Thank you for helping make the Dapr documentation better!

Please follow this checklist before submitting:

• Read the contribution guide
• Commands include options for Linux, MacOS, and Windows within codetabs
• New file and folder names are globally unique
• Page references use shortcodes instead of markdown or URL links
• N/A Images use HTML style and have alternative text
• Places where multiple code/command options are given have codetabs

Description

This PR addresses #1755.

As of writing, this is still a WIP:

• Create a page that explains how to authenticate with Azure AD
• Update the Azure Key Vault page
• Deprecate the old Azure Key Vault w/ MSI page
• Update the page for Azure Storage as state store

Issue reference

#1755

[ItalyPaleAle]

@orizohar @berndverst Here's the first work on the docs as discussed in #1755

It's my first contribution to the Dapr docs and it's a fairly large one, so even before I write the docs for the last component, your help as reviewers would be highly appreciated, to ensure that I've followed the right style.

Some of these things aren't super easy to explain, including all of the Azure AD parts... I've tried to clean up the AKV docs which were mixing concepts related to AKV and some related to AAD.

The result is less like a straightforward "do 1, 2, 3 and you're done", but it offers better security (using az ad sp create-for-rbac as was recommended before creates a SP that has access to manage EVERY resource in the Azure subscription - and that's even useless for Dapr since we need data plane access) and more flexibility because the same SP can be used for multiple Azure components.

Also, cc @cmatskas to keep me accountable and make sure I've documented AAD topics correctly

[cmatskas]

Small feedback but overall it looks great

[cmatskas]

Azure Active Directory

[ItalyPaleAle]

No in this case it should be "Azure" because it's for components authenticating with Azure. Also, for symmetry with the AWS one: https://docs.dapr.io/developing-applications/integrations/cloud-providers/

[cmatskas]

Azure Arc - joined devices also provide support for Managed Identities so the solution doesn't have to run on Azure to benefit from this security feature.

[ItalyPaleAle]

I don't know if Dapr supports Arc at this time. @berndverst and I were talking about that but there may be other issues with Arc...

[cmatskas]

You can oversimplify this by using the az ad sp create-for-rbac --role Contributor --scopes <optional>

[cmatskas]

Does Dapr still need an App Registration to authenticate to AAD? if that's the case, ignore above comment.

[ItalyPaleAle]

Yes Dapr does need the App Registration to authenticate with AAD. I also would prefer not using the short-hand comment because the SP doesn't need any access at the entire subscription level.

[cmatskas]

you can pass the scope you want during the creation of the SP using the --scopes parameter

[ItalyPaleAle]

See my comment above. The SP shouldn't have any access at the subscription level, it only needs data plane access and that should be granted at the resource level (for the principle of the least privileges)

[orizohar]

@orizohar @berndverst Here's the first work on the docs as discussed in #1755

It's my first contribution to the Dapr docs and it's a fairly large one, so even before I write the docs for the last component, your help as reviewers would be highly appreciated, to ensure that I've followed the right style.

Some of these things aren't super easy to explain, including all of the Azure AD parts... I've tried to clean up the AKV docs which were mixing concepts related to AKV and some related to AAD.

The result is less like a straightforward "do 1, 2, 3 and you're done", but it offers better security (using az ad sp create-for-rbac as was recommended before creates a SP that has access to manage EVERY resource in the Azure subscription - and that's even useless for Dapr since we need data plane access) and more flexibility because the same SP can be used for multiple Azure components.

Also, cc @cmatskas to keep me accountable and make sure I've documented AAD topics correctly

Thanks for working on this. If you haven't yet you can see the docs contribution guidelines here. Also, where it makes sense it is okay to not go too deep with explaining Azure and just linking to Azure docs

[ItalyPaleAle]

I've updated the Azure Blob Storage doc too. PR is complete and ready for your review.