
@maskati
maskati / #user-assigned-identity-token.md
Created February 6, 2025 11:53
Acquire an access token for a user-assigned identity using PowerShell and an Azure Storage account

Acquire an access token for a user-assigned identity

Did you know that you can acquire an access token for an Azure user-assigned identity using PowerShell and an Azure Storage account? You can achieve this by hosting a minimal OpenID Provider and delegating trust via workload identity federation. This post will also help you better understand the technical details of how federated credentials work.

Note

This only gives you an access token. Network access controls on the target resource, or Entra Conditional Access policies for workload identities, may still block calls made with that token.

The process in brief:

  1. Create an RSA sign
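The full flow in PowerShell 7, as an added example that is not the gist's own script (the gist's step list is cut off above). The issuer URL, subject, tenant ID and client ID are placeholders. It assumes that the two JSON documents it writes are uploaded to a publicly readable container on the storage account at exactly the paths `$Issuer/.well-known/openid-configuration` and `$Issuer/.well-known/jwks.json`, and that a federated credential with the same issuer, subject and audience has been added to the user-assigned identity:

```powershell
# Added example (not the gist's code). All placeholders below are hypothetical.
$Issuer   = 'https://contoso.blob.core.windows.net/oidc'  # hypothetical: public blob container on the storage account
$Subject  = 'my-workload'                                 # must equal the federated credential's subject
$Audience = 'api://AzureADTokenExchange'                  # Entra default audience for federated credentials
$TenantId = '00000000-0000-0000-0000-000000000000'        # placeholder tenant ID
$ClientId = '11111111-1111-1111-1111-111111111111'        # placeholder: client ID of the user-assigned identity
$Scope    = 'https://management.azure.com/.default'

function ConvertTo-Base64Url([byte[]] $Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# 1. RSA signing key. The private half never leaves this session; only the
#    public parameters go into the JWKS published on the storage account.
$rsa    = [System.Security.Cryptography.RSA]::Create(2048)
$kid    = [guid]::NewGuid().ToString('N')
$public = $rsa.ExportParameters($false)

# 2. OpenID Provider metadata, to be served at $Issuer/.well-known/openid-configuration
$discovery = @{
    issuer                                = $Issuer
    jwks_uri                              = "$Issuer/.well-known/jwks.json"
    response_types_supported              = @('id_token')
    subject_types_supported               = @('public')
    id_token_signing_alg_values_supported = @('RS256')
} | ConvertTo-Json

# 3. JWKS, to be served at the jwks_uri above (public key only)
$jwks = @{
    keys = @(
        @{
            kty = 'RSA'; use = 'sig'; alg = 'RS256'; kid = $kid
            n   = ConvertTo-Base64Url $public.Modulus
            e   = ConvertTo-Base64Url $public.Exponent
        }
    )
} | ConvertTo-Json -Depth 4

# Upload both blobs with content type application/json (upload step omitted;
# any tool that can write to the container works, e.g. Set-AzStorageBlobContent).
Set-Content -Path 'openid-configuration' -Value $discovery
Set-Content -Path 'jwks.json'            -Value $jwks

# 4. Self-issue a JWT whose iss/sub/aud match the federated credential on the identity.
$now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header  = @{ alg = 'RS256'; typ = 'JWT'; kid = $kid } | ConvertTo-Json -Compress
$payload = @{
    iss = $Issuer; sub = $Subject; aud = $Audience
    iat = $now; nbf = $now; exp = $now + 300
    jti = [guid]::NewGuid().ToString()
} | ConvertTo-Json -Compress

$signingInput = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
                (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($payload)))
$signature = $rsa.SignData(
    [Text.Encoding]::UTF8.GetBytes($signingInput),
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = $signingInput + '.' + (ConvertTo-Base64Url $signature)

# 5. Exchange the assertion for an access token via the client credentials grant.
#    Entra fetches the discovery document and JWKS from $Issuer to verify the signature.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id             = $ClientId
        scope                 = $Scope
        grant_type            = 'client_credentials'
        client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
        client_assertion      = $assertion
    }
$tokenResponse.access_token
```

Two things worth checking before relying on this. Entra matches `iss`, `sub` and `aud` exactly against the federated credential and resolves `kid` through the published JWKS, so a typo in the issuer path or a stale JWKS blob fails the exchange with an invalid-assertion error rather than anything more descriptive. More importantly, anyone who can write to that container can replace the JWKS with their own key and mint tokens for the identity, so write access to the container is equivalent to holding the identity's credentials and should be scoped and audited accordingly.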
@maskati
maskati / #dotnet-remote-diagnostics.md
Created February 17, 2025 16:19
Diagnosing .NET applications remotely

Performing .NET diagnostics such as memory dumps and process tracing can be challenging in some scenarios, for example when running distroless containers which do not have an interactive shell. Fortunately .NET provides several options for performing remote diagnostics. The options differ somewhat in their capabilities.

| Tool | Description | Supports remote diagnostics |
| --- | --- | --- |
| diagnostic tools | Command line utilities, which connect to your .NET process to perform diagnostics. | Limited support. dotnet-counters and dotnet-trace support remote diagnostics with a shared diagnostic port socket (for example a shared /tmp for the default port). Currently other utilities such as dotnet-dump require a shared process namespace. T |
@maskati
maskati / #aad-b2c-hash.md
Last active March 20, 2025 08:57
Calculate the Azure AD B2C hash claims transformation locally using PowerShell

The Azure AD B2C hash claims transformation takes the following form:

```xml
<ClaimsTransformation Id="MyHashClaimsTransformation" TransformationMethod="Hash">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="myPlaintext" TransformationClaimType="plaintext" />
    <InputClaim ClaimTypeReferenceId="mySalt" TransformationClaimType="salt" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="randomizerSecret" DataType="string" Value="B2C_1A_MyRandomizerSecret" />
```
@maskati
maskati / #bicep-fast-lint.md
Created March 24, 2025 11:21
Faster linting of multiple Bicep files

Bicep v0.34.1 brings many great features to Bicep. One that I think is underrated, since it is not listed as a highlighted feature, is the new --pattern argument for faster batch operations on multiple files. Below is a comparison of a simulated lint of 100 Bicep files using a parallel invocation of bicep lint versus a single invocation of bicep lint --pattern. The difference is dramatic: pattern-based linting is 40 times faster in wall-clock time on a 4-core system and uses 261 times less CPU time. I typically lint all Bicep files in an IaC repository to ensure that module changes do not break upstream or downstream dependencies. This change lets you save CI runner resources and have your IaC PR checks complete faster.

```console
> docker run --rm -it alpine /bin/sh -c 'apk add -q --no-progress libstdc++ icu-libs icu-data-full parallel && wget
```
@maskati
maskati / #pls-directconnect.md
Last active October 21, 2025 14:28
Azure Private Link service Direct Connect

Until recently Azure Private Link has been restricted to specific Microsoft enabled resource types or your own Azure VM hosted resources.

A notable limitation has been the requirement for the destination to be a Standard Load Balancer with a backend pool configured by NIC. This excluded services such as VNet integrated Azure Container Instances, which do not support private endpoints and also do not provision a NIC in the VNet and therefore could only be routed by IP address.

Microsoft recently released in public preview Private Link Service [Direct Connect](https://learn.microsoft.com/en-us/azure/private-link/configur

@maskati
maskati / #canary.md
Last active November 5, 2025 14:46
Azure Network Canary

This Azure template deploys a low-interaction network honeypot VM that acts as a canary detection sensor. It monitors and logs all incoming TCP connection attempts (TCP SYN packets), providing early warning of network reconnaissance and attack activities.

The deployment creates a minimal B1ls VM (1 vCPU, 0.5GB RAM) running Azure Linux 3. This demo deployment also deploys a public IP address to demonstrate functionality based on Internet port scans. The VM is configured with cloud-init to use nftables to log TCP SYN packets to the systemd-journal. Journal SYN probe logs are continuously read, transformed and stored
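The SYN logging the template relies on, written out as an added example that is not the gist's own cloud-init or ruleset. It assumes nftables with the `log` statement writing to the kernel log, which systemd-journald collects as kernel messages; the rate limit and the loopback exclusion are my additions so that a fast port scan cannot flood the journal:

```nft
#!/usr/sbin/nft -f
# Added example (not the gist's ruleset). Logs every inbound TCP connection
# attempt (SYN set, ACK clear) to the kernel log with a fixed prefix, which
# journald picks up; the rate limit keeps a full-range scan from drowning it.
flush ruleset

table inet canary {
    chain input {
        type filter hook input priority 0; policy accept;

        # Do not log our own loopback traffic or packets of existing flows.
        iifname "lo" accept
        ct state established,related accept

        # New connection attempts only: SYN set and ACK clear.
        tcp flags & (syn | ack) == syn \
            limit rate 100/second burst 200 packets \
            log prefix "CANARY_SYN " level info
    }
}
```

With `policy accept` and no service listening, the kernel still answers each probe with a RST, so the sensor stays low-interaction while recording the attempt. The resulting kernel log lines carry the usual `IN=`, `SRC=`, `DST=`, `SPT=` and `DPT=` fields after the prefix, and `journalctl -k -g CANARY_SYN` is the quickest way to confirm the rule is firing before wiring up whatever reads, transforms and stores the journal entries.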