I keep reading about how Azure Managed Identities are the way to go to secure access to Azure resources, and i totally get the convenience and level of security they offer. But i often worry that at the same time they leave open the possibility that any vulnerability to any application that is running within my resource can then leverage that identity to do things that i may not want it to do, not just the application i want to give access to that resource.
This method of securing things while convenient has always felt awkward. Its like if i need to give a friend of mine access to my apartment to watch my dog while im on vacation, instead of giving my friend my keys i instead just slip the keys through the mail slot and they have 4 other roommates. (lets pretend that these keys are soul-bound to everyone that lives there and cannot be stolen)
Is it possible to combine both Managed Identities with traditional credentials to consume resources?
A specific example might be, i have a JAVA spring based application that consumes Azure Database for MySQL that i have deployed into a Kubernetes environment. I am using a sidecar container with NGINX to provide external HTTP access to that application. Using a pod-managed identity here implies to me that both the JAVA application and NGINX will have access to the database, when i only want my application to be the one that has access. Certainly there are other architectural approaches that i could take in this example but more trying to outline my concerns with managed identities alone.