Azure Managed Identity (formerly known as Managed Service Identity (MSI)) has come a long way, from being an unstable toggle to ensuring a solid mutual trust between Azure resources using Azure Active Directory as the Identity Provider.

There are two types of managed identities:

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that’s trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it’s enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.

A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that’s trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it’s assigned.

Ref: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/

In this blog post, I'm going to explain how you can run Azure CLI from within a VM using the VM's own system-assigned managed identity. This allows for scenarios such as performing CRUD operations on Azure resources from the VM itself.

Example scenarios include:

  • Attaching/detaching IP addresses to the VM itself.
  • Mounting/unmounting storage on demand.

Also, this method does not require passing explicit secrets to the VM to authenticate, as the credentials are managed by Azure itself.

  1. Let's log in to Azure and select the subscription in which you want the resources to be created.
az login
# Insert your subscription_id below
_subscription_id='00000000-0000-0000-0000-000000000000'
az account set --subscription $_subscription_id

  2. Create our resource group in Sydney (australiaeast).
az group create --name myResourceGroup --location australiaeast

  3. Create our Linux VM with system-assigned managed identity enabled, with the role and its scope (Contributor on the resource group) also defined.
az vm create --resource-group myResourceGroup --name myVM --image UbuntuLTS --admin-username azureuser --generate-ssh-keys --assign-identity --location australiaeast --scope "/subscriptions/${_subscription_id}/resourcegroups/myResourceGroup" --role contributor

  4. Install Azure CLI on the VM (via the Custom Script Extension).
az vm extension set --resource-group myResourceGroup --vm-name myVM --name customscript --publisher Microsoft.Azure.Extensions --settings '{"commandToExecute": "curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash"}'

  5. Get the VM's current public IP.
_public_ip=$(az vm list-ip-addresses -g myResourceGroup -n myVM --query "[].virtualMachine.network.publicIpAddresses[0].ipAddress" --output tsv)

  6. Log in to the VM.
ssh azureuser@${_public_ip}

  7. From the VM, run the command below to log in with the managed identity (it's always possible to use the Custom Script Extension to run more commands at VM creation).
az login --identity

[Image: managed-identity-login-azure-vm.png]

  8. Clean up after we're done.
az group delete --name myResourceGroup --yes
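What makes step 7 work without any secret on the VM is the Azure Instance Metadata Service (IMDS): `az login --identity` asks the link-local endpoint 169.254.169.254 for an access token, and Azure issues one for the VM's system-assigned identity. The script below is an added example (not code from the original post) that fetches such a token the same way and then inspects it, so you can confirm which principal the VM is acting as (the `oid` claim, the value to audit with `az role assignment list --assignee`), for which audience, and until when. The IMDS URL and `api-version` are the documented ones; the function names are my own, and `make_fake_token` builds a constructed, unsigned token so the checks run offline without an Azure VM.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Shows what `az login --identity`
# relies on: the VM asks the Azure Instance Metadata Service (IMDS) for a token,
# and that token tells you exactly which identity the VM is acting as.
# IMDS endpoint and API version are the documented ones; the token built by
# make_fake_token is a constructed, unsigned stand-in so the script runs offline.

IMDS_TOKEN_URL='http://169.254.169.254/metadata/identity/oauth2/token'
IMDS_API_VERSION='2018-02-01'

# Request a token for a resource (default: Azure Resource Manager) from IMDS.
# Works only inside an Azure VM with a managed identity; the Metadata header
# is mandatory and IMDS is not reachable from outside the VM.
imds_get_token() {
  local resource="${1:-https://management.azure.com/}"
  curl -s -H 'Metadata: true' \
    "${IMDS_TOKEN_URL}?api-version=${IMDS_API_VERSION}&resource=${resource}"
}

# Pull the access_token field out of the IMDS JSON response (read from stdin).
imds_access_token() {
  sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# base64url-encode / -decode one JWT segment.
jwt_segment_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | sed 's#/#_#g; s/+/-/g'
}
jwt_segment_decode() {
  local seg="$1"
  local pad=$(( (4 - ${#seg} % 4) % 4 ))
  seg="${seg}$(printf '%*s' "$pad" '' | tr ' ' '=')"
  printf '%s' "$seg" | sed 's#_#/#g; s/-/+/g' | base64 -d 2>/dev/null
}

# Decoded payload (claims) of a JWT, as JSON text.
jwt_claims() {
  jwt_segment_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Read one top-level string or numeric claim without needing jq.
jwt_claim() {
  local jwt="$1" name="$2"
  jwt_claims "$jwt" | sed -n "s/.*\"${name}\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Audience must be the resource we asked for and the token must not be expired.
# now_epoch defaults to the current time; it can be passed explicitly for testing.
token_check() {
  local jwt="$1" expected_aud="$2" now_epoch="${3:-$(date +%s)}"
  local aud exp
  aud="$(jwt_claim "$jwt" aud)"
  exp="$(jwt_claim "$jwt" exp)"
  [ "$aud" = "$expected_aud" ] || { echo "audience mismatch: '$aud'" >&2; return 1; }
  [ -n "$exp" ] && [ "$exp" -gt "$now_epoch" ] || { echo "token expired or has no exp claim" >&2; return 1; }
  # oid is the service principal's object id: the value to look up with
  # `az role assignment list --assignee <oid>` when auditing what the VM may do.
  echo "ok: oid=$(jwt_claim "$jwt" oid) tid=$(jwt_claim "$jwt" tid) exp=$exp"
}

# Constructed, unsigned token (alg=none) for offline demonstration only.
make_fake_token() {
  local header='{"alg":"none","typ":"JWT"}'
  local payload='{"aud":"https://management.azure.com/","oid":"11111111-1111-1111-1111-111111111111","tid":"22222222-2222-2222-2222-222222222222","exp":4102444800}'
  printf '%s.%s.%s' "$(jwt_segment_encode "$header")" "$(jwt_segment_encode "$payload")" 'unsigned'
}

# Offline demo on the constructed token. On the VM from step 7 you would run:
#   token_check "$(imds_get_token | imds_access_token)" 'https://management.azure.com/'
FAKE_TOKEN="$(make_fake_token)"
token_check "$FAKE_TOKEN" 'https://management.azure.com/'
```

The audience check matters because a token minted for one resource (say Azure Resource Manager) must not be accepted by code that expected another; the expiry check mirrors what the CLI does before refreshing. Nothing here validates the signature, so treat the decoded claims as informational, not as proof of identity.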

Need to learn more about attaching Managed Identities to VMs? See: https://aka.ms/azure-msi-docs

Need to learn more about Azure CLI? See: https://aka.ms/cli