Deploy a Linux or Windows VMSS with MSI


This template shows how to use Managed Service Identity (MSI) with VM Scale Sets and how to access Azure resources from within the VMs in the Scale Set. In particular it shows how to:

  • Create a VM Scale Set with a system assigned identity
  • Install the MSI extension to allow OAuth tokens to be issued for Azure resources
  • Assign RBAC permissions to the Managed Identity
  • Run a script that uses the Azure CLI or PowerShell with the MSI

This template creates a new VM Scale Set with an MSI and deploys the MSI extension to each VM. The MSI associated with the VM Scale Set is given Contributor permission on a storage account that is created by the template. A script is then run on the VMs using the custom script extension. On Linux, this script installs Docker and then creates a container with Azure CLI 2; inside that container it runs a script that logs in to the CLI using the token issuing endpoint installed in the VM by the MSI extension, then uses the CLI to retrieve the keys for the storage account and writes a blob with a name matching the VM name into the storage account. On Windows, the script uses PowerShell.

In order to make sure that the MSI is created and given permissions before the scripts run, the VM Scale Set is first created with 0 instances; the MSI is then given RBAC permissions, and the VM Scale Set is then updated to create the VMs with the extensions.

The default configuration deploys a scale set with 2 DS1_V2 VMs.
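The Linux flow described above, as an added example rather than the template's own script: shell helpers that fetch a token from the MSI extension's local endpoint, parse the reply, and then use the Azure CLI to read a storage key and write a blob named after the VM. The endpoint URL (the extension's documented default), the `MSI_ENDPOINT` variable, the sample reply and the function names are assumptions, not values taken from the template.

```shell
#!/bin/sh
# Added example, not the template's own script. Assumes the MSI VM extension's local
# token endpoint (http://localhost:50342/oauth2/token, its documented default) and
# Azure CLI 2 on the VM; MSI_ENDPOINT and the function names are our own.
set -eu
MSI_ENDPOINT="${MSI_ENDPOINT:-http://localhost:50342/oauth2/token}"
ARM_RESOURCE="https://management.azure.com/"
# Constructed sample of the endpoint's reply, for offline checks of the parsers.
SAMPLE_REPLY='{"access_token":"eyJ0eXAi.constructed.sig","expires_in":"3599","expires_on":"1506484173","resource":"https://management.azure.com/","token_type":"Bearer"}'
# Fetch an ARM token from the local endpoint. The Metadata header is mandatory,
# which blocks browser-style cross-site requests from obtaining one.
get_msi_token_json() {
  curl -sS -H "Metadata: true" "${MSI_ENDPOINT}?resource=${ARM_RESOURCE}"
}

# Pull access_token out of the JSON reply without jq; return non-zero when the
# field is absent so a caller never continues with an empty token.
extract_access_token() {
  tok=$(printf '%s' "$1" | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$tok" ] || return 1
  printf '%s\n' "$tok"
}

# Seconds until expires_on (epoch seconds, quoted or bare); $2 overrides "now".
token_seconds_remaining() {
  exp=$(printf '%s' "$1" | sed -n 's/.*"expires_on"[[:space:]]*:[[:space:]]*"\{0,1\}\([0-9]*\)"\{0,1\}.*/\1/p')
  [ -n "$exp" ] || return 1
  now=${2:-$(date +%s)}
  echo $(( exp - now ))
}

# Blob name matching the VM name, lower-cased (blob names are case-sensitive).
blob_name_for_vm() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }
# End to end: sign the CLI in with the managed identity, read a key for the storage
# account the template created and write one blob named after this VM. Needs az and
# the role assignment, so not run offline. Only key listing and blob writes are
# used here, so a role narrower than the template's Contributor grant would do.
write_blob_with_msi() {
  account="$1"; rg="$2"; container="$3"
  name=$(blob_name_for_vm "$(hostname)")
  az login --identity >/dev/null
  key=$(az storage account keys list --account-name "$account" --resource-group "$rg" \
          --query '[0].value' -o tsv)
  tmp=$(mktemp); printf 'written by %s\n' "$name" > "$tmp"
  az storage container create --name "$container" --account-name "$account" --account-key "$key" >/dev/null
  az storage blob upload --account-name "$account" --account-key "$key" \
     --container-name "$container" --name "$name" --file "$tmp" >/dev/null
  rm -f "$tmp"; printf '%s\n' "$name"
}
```

`write_blob_with_msi <account> <resource-group> <container>` is the call the custom script extension would make on the VM; the parsing helpers can be exercised against `SAMPLE_REPLY` without any network access.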

Tags: Microsoft.Storage/storageAccounts, Microsoft.Network/virtualNetworks, Microsoft.Network/networkSecurityGroups, Microsoft.Resources/deployments, Microsoft.Compute/virtualMachineScaleSets, SystemAssigned, Microsoft.Storage/storageAccounts/providers/roleAssignments