Use MSI to authenticate simply from inside a VM

Última atualização: 19/12/2017
Editar no GitHub

This sample explains how to use the SDK from inside an Azure resource like a VM or a WebApp using Managed Service Identity (MSI) authentication. This sample covers the two types of MSI scenarios:

  • System Assigned Identity: the identity is created and assigned by ARM
  • User Assigned Identity: the identity is created and managed by the user, and assigned to a VM

User Assigned Identity is currently only available on VM/VMSS.

On this page

Run this sample

  1. This sample is intended to be executed from inside a VM with MSI enabled. This document explains how to create a VM with MSI enabled.

  2. If you don't already have it, install Python on that VM.

  3. We recommend to use a virtual environnement to run this example, but it's not mandatory. You can initialize a virtualenv this way:

    pip install virtualenv
    virtualenv mytestenv
    cd mytestenv
    source bin/activate
    
  4. Clone the repository.

    git clone https://github.com/Azure-Samples/resource-manager-python-manage-resources-with-msi.git
    
  5. Install the dependencies using pip.

    cd resource-manager-python-manage-resources-with-msi
    pip install -r requirements.txt
    
  6. Run the sample.

    python example.py
    

What is example.py doing?

The sample creates a MSI Authentication credentials class. Then it uses this credentials to extract the current subscription ID. Finally it uses this credentials and subscription ID to list all the available Resource Groups.

Note that listing Resource Group is just an example, there is no actual limit of what you can do with this credentials (creating a KeyVault account, managing the Network of your VMs, etc.). The limit will be defined by the roles and policy assigned to the MSI token at the time of the creation of the VM.

Create a System Assigned MSI authentication instance

Creating a MSIAuthentication instance using a System Assigned Identity does not require any parameter.

from msrestazure.azure_active_directory import MSIAuthentication

credentials = MSIAuthentication()

Create a User Assigned MSI authentication instance

You need to provide a reference to your User Assigned object in order to create an instance. You can provide a client_id, an object_id (Active Directory IDs) or the MSI resource id that must conform to: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msiname

The fastest way to get a client_id is to use the CLI 2.0: az identity show -g myR -n myMSi

You can get the object_id using the az ad sp show --id <client_id> command, or thougt the Azure Portal in the Active Directory section.

You can also use the azure-mgmt-msi package.

Creating the Authentication class is then:

from msrestazure.azure_active_directory import MSIAuthentication

credentials = MSIAuthentication(
    client_id = '00000000-0000-0000-0000-000000000000'
)

or

from msrestazure.azure_active_directory import MSIAuthentication

credentials = MSIAuthentication(
    object_id = '00000000-0000-0000-0000-000000000000'
)

or

from msrestazure.azure_active_directory import MSIAuthentication

credentials = MSIAuthentication(
    msi_res_id = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msiname'
)

Get the subscription ID of that token

from azure.mgmt.resource import SubscriptionClient

subscription_client = SubscriptionClient(credentials)
subscription = next(subscription_client.subscriptions.list())
subscription_id = subscription.subscription_id

List resource groups

List the resource groups in your subscription.

from azure.mgmt.resource import ResourceManagementClient

resource_client = ResourceManagementClient(credentials, subscription_id)
for item in resource_client.resource_groups.list():
    print(resource_group.name)