Deploy a Linux or Windows VM with MSI

Azure Public Test Date Azure Public Test Result

Azure US Gov Last Test Date Azure US Gov Last Test Result

Best Practice Check Cred Scan Check

Bicep Version

Deploy To Azure Deploy To Azure US Gov Visualize

This shows how to use Managed Service Idenity from within a VM to access azure resources, in particular it shows how to:

  • Create a VM with a system assigned idenity
  • Install the MSI extension on the VM to allow OAuth tokens to be issued for Azure resources
  • Assign RBAC permissions to the Managed Identity
  • Run a script that uses Azure CLI or PowerShell to login using the MSI

This template creates a new VM with a MSI and deploys the MSI extension to the VM. The MSI associated with the VM is given contributor permission on a storage account that is created by the template. A script is then run on the VM using the customscript extension. On Linux this script installs Docker and then creates a container with the Azure CLI 2, it runs a script in this container that logs in to the CLI using the token issuing endpoint installed in the VM by the MSI extension. It then uses the cli to retrieve the keys for the storage account and writes a blob with a name matching the VM name into the storage account. On Windows, PowerShell is used.

Tags: Microsoft.Storage/storageAccounts, Microsoft.Network/virtualNetworks, Microsoft.Network/networkSecurityGroups, Microsoft.Resources/deployments, Microsoft.Network/publicIPAddresses, Microsoft.Network/networkInterfaces, Microsoft.Compute/virtualMachines, SystemAssigned, Microsoft.Compute/virtualMachines/extensions, CustomScriptExtension, CustomScript, Microsoft.Storage/storageAccounts/providers/roleAssignments