Blog Post
User-Assigned Identity-based Access for Machine Configuration Packages – Generally Available
Nice improvement!
But why not use the system managed identity? Since the guest config extension runs as a local service inside the VM, shouldn't that be possible?
Hey! The main constraints are: 1) there is a 2000 role assignment limit per subscription for system-assigned identities 2) there can only be one system assigned identity per machine making it infeasible to assign each individual machine to a storage account. User Assigned Identities are scalable to a larger set of machines and only need one identifier :)
- bkirk, Jun 16, 2025, Copper Contributor
But you can assign the System Managed Identities to a group and add this group to the storage account. This is actually what we do with our Arc Servers to give access to certain blobs in a storage account. As far as I can see this would be at least as flexible and simple as using a user assigned managed identity!?
Is it NOT possible to use the System Managed Identity at all?! I can see that there is a pull request in github (https://github.com/Azure/GuestConfiguration/pull/309), but no comments or anything for 2 months!
- mutemwamasheke, Aug 25, 2025, Microsoft
bkirk, Cyr-Az, we now have GA support for system assigned identities! You can read more here: Securely store your Machine Configuration packages in Azure Storage using System Assigned Identities
- bkirk, Jun 23, 2025, Copper Contributor
Unfortunately it seems that this is also only supported on Azure VMs and not Azure Arc Servers, as it is using the 169.254.169.254 endpoint to get the MI and does not seem to try the localhost:40342 endpoint as used by Azure Arc Servers :-(
Is there a reason that not both endpoints are tried for the contentManagedIdentity?
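To make the two endpoints in the comment above concrete, here is an added example (not the Machine Configuration agent's code or anything from the thread) of a token helper that tries the Azure VM IMDS endpoint first and falls back to the Azure Arc agent endpoint. It assumes the documented Arc flow (a 401 challenge whose `Www-Authenticate` realm names a key file readable only by root/Administrators, then a retry with `Authorization: Basic <file contents>`), the api-versions shown, and an injectable transport so the logic can be exercised offline.

```python
# Added illustration: managed-identity token for Azure Storage via IMDS (Azure VM) or HIMDS (Azure Arc).
import json
import urllib.error, urllib.parse, urllib.request

IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"   # Azure VM endpoint
ARC_URL = "http://localhost:40342/metadata/identity/oauth2/token"    # Azure Arc agent endpoint
STORAGE_RESOURCE = "https://storage.azure.com/"

def urllib_transport(url, params, headers, timeout=2):
    """Real transport: GET url?params with headers -> (status, headers, json body)."""
    req = urllib.request.Request(url + "?" + urllib.parse.urlencode(params), headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), {}
    except (urllib.error.URLError, OSError):
        return 0, {}, {}  # endpoint unreachable on this host (e.g. IMDS on an Arc server)

def imds_token(transport, client_id=None):
    """Azure VM IMDS; a user-assigned identity is selected with client_id (assumed api-version)."""
    params = {"api-version": "2018-02-01", "resource": STORAGE_RESOURCE}
    if client_id:
        params["client_id"] = client_id
    status, _, body = transport(IMDS_URL, params, {"Metadata": "true"})
    return body.get("access_token") if status == 200 else None

def arc_token(transport, read_key):
    """Arc HIMDS (system-assigned only): the first call answers 401 with a Www-Authenticate
    realm naming a key file; resend with the file's contents as a Basic authorization."""
    params = {"api-version": "2019-11-01", "resource": STORAGE_RESOURCE}
    status, hdrs, body = transport(ARC_URL, params, {"Metadata": "true"})
    if status == 401:
        challenge = hdrs.get("Www-Authenticate", "")
        if not challenge.startswith("Basic realm="):
            return None  # unexpected challenge: do not guess
        key = read_key(challenge[len("Basic realm="):])
        status, hdrs, body = transport(
            ARC_URL, params, {"Metadata": "true", "Authorization": "Basic " + key})
    return body.get("access_token") if status == 200 else None

def acquire_storage_token(transport=urllib_transport, read_key=None, client_id=None):
    """Return (source, token): IMDS on Azure VMs, otherwise the Arc endpoint, else (None, None)."""
    token = imds_token(transport, client_id)
    if token:
        return "imds", token
    read_key = read_key or (lambda path: open(path).read().strip())
    token = arc_token(transport, read_key)
    return ("arc", token) if token else (None, None)
```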