Forum Discussion

Matt McNabb
Iron Contributor
Oct 05, 2019

Connect-AzAccount with Managed Service Identity

I'm running PowerShell in the context of an Azure Web App that has a System Managed Service Identity configured. Currently, I can access the Key Vault by doing this:

# Request a Key Vault-scoped token from the App Service managed identity endpoint.
# MSI_ENDPOINT and MSI_SECRET are injected into the Web App's environment by the platform;
# the Secret header proves the caller is the app itself and not an arbitrary process.
$MsiHeader = @{ 'Secret' = $env:MSI_SECRET }
$VaultResource = "https://vault.azure.net"
$ApiVersion = "2017-09-01"
$VaultUri = "{0}?resource={1}&api-version={2}" -f $env:MSI_ENDPOINT, $VaultResource, $ApiVersion
# Exchange the platform secret for an access token (this call was missing from the snippet as posted;
# $VaultAuth was used below without ever being assigned).
$VaultAuth = Invoke-RestMethod -Uri $VaultUri -Headers $MsiHeader
# Present the bearer token to the Key Vault data plane and read the secret.
$VaultHeader = @{ Authorization = "Bearer $($VaultAuth.access_token)" }
$Secret = Invoke-RestMethod "https://MyVault.vault.azure.net/secrets/testsecret?api-version=7.0" -Headers $VaultHeader

This works just fine for accessing the vault, but is it possible to use the MSI to connect to Azure resources using the Az PowerShell module? If so, how can this be done? I can't quite seem to figure out how to do this properly. I've tried hacking at it like this:

# Attempt to split MSI_ENDPOINT (e.g. http://127.0.0.1:41963/MSI/token) into host and port
# so they can be passed to the -ManagedServiceHostName / -ManagedServicePort parameters.
$MsiHostName, $MsiPort = $env:MSI_ENDPOINT -replace 'http://' -replace '/MSI/token/' -split ':'
# Sign in using the explicit managed-service parameters of Connect-AzAccount.
$null = Connect-AzAccount -ManagedServiceHostName $MsiHostName -ManagedServicePort $MsiPort -ManagedServiceSecret $env:MSI_SECRET

But this doesn't seem to work and I can't find any examples of this on the web. Any help with this is much appreciated!

Reply from Pwd9000 (Copper Contributor):

    You should be able to just do:

    $null = Connect-AzAccount -Identity

    Given the Web App has been assigned a system-assigned managed identity, is part of the right RBAC role and the identity is assigned in IAM to the resources you are interacting with.
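The following is an added example, not code from either participant in the thread, showing the -Identity sign-in from the reply carried through to the same Key Vault read the question did over raw REST. It assumes current Az.Accounts and Az.KeyVault modules are present in the Web App (Get-AzAccessToken and the -AsPlainText switch are newer than this 2019 thread), and that the identity has already been granted read access to the vault; MyVault and testsecret are placeholders carried over from the question.

```powershell
# Added example (not from the original thread): sign in with the Web App's
# system-assigned managed identity and read a secret through the Az modules.
# Assumes Az.Accounts and Az.KeyVault are installed and the identity has been
# granted secret read access on the vault. Names below are placeholders.
$VaultName  = 'MyVault'       # placeholder vault name
$SecretName = 'testsecret'    # placeholder secret name

# App Service exposes the identity endpoint through environment variables:
# older stacks set MSI_ENDPOINT/MSI_SECRET, newer ones IDENTITY_ENDPOINT/IDENTITY_HEADER.
# If neither exists we are not running inside the Web App, so fail early instead of
# letting Connect-AzAccount fall back to a prompt or a cached credential.
if (-not ($env:MSI_ENDPOINT -or $env:IDENTITY_ENDPOINT)) {
    throw 'No managed identity endpoint found; run this inside the Web App.'
}

# -Identity makes Az.Accounts talk to that endpoint itself. No client secret,
# certificate or service principal password is stored anywhere in the app.
$null = Connect-AzAccount -Identity -ErrorAction Stop

# Confirm what we are actually running as before touching any resource.
$ctx = Get-AzContext
if ($ctx.Account.Type -ne 'ManagedService') {
    throw "Expected a managed identity context, got '$($ctx.Account.Type)'."
}
Write-Verbose "Signed in as managed identity in subscription $($ctx.Subscription.Id)" -Verbose

# Az cmdlets obtain resource-scoped tokens on demand; this is the module equivalent
# of the REST request in the question (resource=https://vault.azure.net).
$vaultToken = Get-AzAccessToken -ResourceUrl 'https://vault.azure.net'
Write-Verbose "Key Vault token expires at $($vaultToken.ExpiresOn)" -Verbose

# Read the secret. -AsPlainText is deliberate and visible: without it the cmdlet
# returns a SecureString, which is the safer default when the value only needs to be
# handed to another cmdlet rather than inspected.
try {
    $secretValue = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
                                        -AsPlainText -ErrorAction Stop
}
catch {
    # A 403 here almost always means the identity is missing from the vault's
    # access policy or RBAC assignment (for example 'Key Vault Secrets User'),
    # not that the managed identity sign-in failed.
    throw "Could not read '$SecretName' from '$VaultName': $($_.Exception.Message)"
}

# Use $secretValue from here; never write it to logs or telemetry.
# Report only that a value came back, not the value itself.
"Retrieved secret '$SecretName' ($($secretValue.Length) characters)"
```

Two points worth keeping in mind when running this: the endpoint check and the Account.Type check are there so the script cannot silently succeed under some other identity (for example a developer's cached login when the snippet is pasted into a local session), and the identity still needs an explicit grant on the vault, since sign-in succeeding says nothing about what the identity is allowed to read.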
