Forum Discussion
Matt McNabb
Oct 05, 2019 | Iron Contributor
Connect-AzAccount with Managed Service Identity
I'm running PowerShell in the context of an Azure Web App that has a System Managed Service Identity configured. Currently, I can access the Key Vault by doing this:
# Build the request to the App Service MSI token endpoint (api-version 2017-09-01)
$MsiHeader = @{ 'Secret' = $env:MSI_SECRET }
$VaultResource = "https://vault.azure.net"
$ApiVersion = "2017-09-01"
$VaultUri = "{0}?resource={1}&api-version={2}" -f $env:MSI_ENDPOINT, $VaultResource, $ApiVersion
# Exchange the MSI secret for an access token scoped to Key Vault
$VaultAuth = Invoke-RestMethod -Method Get -Uri $VaultUri -Headers $MsiHeader
# Present the bearer token to the vault's data plane
$VaultHeader = @{ Authorization = "Bearer $($VaultAuth.access_token)" }
$Secret = Invoke-RestMethod "https://MyVault.vault.azure.net/secrets/testsecret?api-version=7.0" -Headers $VaultHeader
This works just fine for accessing the vault, but is it possible to use the MSI to connect to Azure resources using the Az PowerShell module? If so, how can this be done? I can't quite seem to figure out how to do this properly. I've tried hacking at it like this:
$MsiHostName,$MsiPort = $env:MSI_ENDPOINT -replace 'http://' -replace '/MSI/token/' -split ':'
$null = Connect-AzAccount -ManagedServiceHostName $MsiHostName -ManagedServicePort $MsiPort -ManagedServiceSecret $env:MSI_SECRET
But this doesn't seem to work and I can't find any examples of this on the web. Any help with this is much appreciated!
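The raw token flow in the post above, as an added example that is not part of the original question: it generalises the poster's call to both generations of the App Service managed identity endpoint (the older MSI_ENDPOINT/MSI_SECRET pair and the current IDENTITY_ENDPOINT/IDENTITY_HEADER pair) and checks the token's audience before using it. The vault name, secret name and the assumption that it runs inside an App Service host where those variables are injected are placeholders.

```powershell
# Added example, not code from the original post. Assumes it runs inside an App Service /
# Functions host that injects the managed identity environment variables referenced below.

function Get-ManagedIdentityToken {
    param(
        [Parameter(Mandatory)] [string] $Resource   # e.g. https://vault.azure.net
    )

    if ($env:IDENTITY_ENDPOINT -and $env:IDENTITY_HEADER) {
        # Current App Service endpoint: api-version 2019-08-01, secret passed in X-IDENTITY-HEADER
        $endpoint   = $env:IDENTITY_ENDPOINT
        $apiVersion = '2019-08-01'
        $headers    = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    }
    elseif ($env:MSI_ENDPOINT -and $env:MSI_SECRET) {
        # Legacy endpoint used in the original post: api-version 2017-09-01, secret passed in 'Secret'
        $endpoint   = $env:MSI_ENDPOINT
        $apiVersion = '2017-09-01'
        $headers    = @{ 'Secret' = $env:MSI_SECRET }
    }
    else {
        throw 'No managed identity endpoint found; is a managed identity enabled on this app?'
    }

    $uri = '{0}?resource={1}&api-version={2}' -f $endpoint, [uri]::EscapeDataString($Resource), $apiVersion
    $token = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

    # Sanity check: decode the JWT payload (base64url) and confirm the audience is the resource
    # we asked for, so a misconfigured endpoint cannot hand back a token for something else.
    $payloadB64 = ($token.access_token -split '\.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payloadB64.Length % 4) { 2 { $payloadB64 += '==' } 3 { $payloadB64 += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payloadB64)) | ConvertFrom-Json
    if ($claims.aud -ne $Resource -and $claims.aud -ne $Resource.TrimEnd('/')) {
        throw "Token audience '$($claims.aud)' does not match requested resource '$Resource'"
    }
    return $token
}

# Usage: fetch a Key Vault secret with the bearer token (vault and secret names are placeholders).
$tok    = Get-ManagedIdentityToken -Resource 'https://vault.azure.net'
$secret = Invoke-RestMethod -Uri 'https://MyVault.vault.azure.net/secrets/testsecret?api-version=7.0' `
                            -Headers @{ Authorization = "Bearer $($tok.access_token)" }
$secret.value
```

The response also carries expires_on; cache the token and reuse it until shortly before that time rather than calling the endpoint on every request.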
- Pwd9000 (Copper Contributor)
You should be able to just do:
$null = Connect-AzAccount -Identity
Given the Web App has been assigned a system-assigned managed identity, is part of the right RBAC role, and the identity is assigned in IAM to the resources you are interacting with.
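The Az module path from the answer above, as an added example that is not the answerer's own code: it signs in with -Identity, verifies that the resulting context really is the managed identity rather than a cached user or service principal context, and then reads the same secret through the Az.KeyVault cmdlets instead of raw REST. It assumes Az.Accounts and Az.KeyVault are installed in the web app and that the identity has been granted access to the vault; MyVault and testsecret are placeholders.

```powershell
# Added example, not code from the original answer. Assumes Az.Accounts and Az.KeyVault are
# available and the app's system-assigned identity has access to the (placeholder) vault.

Import-Module Az.Accounts, Az.KeyVault -ErrorAction Stop

# -Identity makes Az.Accounts use the host's managed identity endpoint; no credentials in code.
# For a user-assigned identity, add: -AccountId <client id of that identity>
$null = Connect-AzAccount -Identity -ErrorAction Stop

# Check that we are running as the managed identity and not some leftover context.
$ctx = Get-AzContext
if ($ctx.Account.Type -ne 'ManagedService') {
    throw "Expected a ManagedService context, got '$($ctx.Account.Type)' ($($ctx.Account.Id))"
}
"Signed in as managed identity in subscription $($ctx.Subscription.Id)"

# Read the secret. SecretValue is a SecureString; unwrap it only where plaintext is required.
$kvSecret = Get-AzKeyVaultSecret -VaultName 'MyVault' -Name 'testsecret' -ErrorAction Stop
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($kvSecret.SecretValue)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# $plain now holds the secret; the same signed-in context serves every other Az cmdlet
# the identity has been authorised for (Get-AzStorageAccount, Get-AzResource, ...).
```

If Connect-AzAccount -Identity fails inside the app, check the same things the answer lists: the identity is enabled on the web app, it has a role assignment on the target resource, and (for Key Vault) either an access policy or a Key Vault data-plane RBAC role grants it secret read access.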