
Connect-AzAccount with Managed Service Identity

Matt McNabb
Contributor

I'm running PowerShell in the context of an Azure Web App that has a System Managed Service Identity configured. Currently, I can access the Key Vault by doing this:

# Header carrying the per-instance secret that the App Service MSI endpoint requires
$MsiHeader = @{'Secret' = $env:MSI_SECRET}
$VaultResource = "https://vault.azure.net"
$ApiVersion = "2017-09-01"
$VaultUri = "{0}?resource={1}&api-version={2}" -f $env:MSI_Endpoint, $VaultResource, $ApiVersion
# Request the token from the MSI endpoint (this assignment was missing from the posted snippet; $VaultAuth was used before being set)
$VaultAuth = Invoke-RestMethod -Uri $VaultUri -Headers $MsiHeader
$VaultHeader = @{ Authorization = "Bearer $($VaultAuth.access_token)" }
$Secret = Invoke-RestMethod "https://MyVault.vault.azure.net/secrets/testsecret?api-version=7.0" -Headers $VaultHeader

This works just fine for accessing the vault, but is it possible to use the MSI to connect to Azure resources using the Az PowerShell module? If so, how can this be done? I can't quite seem to figure out how to do this properly. I've tried hacking at it like this:

# Split "http://host:port/MSI/token/" into host and port for the legacy ManagedService* parameters
$MsiHostName,$MsiPort = $env:MSI_ENDPOINT -replace 'http://' -replace '/MSI/token/' -split ':'
$null = Connect-AzAccount -ManagedServiceHostName $MsiHostName -ManagedServicePort $MsiPort -ManagedServiceSecret $env:MSI_SECRET

But this doesn't seem to work and I can't find any examples of this on the web. Any help with this is much appreciated!

1 Reply
You should be able to just do:
$null = Connect-AzAccount -Identity

Given the Web App has been assigned a system-assigned managed identity, is part of the right RBAC role and the identity is assigned in IAM to the resources you are interacting with.
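Putting the two approaches from this thread side by side, as an added example that is not from the original post or reply: a helper that obtains a token from whichever App Service identity endpoint is present (the older MSI_ENDPOINT/MSI_SECRET pair shown in the question, or the newer IDENTITY_ENDPOINT/IDENTITY_HEADER pair), followed by the `Connect-AzAccount -Identity` route from the reply with a context check. The vault name, secret name and installed modules (Az.Accounts, Az.KeyVault) are assumptions.

```powershell
# Added example, not code from the original thread. Assumes it runs inside an App Service
# with a system-assigned managed identity that has "get" permission on the secret below.
# "MyVault" and "testsecret" are placeholders.

function Get-AppServiceIdentityToken {
    param([Parameter(Mandatory)][string]$Resource)
    # App Service injects the token endpoint and a per-instance header value via environment
    # variables. Newer instances expose IDENTITY_ENDPOINT/IDENTITY_HEADER (api-version 2019-08-01);
    # older ones expose MSI_ENDPOINT/MSI_SECRET (api-version 2017-09-01). Handle both.
    $encoded = [uri]::EscapeDataString($Resource)
    if ($env:IDENTITY_ENDPOINT) {
        $uri     = "{0}?resource={1}&api-version=2019-08-01" -f $env:IDENTITY_ENDPOINT, $encoded
        $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    }
    elseif ($env:MSI_ENDPOINT) {
        $uri     = "{0}?resource={1}&api-version=2017-09-01" -f $env:MSI_ENDPOINT, $encoded
        $headers = @{ 'Secret' = $env:MSI_SECRET }
    }
    else {
        throw "No managed identity endpoint found; is a managed identity enabled on this app?"
    }
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    if (-not $response.access_token) { throw "Identity endpoint returned no access_token" }
    return $response.access_token
}

# Route 1 (as in the question): raw bearer token for a Key Vault data-plane call.
# Keep the token and the endpoint secret out of logs and transcripts.
$vaultToken = Get-AppServiceIdentityToken -Resource 'https://vault.azure.net'
$secret = Invoke-RestMethod -Uri 'https://MyVault.vault.azure.net/secrets/testsecret?api-version=7.0' `
                            -Headers @{ Authorization = "Bearer $vaultToken" }

# Route 2 (as in the reply): let Az.Accounts discover the same endpoint itself.
$null = Connect-AzAccount -Identity
$ctx = Get-AzContext
if (-not $ctx) { throw "Connect-AzAccount -Identity produced no context; check the identity and its RBAC assignments" }

# Same secret through the Az cmdlets; a 403 here means the identity lacks an access policy
# or RBAC role on the vault, not that the login failed.
$secretViaAz = Get-AzKeyVaultSecret -VaultName 'MyVault' -Name 'testsecret' -AsPlainText
```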