Managed Identity with Octopus Deploy
Microsoft

If you are using Octopus Deploy to deploy onto Azure, the only options you'll find are to use a Service Principal for ARM-based deployments, or a Management Certificate for older ASM deployments.

suhasrao_0-1591347743355.png

Using a Service Principal is considered a security risk because its credentials have to be stored alongside your code. Managed Identities for Azure resources exist to solve exactly this problem: a managed identity can authenticate to any service that supports Azure AD authentication without any credentials in your code. If you are unfamiliar with Managed Identities, I would suggest going through our documentation. Unfortunately, this is not an option out of the box, even if your Octopus Server or the Tentacle agent is running on Azure.

So, is there a way to use a Managed Identity to perform secure, credential-free deployments on Azure using Octopus Deploy? My colleague Apurva and I started exploring options and, in this blog, we describe our journey to successfully deploying an ARM template using Managed Identities. An Azure VM was used in our example, but this should also be possible if you are running on containers using ACI or AKS.

The first step is to install PowerShell Core on the VM running your Octopus Server or Tentacle agent on Azure. We installed PowerShell 7 on this VM. You must then install the Az.* modules to be able to execute Azure PowerShell commands.

You must then assign a Managed Identity to the VM. You can use a system-assigned or a user-assigned managed identity; the example below uses a system-assigned identity.

$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM

Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType "SystemAssigned"

suhasrao_1-1591347743384.png

Once it is assigned, run the following command to confirm that you can sign in with the VM's newly assigned Managed Service Identity (MSI):

Connect-AzAccount -Identity

You should be able to see the subscription details correctly:

Account                SubscriptionName TenantId                Environment

-------                ---------------- --------                -----------

MSI@50342              Subscription1    xxxx-xxxx-xxxx-xxxx     AzureCloud

If not, grant the managed identity access to the subscription. The managed identity must also have write permissions on the resource group where the ARM resources are to be deployed; assign that role at the narrowest scope that works (the resource group rather than the whole subscription).

From within Octopus Deploy, create a step to “Run a script” in your Deployment Process as shown below.

suhasrao_2-1591347743429.png

Under Configure Options, check the “PowerShell Edition” checkbox:

suhasrao_3-1591347743461.png

You will also need to set the environment variable to point to pwsh.exe.

Also, select “PowerShell Core” for the edition as shown below:

suhasrao_4-1591347743468.png

That’s it. You should now be able to run Azure PowerShell commands from your Octopus Server running in Azure without storing any credentials.

suhasrao_5-1591347743480.png

Connect-AzAccount -Identity

New-AzResourceGroupDeployment -ResourceGroupName "xxx-demo-rg" -TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-storage-blob-container/azuredeploy.json" -TemplateParameterObject @{"storageAccountName"="strgacc29052020"}
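
As an added example (not code from the original post), here is a complete Octopus “Run a script” step body that ties the pieces above together: it signs in with the VM's managed identity, pre-flights the permission requirement noted earlier by checking that the identity actually holds a write-capable role on the target resource group, and only then runs the template deployment. The Octopus variable names, the resource group, template URI and storage account name are all assumptions.

```powershell
# Added example: an Octopus "Run a script" step body (PowerShell Core edition).
# Everything below is assumed, not taken from the post: the Octopus variable names,
# the resource group, the template URI and the storage account name.
$ErrorActionPreference = 'Stop'

$subscriptionId = $OctopusParameters['Azure.SubscriptionId']
$resourceGroup  = $OctopusParameters['Azure.ResourceGroup']      # e.g. xxx-demo-rg
$templateUri    = $OctopusParameters['Azure.TemplateUri']
$storageAccount = $OctopusParameters['Azure.StorageAccountName']

# 1. Sign in with the host VM's system-assigned identity; there is no secret to store or leak.
#    For a user-assigned identity add: -AccountId <client id of that identity>
$ctx = (Connect-AzAccount -Identity -Subscription $subscriptionId).Context
Write-Host "Signed in as '$($ctx.Account.Id)' to subscription '$($ctx.Subscription.Name)'"

# 2. Find the object id of the identity we are running as. The account id shown by
#    Get-AzContext (e.g. MSI@50342) is not the principal, so read the 'oid' claim from the
#    ARM access token instead. Newer Az.Accounts versions return the token as a SecureString.
$token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
if ($token -is [securestring]) { $token = ConvertFrom-SecureString $token -AsPlainText }
$payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)              # restore base64 padding
$objectId = ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
             ConvertFrom-Json).oid

# 3. Pre-flight the permission requirement: the identity must hold a role that can write
#    to the target resource group (extend the list if you use a custom role). Failing here
#    gives a clear message instead of a generic 403 halfway through the deployment.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$roles = Get-AzRoleAssignment -ObjectId $objectId -Scope $scope |
         Select-Object -ExpandProperty RoleDefinitionName
if (-not ($roles | Where-Object { $_ -in 'Owner', 'Contributor' })) {
    throw "Identity $objectId has no write role on $scope (found: '$($roles -join ', ')'). " +
          "Grant Contributor scoped to the resource group, not to the whole subscription."
}

# 4. Deploy the ARM template with the same identity and surface a failed deployment to Octopus.
$deployment = New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
    -TemplateUri $templateUri -TemplateParameterObject @{ storageAccountName = $storageAccount }
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment '$($deployment.DeploymentName)' ended in state $($deployment.ProvisioningState)"
}
Write-Host "Deployment '$($deployment.DeploymentName)' succeeded"
```

Because the step runs under the PowerShell Core edition configured above, both the Az cmdlets and `ConvertFrom-SecureString -AsPlainText` are available without any stored credential on the Octopus server.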

Apurva Kolhe is a Premier Field Engineer at Microsoft and Suhas Rao is a Cloud Solution Architect at Microsoft, both specializing in the areas of DevOps and PaaS technologies on Azure.