This article shows you how to use the Azure CLI to give a managed identity access to an Azure resource. In this article, we use the example of an Azure virtual machine (Azure VM) managed identity accessing an Azure storage account. Once you've configured an Azure resource with a managed identity, you can then give the managed identity access to another resource, similar to any security principal.
Prerequisites
- Be sure you've enabled managed identity on an Azure resource, such as an Azure virtual machine.
- If you don't already have an Azure account, sign up for a Trial before continuing.
Prepare your environment
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
Use Azure RBAC to assign a managed identity access to another resource
In this example, you give an Azure virtual machine (VM) managed identity access to a storage account. First, use az resource list to get the principal ID of the managed identity (its service principal) for a VM named myVM:
spID=$(az resource list -n myVM --query [*].identity.principalId --out tsv)
For an Azure Virtual Machine (VM) scale set, the command is the same, except that here you get the service principal for the scale set named "DevTestVMSS":
spID=$(az resource list -n DevTestVMSS --query [*].identity.principalId --out tsv)
Once you have the service principal ID, use az role assignment create to give the virtual machine or virtual machine scale set Reader access to a storage account called "myStorageAcct":
az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/myStorageAcct
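The same procedure as a script, added here as an example and not part of the original article. It assumes the subscription ID, resource group, VM name and storage account name arrive in environment variables (SUBSCRIPTION_ID, RESOURCE_GROUP, VM_NAME, STORAGE_ACCOUNT), looks the identity up by resource group and name so a resource of another type with the same name cannot be matched, refuses to proceed on an empty or ambiguous principal ID, passes the object ID and principal type explicitly to az role assignment create, and verifies the assignment at the intended scope afterwards.

```shell
#!/bin/sh
# Added example, not the article's own script. Talks to Azure only when
# AZ_APPLY=1 is set, so the helper functions can be sourced and tested offline.
set -eu

# Build the ARM scope for one storage account; scoping to the resource rather
# than the subscription or resource group keeps the grant at least privilege.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Accept exactly one GUID. Empty output means the identity was never enabled on
# the VM; more than one line means the lookup matched more than one resource.
valid_principal_id() {
  [ "$(printf '%s\n' "$1" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Unambiguous lookup: az resource list -n matches any resource type with that
# name, whereas az vm identity show is bound to one VM in one resource group.
vm_principal_id() {
  az vm identity show --resource-group "$1" --name "$2" \
    --query principalId --output tsv
}

# Give the object ID and principal type explicitly so the CLI does not have to
# resolve the assignee through Microsoft Graph.
assign_reader() {
  az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal --role Reader \
    --scope "$2" --output none
}

# Confirm the Reader assignment exists at exactly the scope we intended.
verify_reader() {
  count=$(az role assignment list --assignee "$1" --scope "$2" --role Reader \
    --query 'length(@)' --output tsv)
  [ "$count" -ge 1 ]
}

if [ "${AZ_APPLY:-0}" = "1" ]; then
  scope=$(storage_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")
  spID=$(vm_principal_id "$RESOURCE_GROUP" "$VM_NAME")
  valid_principal_id "$spID" || { echo "no usable principalId for $VM_NAME" >&2; exit 1; }
  assign_reader "$spID" "$scope"
  verify_reader "$spID" "$scope" && echo "Reader assigned to $spID at $scope"
fi
```

Run it with AZ_APPLY=1 after az login; without that variable the file only defines the functions.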