Christof VG

You don't need to come out of your comfort zone, if automation is in it!

Manage Azure Resource Manager using a Managed Identity

Read time: 5 minutes
Execution time: 5 minutes

Introduction

In some cases you want to grant someone access to your Azure environment, but you don't want them to connect from everywhere or at any given moment. Yet once a user is given a role in Azure, he or she can access the environment from anywhere with the rights configured in the assigned role.

To solve this, Managed Identities are an easy way to grant access to a user, but only from a certain virtual machine.

In this short article, I will show you how to grant access this way.

What is a managed identity?

A managed identity is an Azure Active Directory object that can be used to authenticate. It comes in two flavors:

  • System-assigned managed identity: This identity is created directly on an Azure resource and shares its lifecycle. So when a resource, like a virtual machine, is removed, its managed identity is removed as well.
  • User-assigned managed identity: This identity is created as a separate resource and can then be assigned to one or more resources. Its lifecycle is not tied to those resources.

If you only need it on a single resource, a system-assigned managed identity will do; to use the same identity on more than one resource, a user-assigned managed identity is needed.

Grant access to a virtual machine

To create a managed identity on a virtual machine, simply switch its status to On.

Now this virtual machine has a managed identity. But this doesn't mean it has any access yet. You still need to assign an Azure role to this managed identity, which works very much like assigning a role to a normal user.

First select what you want to assign access to.

Then select the virtual machine as the member.

Of course, you still need to select the proper role, and then you are ready to roll.

Use the managed identity

So now you have created a managed identity and granted it access to Azure. But how does this work?

  1. You tell PowerShell or the Azure CLI that you want to authenticate using a managed identity.
  2. PowerShell or the CLI talks to the Instance Metadata Service (IMDS) on the virtual machine. This is done through the URL http://169.254.169.254/metadata/identity/oauth2/token, a link-local address that is only reachable from the virtual machine itself.
  3. The IMDS connects to Azure Active Directory to request an access token.
  4. An access token is returned.
  5. The token is used to connect to Azure.

In PowerShell the only command needed to log in is:

Add-AzAccount -Identity

For the Azure CLI, this command is used to log in:

az login --identity

After you are logged in, you can manage the Azure resources you have access to.
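To make the five steps above concrete, here is an added example (not from the original post) that does by hand what Add-AzAccount -Identity does: it requests a token from the IMDS endpoint named above, reads the token's claims to show which principal Azure will see, and calls Azure Resource Manager with it. It assumes it runs on a VM whose managed identity holds a role at subscription scope; the api-version values and the subscriptions endpoint are the standard ones, and the ConvertFrom-JwtPayload helper is my own.

```powershell
# Added example: the manual equivalent of Add-AzAccount -Identity.
# Run this on the VM that has the managed identity assigned.

# 1. Ask the Instance Metadata Service for a token scoped to Azure Resource Manager.
#    The 'Metadata: true' header is mandatory; IMDS rejects requests without it.
$imdsUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=https://management.azure.com/'
$tokenResponse = Invoke-RestMethod -Method Get -Uri $imdsUri -Headers @{ Metadata = 'true' }
$accessToken = $tokenResponse.access_token

# 2. Decode the token payload (no signature check, we only want to read the claims)
#    to see which principal Azure will record for every action taken with it.
#    Helper written for this example; it is not part of the Az module.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # JWT segments are base64url without padding; restore standard base64 first.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload -Jwt $accessToken
# 'oid' is the object id of the managed identity, not of the user running this script,
# which is why the individual user does not show up in the Azure activity log.
Write-Host "Token issued to object id $($claims.oid), expires at (unix) $($tokenResponse.expires_on)"

# 3. Use the token as a bearer token against Azure Resource Manager.
#    Listing subscriptions only returns those where the identity holds a role assignment.
$armHeaders = @{ Authorization = "Bearer $accessToken" }
$subs = Invoke-RestMethod -Method Get -Headers $armHeaders `
    -Uri 'https://management.azure.com/subscriptions?api-version=2020-01-01'
$subs.value | Select-Object subscriptionId, displayName
```

Anyone who can run code on the VM can issue the same request, which is exactly the first caveat in the conclusion below: access to the VM is access to the role.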

Conclusion

This is a quite simple way to grant access from a virtual machine you control, without giving users access from elsewhere. But there are some caveats:

  • All users with access to the virtual machine have access to Azure with the rights and scope specified in the assigned role.
  • The actions performed in Azure are performed by the managed identity, so the specific user will not be visible in the audit log.