sakuraime asked shivapatpi-MSFT commented

Invoke-WebRequest to get access token for system assigned identity

On an Azure VM, I have assigned a system-managed identity, and I would like to get that from PowerShell on that machine.

However, I got the following error:

(screenshot attached: 72365-image.png)




I want to use it to authenticate to Azure SQL Database.

azure-virtual-machines

1 Answer

shivapatpi-MSFT answered shivapatpi-MSFT commented

Hello @sakuraime,
Thanks for your query. I was able to repro your issue locally, but with a different error message:
Initially, for the command below, I was passing the ObjectID instead of the ApplicationID in the client_id parameter.

PS C:\windows\system32> $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=OBJECTIDRETRIEVEDFROMAZUREPORTALVM&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}

Invoke-WebRequest : {"error":"invalid_request","error_description":"Identity not found"}
At line:1 char:13
+ $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/i ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand




This will be the complete working command:

PS C:\windows\system32> $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=PASSTHEAPPLICATIONID&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}
PS C:\windows\system32> $response


StatusCode : 200
StatusDescription : OK
Content : {"access_token":"TOKENVALU}
RawContent : HTTP/1.1 200 OK
Content-Length: 1715
Content-Type: application/json; charset=utf-8
Date: Fri, 26 Feb 2021 18:49:16 GMT
Server: IMDS/150.870.65.489

Forms : {}
Headers : {[Content-Length, 1715], [Content-Type, application/json; charset=utf-8], [Date, Fri, 26 Feb 2021 18:49:16 GMT], [Server, IMDS/150.870.65.489]}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : System.__ComObject
RawContentLength : 1715


How to get the ApplicationID:

1) Get-AzureRmADServicePrincipal -DisplayName "managedidentity"
The above command will display the list of all IDs.
2) Get the ObjectID of the VM from the Azure portal (VM name -> Settings -> Identity).
3) From the output, search for the ObjectID copied from the portal.
4) Grab the ApplicationID.
5) Try to run the whole command on one single line.


Pass that ApplicationID to the Invoke-WebRequest command. It should work.

My Azure VM screenshots of successful and unsuccessful attempts:

(screenshot attached: 72538-image.png)




The additional references below should help you troubleshoot further:

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-ua-arm

If the above information helps, kindly "Accept the Answer and Upvote".


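The following is an added example, not code from the question or the answer above, showing the end-to-end flow the thread is about: fetch a token from IMDS on the VM and use it to open an Azure SQL Database connection. Two points it makes explicit that the answer does not: for a system-assigned identity no client_id is needed at all (client_id, or alternatively object_id, is how IMDS selects one of several user-assigned identities, and passing an object ID in client_id is exactly what produces "Identity not found"); and the token must be requested for the resource https://database.windows.net/, because the https://management.azure.com/ token in the answer is for Azure Resource Manager and Azure SQL will reject it. The server and database names are placeholders, and the script assumes PowerShell 5.1 or 7 on an Azure VM with a system-assigned identity.

```powershell
# Added example (not from the original post): get a managed-identity token from IMDS on an
# Azure VM and use it to connect to Azure SQL Database. Server/database names are placeholders.

function Get-ImdsToken {
    [CmdletBinding()]
    param(
        # Token audience. Azure SQL needs database.windows.net, not management.azure.com.
        [string]$Resource = 'https://database.windows.net/',
        # Only for a user-assigned identity: its client (application) ID ...
        [string]$ClientId,
        # ... or its object (principal) ID. An object ID sent as client_id yields "Identity not found".
        [string]$ObjectId
    )
    $query = "api-version=2018-02-01&resource=$([uri]::EscapeDataString($Resource))"
    if ($ClientId) { $query += "&client_id=$ClientId" }
    elseif ($ObjectId) { $query += "&object_id=$ObjectId" }
    $uri = "http://169.254.169.254/metadata/identity/oauth2/token?$query"

    # Metadata:true is mandatory (IMDS refuses requests without it, which blocks SSRF-style
    # relays that cannot set headers). IMDS is link-local and must not be reached via a proxy.
    $params = @{ Uri = $uri; Method = 'GET'; Headers = @{ Metadata = 'true' } }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $params.NoProxy = $true }
    else { $params.UseBasicParsing = $true; [System.Net.WebRequest]::DefaultWebProxy = $null }  # process-wide on 5.1
    try {
        # Returns an object with access_token, expires_on, resource, token_type ...
        return Invoke-RestMethod @params
    } catch {
        # Surface IMDS's JSON error body, e.g. {"error":"invalid_request","error_description":"Identity not found"}
        $body = $_.ErrorDetails.Message
        if (-not $body -and $_.Exception.Response) {
            $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
            $body = $reader.ReadToEnd()
        }
        throw "IMDS token request failed: $body"
    }
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    # Decode the (unverified) payload to sanity-check audience and expiry before using the token.
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

function Invoke-SqlWithManagedIdentity {
    param(
        [Parameter(Mandatory)][string]$Server,    # e.g. 'myserver.database.windows.net' (placeholder)
        [Parameter(Mandatory)][string]$Database,
        [string]$Query = 'SELECT SUSER_SNAME() AS login_name, DB_NAME() AS db'
    )
    $token  = Get-ImdsToken -Resource 'https://database.windows.net/'
    $claims = Get-JwtPayload -Jwt $token.access_token
    if ($claims.aud.TrimEnd('/') -ne 'https://database.windows.net') {
        throw "Token audience is '$($claims.aud)'; Azure SQL will reject it."
    }
    # No Integrated Security / User ID / Password: the bearer token is the credential.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=tcp:$Server,1433;Database=$Database;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30"
    $conn.AccessToken = $token.access_token
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) {
            $row = [ordered]@{}
            for ($i = 0; $i -lt $reader.FieldCount; $i++) { $row[$reader.GetName($i)] = $reader.GetValue($i) }
            $rows += [pscustomobject]$row
        }
        return $rows
    } finally { $conn.Dispose() }
}

# Usage on the VM (placeholder names):
# Invoke-SqlWithManagedIdentity -Server 'myserver.database.windows.net' -Database 'mydb'
```

For the login to succeed, the logical server must have an Azure AD admin configured and the VM's identity must exist as a contained database user (created by that admin with CREATE USER [vm-name] FROM EXTERNAL PROVIDER and granted a role); otherwise the token is accepted by IMDS but rejected by SQL. IMDS caches the token, so reuse it until expires_on rather than calling the endpoint per query.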

Thanks. I haven't tried the user-assigned identity.

But in the end it works by fixing the URI passed to Invoke-WebRequest. Thanks.


Hello @sakuraime,
If any of the points above helped you understand and resolve the issue, could you kindly upvote and accept the answer so that it helps the community.

