Assign a managed identity access to a resource using Azure CLI
|Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources are subject to their own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.|
Once you've configured an Azure resource with a managed identity, you can give the managed identity access to another resource, just like any security principal. This example shows you how to give an Azure virtual machine or virtual machine scale set's managed identity access to an Azure storage account using Azure CLI.
- If you're unfamiliar with managed identities for Azure resources, check out the overview section. Be sure to review the difference between a system-assigned and user-assigned managed identity.
- If you don't already have an Azure account, sign up for a free account before continuing.
- To run the CLI script examples, you have three options:
Open Azure Cloud Shell
Azure Cloud Shell is an interactive shell environment hosted in Azure and used through your browse. Azure Cloud Shell allows you to
PowerShell shells to run a variety of tools to work with Azure services. Azure Cloud Shell comes pre-installed with the commands
to allow you to run the content of this article without having to install anything on your local environment.
To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed, so press Enter to run code.
You can launch Azure Cloud Shell with:
|Select Try It in the upper-right corner of a code block. This doesn't automatically copy text to Cloud Shell.|
|Open Azure Cloud Shell in your browser.|
|Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.|
Use RBAC to assign a managed identity access to another resource
If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription under which you would like to deploy the VM or virtual machine scale set:
In this example, we are giving an Azure virtual machine access to a storage account. First we use az resource list to get the service principal for the virtual machine named myVM:
spID=$(az resource list -n myVM --query [*].identity.principalId --out tsv)
For an Azure virtual machine scale set, the command is the same except here, you get the service principal for the virtual machine scale set named "DevTestVMSS":
spID=$(az resource list -n DevTestVMSS --query [*].identity.principalId --out tsv)
Once you have the service principal ID, use az role assignment create to give the virtual machine or virtual machine scale set "Reader" access to a storage account called "myStorageAcct":
az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/myStorageAcct
- Managed identities for Azure resources overview
- To enable managed identity on an Azure virtual machine, see Configure managed identities for Azure resources on an Azure VM using Azure CLI.
- To enable managed identity on an Azure virtual machine scale set, see Configure managed identities for Azure resources on a virtual machine scale set using Azure CLI.
Send feedback about: