Assign a Managed Service Identity (MSI) access to a resource using Azure CLI
Once you've configured an Azure resource with an MSI, you can give the MSI access to another resource, just like any security principal. This example shows you how to give an Azure virtual machine's MSI access to an Azure storage account, using Azure CLI.
To run the CLI script examples, you have three options:
- Use Azure Cloud Shell from the Azure portal (see next section).
- Use the embedded Azure Cloud Shell via the "Try It" button, located in the top right corner of each code block.
- Install the latest version of CLI 2.0 (2.0.13 or later) if you prefer to use a local CLI console.
Launch Azure Cloud Shell
The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. Just click the Copy to copy the code, paste it into the Cloud Shell, and then press enter to run it. There are two ways to launch the Cloud Shell:
|Click Try It in the upper right corner of a code block.|
|Click the Cloud Shell button on the menu in the upper right of the Azure portal.|
Use RBAC to assign the MSI access to another resource
After you've enabled MSI on an Azure resource, such as an Azure VM:
If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription under which you would like to deploy the VM:
In this example, we are giving an Azure VM access to a storage account. First we use az resource list to get the service principal for the VM named "myVM", which was created when we enabled MSI on the VM:
spID=$(az resource list -n myVM --query [*].identity.principalId --out tsv)
Once we have the service principal ID, we use az role assignment create to give the VM "Reader" access to a storage account called "myStorageAcct":
az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/myStorageAcct
If the MSI for the resource does not show up in the list of available identities, verify that the MSI has been enabled correctly. In our case, we can go back to the Azure VM in the Azure portal and:
- Look at the "Configuration" page and ensure MSI enabled = "Yes."
- Look at the "Extensions" page and ensure the MSI extension deployed successfully.
If either is incorrect, you may need to redeploy the MSI on your resource again, or troubleshoot the deployment failure.
- For an overview of MSI, see Managed Service Identity overview.
- To enable MSI on an Azure VM, see Configure an Azure VM Managed Service Identity (MSI) using Azure CLI.
Use the following comments section to provide feedback and help us refine and shape our content.