Once you've configured an Azure resource with an MSI, you can give the MSI access to another resource, just like any security principal. This example shows you how to give an Azure virtual machine's MSI access to an Azure storage account, using Azure CLI.
If you're unfamiliar with MSI, check out the Managed Service Identity overview.
If you don't already have an Azure account, sign up for a free account before continuing.
To run the CLI script examples, you have three options:
- Use Azure Cloud Shell from the Azure portal (see next section).
- Use the embedded Azure Cloud Shell via the "Try It" button, located in the top right corner of each code block.
- Install the latest version of CLI 2.0 (2.0.13 or later) if you prefer to use a local CLI console.
Launch Azure Cloud Shell
The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It has the Azure CLI preinstalled and configured to use with your account. Click the Cloud Shell button on the menu in the upper-right of the Azure portal.
The button launches an interactive shell that you can use to run the steps in this topic:
Use RBAC to assign the MSI access to another resource
After you've enabled MSI on an Azure resource, such as an Azure VM:
If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription under which you would like to deploy the VM:
In this example, we are giving an Azure VM access to a storage account. First we use az resource list to get the service principal for the VM named "myVM", which was created when we enabled MSI on the VM:
spID=$(az resource list -n myVM --query [*].identity.principalId --out tsv)
Once we have the service principal ID, we use az role assignment create to give the VM "Reader" access to a storage account called "myStorageAcct":
az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/myStorageAcct
If the MSI for the resource does not show up in the list of available identities, verify that the MSI has been enabled correctly. In our case, we can go back to the Azure VM in the Azure portal and:
- Look at the "Configuration" page and ensure MSI enabled = "Yes."
- Look at the "Extensions" page and ensure the MSI extension deployed successfully.
If either is incorrect, you may need to redeploy the MSI on your resource again, or troubleshoot the deployment failure.
- For an overview of MSI, see Managed Service Identity overview.
- To enable MSI on an Azure VM, see Configure an Azure VM Managed Service Identity (MSI) using Azure CLI.
Use the following comments section to provide feedback and help us refine and shape our content.