Assign a Managed Service Identity (MSI) access to a resource using Azure CLI

Managed Service Identity (MSI) is a preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.

Once you've configured an Azure resource with an MSI, you can give the MSI access to another resource, just like any security principal. This example shows you how to give an Azure virtual machine's MSI access to an Azure storage account, using Azure CLI.

Prerequisites

If you're unfamiliar with MSI, check out the Managed Service Identity overview.

If you don't already have an Azure account, sign up for a free account before continuing.

To run the CLI script examples, you have three options:

  • Use Azure Cloud Shell from the Azure portal (see next section).
  • Use the embedded Azure Cloud Shell via the "Try It" button, located in the top right corner of each code block.
  • Install the latest version of CLI 2.0 (2.0.13 or later) if you prefer to use a local CLI console.

Launch Azure Cloud Shell

The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It has the Azure CLI preinstalled and configured to use with your account. Click the Cloud Shell button on the menu in the upper-right of the Azure portal.

The button launches an interactive shell that you can use to run the steps in this topic:

Screenshot showing the Cloud Shell window in the portal

Use RBAC to assign the MSI access to another resource

After you've enabled MSI on an Azure resource, such as an Azure VM:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that has access to the subscription containing the VM whose MSI you want to grant access to (Cloud Shell is already signed in):

    az login
    
  2. In this example, we are giving an Azure VM access to a storage account. First we use az resource list to get the ID of the service principal that was created for the VM named "myVM" when we enabled MSI on it. The JMESPath query is quoted so the shell does not treat "[*]" as a filename glob; add -g <myResourceGroup> if other resources in the subscription share the name:

    spID=$(az resource list -n myVM --query '[*].identity.principalId' --out tsv)
    
  3. Once we have the service principal ID, we use az role assignment create to give the VM "Reader" access to a storage account called "myStorageAcct". Replace <mySubscriptionID> and <myResourceGroup> with the subscription and resource group that contain the storage account:

    az role assignment create --assignee "$spID" --role 'Reader' --scope /subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/myStorageAcct
    
    Reader is a control-plane role: it lets the VM read the storage account's properties through Azure Resource Manager, but it does not by itself grant access to the data stored in the account. Grant only the role the workload actually needs, and keep the scope as narrow as this example does (the storage account itself, not its resource group or the whole subscription).
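The three steps above as one script, added here as an example and not code from the original article. It looks up the VM's MSI principal with az vm show --query identity.principalId (instead of az resource list), refuses to continue if no principal ID comes back, builds the storage account scope from the signed-in subscription, and reads the assignment back with az role assignment list so a silent failure is caught. The resource group, VM and storage account names are assumed and passed as arguments; it requires a signed-in Azure CLI 2.0.13 or later.

```shell
#!/bin/sh
# Added example (not from the original article): grant a VM's MSI the Reader
# role on a storage account and verify the assignment. Resource names are
# assumed and passed as arguments; requires a signed-in Azure CLI 2.0.13+.
set -eu

# Build the ARM resource ID used as the --scope value for a storage account.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$1" "$2" "$3"
}

# A principal ID is a GUID. An empty or malformed value means the VM has no
# MSI; passing it to --assignee would fail or resolve to the wrong principal.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Read the MSI's service principal ID straight from the VM resource.
msi_principal_id() {
  az vm show -g "$1" -n "$2" --query identity.principalId -o tsv
}

# Create the assignment, then read it back; prints how many Reader assignments
# for this principal exist at the scope (0 means the grant did not take).
grant_reader() {
  az role assignment create --assignee "$1" --role Reader --scope "$2" >/dev/null
  az role assignment list --assignee "$1" --scope "$2" \
    --query "[?roleDefinitionName=='Reader'] | length(@)" -o tsv
}

# usage: grant-msi-reader.sh <vmResourceGroup> <vmName> <storageAccount> [storageResourceGroup]
main() {
  vm_rg="$1"; vm="$2"; acct="$3"; acct_rg="${4:-$1}"
  sub=$(az account show --query id -o tsv)
  sp=$(msi_principal_id "$vm_rg" "$vm")
  if ! is_guid "$sp"; then
    echo "no MSI principal on VM $vm; check that MSI is enabled" >&2
    return 1
  fi
  scope=$(storage_scope "$sub" "$acct_rg" "$acct")
  count=$(grant_reader "$sp" "$scope")
  if [ "${count:-0}" -lt 1 ]; then
    echo "assignment for $sp not visible at $scope" >&2
    return 1
  fi
  echo "Reader granted to $sp on $scope"
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as grant-msi-reader.sh myResourceGroup myVM myStorageAcct; pass a fourth argument when the storage account lives in a different resource group than the VM. The GUID check is what turns the troubleshooting advice below into a hard stop: a VM without MSI yields an empty principal ID, and the script exits before any role assignment is attempted.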

Troubleshooting

If the query in step 2 returns an empty principal ID, or the MSI for the resource does not show up in the portal's list of available identities, verify that the MSI has been enabled correctly. In our case, we can go back to the Azure VM in the Azure portal and:

  • Look at the "Configuration" page and ensure MSI enabled = "Yes."
  • Look at the "Extensions" page and ensure the MSI extension deployed successfully.

If either is incorrect, redeploy the MSI on your resource, or troubleshoot the deployment failure before retrying the role assignment.
