I have a VM in a scale set which has a user-assigned MSI attached to it. This MSI has read access to a specific key vault, set up in its access policy tab.

From within a VM I need to access the key vault. az CLI is installed on the VM. When trying to log in I'm getting the following error:

> az login --identity -u /subscriptions/subscriptionId/resourcegroups/group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/name
No access was configured for the VM, hence no subscriptions were found

When I login interactively with az login and enter the displayed code at https://microsoft.com/devicelogin it works great...

However, the point of using MSI is to have it work without interaction...

Did somebody else have this problem?

Stefan Becker
baouss

1 Answer

az login --identity is for accessing Azure Resource Manager. This enables you to perform control-plane/management operations over Key Vault. This is the equivalent of getting a token for https://management.azure.com/

Key Vault access policies enable data-plane access to the Vault. For this, you'll need a token for https://vault.azure.net

Check out the following tutorials:

Linux: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-nonaad

Windows: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad

  • Thank you, I didn't realise this. I quickly confirmed this by giving the MSI reader access in IAM, et voilà, az login -i -u works. After that I am able to retrieve secrets via az cli. However, it was my understanding that the az cli is just a wrapper around the REST calls, so I expected *az keyvault secret -n name --vault-name vault* to be equivalent to the procedure demonstrated in your links. Also, previously, this same command (before it worked with your tips) asked me to sign in using az login... – baouss Feb 07 '19 at 07:30
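The data-plane path the answer points to, written out as an added example (this is not code from the question, the answer or the linked tutorials): ask the VM's instance metadata endpoint for a token whose audience is https://vault.azure.net rather than https://management.azure.com/, then call the Key Vault REST API with it. Because the identity is user-assigned, the token request must name it; IMDS accepts `client_id`, `object_id` or `mi_res_id` (the ARM resource ID the question passes to `-u`), and this example uses `client_id`. The vault name, secret name and client ID are placeholders you supply on the command line; the JSON shapes used in the parsing helpers are the documented IMDS and Key Vault responses, trimmed to the fields that matter.

```shell
#!/usr/bin/env bash
# Added example: Key Vault data-plane access from a VM via IMDS with a
# user-assigned managed identity. Not code from the original post.
set -eu

IMDS='http://169.254.169.254/metadata/identity/oauth2/token'

# Percent-encode ':' and '/' so the resource audience survives as a query value.
urlencode_resource() {
  printf '%s' "$1" | sed 's|:|%3A|g; s|/|%2F|g'
}

# Build the IMDS token request. $1 = audience (https://vault.azure.net for the
# data plane, https://management.azure.com/ for ARM). $2 = client_id of the
# user-assigned identity; leave empty for a system-assigned identity.
imds_token_url() {
  local resource="$1" client_id="${2:-}"
  local url="${IMDS}?api-version=2018-02-01&resource=$(urlencode_resource "$resource")"
  if [ -n "$client_id" ]; then
    url="${url}&client_id=${client_id}"
  fi
  printf '%s' "$url"
}

# Pull access_token out of the IMDS JSON reply (no jq dependency on the VM).
extract_access_token() {
  sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Pull the secret's "value" field out of the Key Vault JSON reply.
extract_secret_value() {
  sed -n 's/.*"value":"\([^"]*\)".*/\1/p'
}

# Key Vault REST URL for reading the current version of a secret.
kv_secret_url() {
  local vault="$1" name="$2"
  printf 'https://%s.vault.azure.net/secrets/%s?api-version=7.0' "$vault" "$name"
}

# End to end: token from IMDS (Metadata:true header is mandatory), then the
# secret. Fails loudly if IMDS returns no token, which is what you see when the
# identity is not attached to the VM or the client_id is wrong.
fetch_secret() {
  local vault="$1" name="$2" client_id="${3:-}" token
  token=$(curl -sS -H 'Metadata:true' \
            "$(imds_token_url 'https://vault.azure.net' "$client_id")" \
          | extract_access_token)
  if [ -z "$token" ]; then
    echo 'no access_token from IMDS: identity not attached or wrong client_id?' >&2
    return 1
  fi
  curl -sS -H "Authorization: Bearer ${token}" "$(kv_secret_url "$vault" "$name")" \
    | extract_secret_value
}

# Usage on the VM: ./kv.sh run <vault-name> <secret-name> [<identity-client-id>]
if [ "${1:-}" = 'run' ]; then
  fetch_secret "${2:?vault name}" "${3:?secret name}" "${4:-}"
fi
```

Note that this token grants only what the vault's access policy allows, and nothing in ARM, which is why it works without any IAM role on the subscription. The reverse is also true: the reader role the comment above adds satisfies `az login --identity` because the CLI enumerates subscriptions at login time, but it is not what the Key Vault access policy checks. If you want to keep the identity off the control plane entirely and still use the CLI, `az login --identity --allow-no-subscriptions` (a real az login flag) skips that enumeration.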