0

In the custom script extension of a VM I want to execute this command:

#download azcopy from http://aka.ms/downloadazcopy
c:\azcopy login --identity
C:\azcopy copy https://mystorage.blob.core.windows.net/software C:\Temp --recursive

But for this to work the identity of the VM need to be added as "Storage Blob Data Contributor". In terraform we could do it this way

resource"azurerm_role_assignment""role" {​​​​​​​​
scope= data.azurerm_storage_account.vault.id
role_definition_name="Storage Blob Data Contributor"
principal_id= azurerm_windows_virtual_machine.vm.identity.0.principal_id
}​​​​​​​​

But if we do not use terraform and instead use Azure DevOps and ARM templates, how would you execute it ? Because the VM is not created yet to give identity access. Custom script extension is part of the creation.

Blue Clouds
  • 7,295
  • 4
  • 71
  • 112

1 Answers1

2

You can enable a system-assigned managed identity using an Azure Resource Manager template. Reference here.

Step1

To enable system-assigned managed identity, locate the Microsoft.Compute/virtualMachines resource of interest within the resources section and add the "identity" property at the same level as the "type": "Microsoft.Compute/virtualMachines" property. Use the following syntax:

"identity": {
    "type": "SystemAssigned"
},

Step2

When you're done, the following sections should be added to the resource section of your template and it should resemble the following:

"resources": [
     {
         //other resource provider properties...
         "apiVersion": "2018-06-01",
         "type": "Microsoft.Compute/virtualMachines",
         "name": "[variables('vmName')]",
         "location": "[resourceGroup().location]",
         "identity": {
             "type": "SystemAssigned",
             },
         },

         //The following appears only if you provisioned the optional VM extension (to be deprecated)
         {
         "type": "Microsoft.Compute/virtualMachines/extensions",
         "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
         "apiVersion": "2018-06-01",
         "location": "[resourceGroup().location]",
         "dependsOn": [
             "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
         ],
         "properties": {
             "publisher": "Microsoft.ManagedIdentity",
             "type": "ManagedIdentityExtensionForWindows",
             "typeHandlerVersion": "1.0",
             "autoUpgradeMinorVersion": true,
             "settings": {
                 "port": 50342
             }
         }
     }
 ]

Step3

Grant it a role "Storage Blob Data Contributor" access to the resource group in which it was created.

Under the parameters section add the following:

"builtInRoleType": {
    "type": "string",
    "defaultValue": "StorageBlobDataContributor"
},
"rbacGuid": {
    "type": "string"
}

Under the variables section add the following:

"StorageBlobDataContributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]"

Under the resources section add the following:

{
    "apiVersion": "2017-09-01",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "[parameters('rbacGuid')]",
    "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[reference(variables('vmResourceId'), '2017-12-01', 'Full').identity.principalId]",
        "scope": "[resourceGroup().id]"
    },
     "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
    ]
}

Update

To grant the identity with an RBAC role to access a specific storage account. Refer to this answer.

      {
        "apiVersion": "2018-01-01-preview",
        "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments", 
        "name": "[concat(variables('storageAccountName'), '/Microsoft.Authorization/',parameters('rbacGuid'))]",
        "properties": {
            "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
            "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines',parameters('vmName')), '2017-12-01', 'Full').identity.principalId]"
        },
        "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
        ]
}

enter image description here enter image description here

Nancy
  • 26,865
  • 3
  • 18
  • 34
  • Great! So this VM will have access to all the storage accounts in the subscription? What if we want to restrict to a certain RG or storage account? – Blue Clouds Jan 06 '21 at 04:38