https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/key-vault-windows

The above documentation gives an important note:

Important

The 'authenticationSettings' property is required only for VMs with user assigned identities. It specifies identity to use for authentication to Key Vault.

Important

If you specify the 'msiClientId', then the 'msiEndpoint' property is required. Usually the value should be set to http://169.254.169.254/metadata/identity/oauth2/token.

I have a user-assigned managed identity assigned to the VMSS, and a Key Vault access policy that allows this user-assigned managed identity.

I have an AKV extension for VMSS. Is authenticationSettings really needed? The documentation seems to suggest that it is needed, but also seems to suggest it is needed only when msiClientId is specified.

KRR

1 Answer

As you are using the user-assigned managed identity for the VMSS, the AuthenticationSettings is needed to access Key Vault from the VMSS.

The AKV extension should have the AuthenticationSettings with the fields below:

  • msiEndpoint
  • msiClientId

The msiEndpoint http://169.254.169.254/metadata/identity/oauth2/token is used to generate the access token for the user-assigned managed identity to access the Key Vault.

RamaraoAdapa
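A lint check for the two "Important" notes quoted in the question and the fields listed in the answer, as an added example that is not part of the original posts or Microsoft's code. It assumes an ARM-template-shaped VMSS resource; `lint_keyvault_extension`, `sample_vmss`, the extension name and the placeholder values are hypothetical.

```python
# Added example: lint a VMSS definition against the two "Important" notes.
USUAL_MSI_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"

def lint_keyvault_extension(vmss: dict) -> list:
    """Return findings for Key Vault extensions in an ARM-style VMSS resource."""
    findings = []
    # identity.type may be "UserAssigned" or "SystemAssigned, UserAssigned".
    user_assigned = "userassigned" in vmss.get("identity", {}).get("type", "").lower()
    extensions = (vmss.get("properties", {}).get("virtualMachineProfile", {})
                  .get("extensionProfile", {}).get("extensions", []))
    for ext in extensions:
        props = ext.get("properties", {})
        if props.get("publisher") != "Microsoft.Azure.KeyVault":
            continue
        name = ext.get("name", "<unnamed>")
        auth = props.get("settings", {}).get("authenticationSettings")
        if auth is None:
            if user_assigned:
                findings.append(f"{name}: user-assigned identity but no authenticationSettings")
            continue
        endpoint = auth.get("msiEndpoint")
        if auth.get("msiClientId") and not endpoint:
            findings.append(f"{name}: msiClientId set without msiEndpoint")
        # The docs say "usually", so a different endpoint is a review item, not an error.
        if endpoint and endpoint != USUAL_MSI_ENDPOINT:
            findings.append(f"{name}: msiEndpoint differs from the usual value")
    return findings

def sample_vmss(auth_settings=None) -> dict:
    """Constructed sample resource; vault, certificate and client ID are placeholders."""
    settings = {"secretsManagementSettings": {"observedCertificates": [
        "https://<vault-name>.vault.azure.net/secrets/<cert-name>"]}}
    if auth_settings is not None:
        settings["authenticationSettings"] = auth_settings
    return {
        "identity": {"type": "UserAssigned"},
        "properties": {"virtualMachineProfile": {"extensionProfile": {"extensions": [{
            "name": "KVVMExtensionForWindows",
            "properties": {"publisher": "Microsoft.Azure.KeyVault",
                           "type": "KeyVaultForWindows", "settings": settings},
        }]}}},
    }

if __name__ == "__main__":
    client_id = "<client-id-of-user-assigned-identity>"
    print(lint_keyvault_extension(sample_vmss()))
    print(lint_keyvault_extension(sample_vmss({"msiClientId": client_id})))
    print(lint_keyvault_extension(sample_vmss(
        {"msiEndpoint": USUAL_MSI_ENDPOINT, "msiClientId": client_id})))
```
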