
In AWS, you can assign a role to a VM, which then authorizes the instance when it makes queries to the AWS SDK. I am looking for similar functionality in Azure, or something that would enable me to do close to that.

I found this post which suggests that this is not possible in the way AWS does it. Are there any workarounds for this? I really don't want the system administrator to have to log in to the instance and give their Azure Active Directory credentials to authorize it.

1 Answer

Excellent question :). I would suggest waiting a few days, we have something in progress that seems to fit your need. I created this issue for tracking.

The simplest would be to create Service Principal credentials for these VMs. To do that, execute a post-deployment script to install the CLI and run "az ad sp create-for-rbac --sdk-auth >~/mycredentials.json". Then, you can start the SDK script reading this credential file.

The "create-for-rbac" command already exists if you want to look at it (--sdk-auth is the new option coming), so you can see that you can specify all the scopes and permissions needed in this command.

(I own the Azure SDK for Python at MS)

Laurent Mazuel
  • Thanks for this information. I am slightly confused on how a post deployment script to install the Azure CLI and run this credential generator on the instance will solve the problem. In order to run this command, the Azure CLI needs to be logged in, which requires administrator intervention. Is the correct usage actually to have the administrator run this command on their own system (or the Portal Bash Shell) to generate the credential file, and then pass the credentials in as user-data to the instance when it is created? – Jayden Navarro Jul 05 '17 at 16:16
  • Another question I had was about the "--years" parameter, is there a way to set this to infinity? – Jayden Navarro Jul 05 '17 at 16:19
  • Good point, give me a few days to think about this and discuss with the VM team. – Laurent Mazuel Jul 06 '17 at 05:49
  • In regards to usage, is the Azure CLI command meant to be used from the administrator side or the instance VM side? – Jayden Navarro Jul 14 '17 at 18:39
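The answer above leaves the consuming side implicit: a script on the VM has to read the `--sdk-auth` JSON file and turn it into a credential object. The following is an added example, not code from the answer or from the Azure SDK itself, showing how a Python script would do that while treating the file as what it is, a long-lived client secret on disk. It refuses to use a file that is readable by group or others, validates that the required fields are present, and only then builds an `azure.identity.ClientSecretCredential` (the `azure-identity` package is assumed to be installed; the sample file contents are constructed placeholders, not real credentials, and `write_sample_file` exists only so the example can run without a real `az` login).

```python
import json
import os
import stat
from urllib.parse import urlparse

# Constructed sample in the shape `az ad sp create-for-rbac --sdk-auth` writes.
# Every value is a placeholder, not a real tenant, app or secret.
SAMPLE_SDK_AUTH = {
    "clientId": "00000000-0000-0000-0000-000000000001",
    "clientSecret": "PLACEHOLDER-CLIENT-SECRET",
    "subscriptionId": "00000000-0000-0000-0000-000000000002",
    "tenantId": "00000000-0000-0000-0000-000000000003",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
}

# Fields a script cannot do without; the endpoint URLs have sane defaults.
REQUIRED_KEYS = ("clientId", "clientSecret", "subscriptionId", "tenantId")


class CredentialFileError(Exception):
    """Raised when the sdk-auth file is missing fields or is exposed on disk."""


def is_private(path):
    """True only if no group/other permission bit is set (i.e. 0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def load_sdk_auth(path, require_private=True):
    """Parse an sdk-auth JSON file into the arguments ClientSecretCredential needs.

    The secret in this file is equivalent to a password for the service
    principal, so by default a file readable by anyone else on the VM is rejected.
    """
    if require_private and not is_private(path):
        raise CredentialFileError(
            f"{path} is readable by group/other; chmod 600 it before use")
    with open(path, "r", encoding="utf-8") as fh:
        data = json.load(fh)
    missing = [k for k in REQUIRED_KEYS if not data.get(k)]
    if missing:
        raise CredentialFileError(f"{path} lacks required keys: {missing}")
    # azure-identity expects the authority as a host name, not a full URL.
    endpoint = data.get("activeDirectoryEndpointUrl", "https://login.microsoftonline.com")
    authority = urlparse(endpoint).netloc or endpoint
    return {
        "tenant_id": data["tenantId"],
        "client_id": data["clientId"],
        "client_secret": data["clientSecret"],
        "subscription_id": data["subscriptionId"],
        "authority": authority,
    }


def make_credential(auth):
    """Build the credential object; assumes `azure-identity` is installed."""
    from azure.identity import ClientSecretCredential  # imported lazily on purpose
    return ClientSecretCredential(
        auth["tenant_id"], auth["client_id"], auth["client_secret"],
        authority=auth["authority"])


def write_sample_file(directory, name, mode):
    """Helper for the demo only: write the constructed sample with a given mode."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_SDK_AUTH, fh)
    os.chmod(path, mode)  # set explicitly so the umask does not interfere
    return path


if __name__ == "__main__":
    import tempfile
    workdir = tempfile.mkdtemp()
    good = write_sample_file(workdir, "mycredentials.json", 0o600)
    auth = load_sdk_auth(good)
    print("loaded credentials for subscription", auth["subscription_id"])
    leaky = write_sample_file(workdir, "leaky.json", 0o644)
    try:
        load_sdk_auth(leaky)
    except CredentialFileError as exc:
        print("rejected:", exc)
```

On a real VM the post-deployment script would write `~/mycredentials.json` with `umask 077` (or `chmod 600` it afterwards) so the check passes, and the SDK client would be built with `make_credential(auth)` plus `auth["subscription_id"]`. The permission check is deliberately on by default: the file holds a reusable secret, and a world-readable copy is the most common way such a file ends up in the hands of another user or process on the same machine.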