Problem connecting to Azure with a User Assigned Managed identity

Mike Welborn 46 Reputation points
2023-01-05T21:25:37.867+00:00

To set the context, I am just now trying to learn how to use managed identities and am trying to set up a simple scale up/scale down automation task.

I have created
Managed Identity: sql-dev-id
Role assignments
Contributor <database name> SQL Server
Reader <subscription name> Subscription
Reader <resource group name> Resource Group

I have created an Automation Account: DBA-DEV-AutomationAccount
On the Identity blade I have added my user assigned identity sql-dev-id

I created a simple runbook just to connect before I try to do anything else. That code is shown below

$identity = Get-AzUserAssignedIdentity -ResourceGroupName 'SQL-DEV-RG' -Name 'sql-dev-id'
Connect-AzAccount -Identity -AccountId $identity.ClientId

This was a sample that I found when going through tutorials

When I run the code, I get the following error
"Failed
Cannot bind argument to parameter 'SubscriptionId' because it is null."

I tried to add the subscription ID manually

$identity = Get-AzUserAssignedIdentity -ResourceGroupName 'SQL-DEV-RG' -Name 'sql-dev-id'
Connect-AzAccount -Identity -AccountId $identity.ClientId -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

And I get the same error

I have no idea how to correct this error. Any ideas would be greatly appreciated


Accepted answer
    Peter T 326 Reputation points
    2023-01-24T09:35:15.8233333+00:00

    Hi,

    I suspect Get-AzUserAssignedIdentity is expecting a subscription ID as there is no Azure context set in the script at the time of running the cmdlet.

    I suggest using the Connect-AzAccount cmdlet as follows for connecting:

    Connect-AzAccount -Identity -AccountId <user-assigned-identity-ClientId>

    For the -AccountId parameter you can find the identifier on the overview plane for the managed identity, under Client ID.

    Relevant documentation can be found here.

    Edit:

    Afterwards the Set-AzContext cmdlet can be used to set the subscription explicitly, however if the identity has access to only one subscription, it should default to that one.

    If you don't want to "hard code" the client ID into the script itself, it can be moved to an automation variable and the Get-AutomationVariable -Name <variable-name> internal cmdlet can be used without authentication towards Azure.

    BR,

    Peter

    1 person found this answer helpful.
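A complete runbook that follows the accepted answer's approach (connect first with Connect-AzAccount -Identity -AccountId, then set the subscription explicitly, with the client ID kept out of the script in an automation variable). This is an added example, not code from the question, the answer, or Microsoft's documentation. The automation variable names SqlDevIdentityClientId and TargetSubscriptionId are assumed; the identity sql-dev-id and the Automation Account setup are as described in the question.

```powershell
# Added example runbook (not from the original post or answer).
# Assumes: an Automation Account with the user-assigned identity sql-dev-id attached,
# and two automation variables (hypothetical names): 'SqlDevIdentityClientId' holding
# that identity's Client ID and 'TargetSubscriptionId' holding the subscription ID.
$ErrorActionPreference = 'Stop'

# 1. Read the client ID from an automation variable. Get-AutomationVariable is an
#    internal runbook cmdlet and needs no Azure authentication, so it is safe to call
#    before any Az context exists (unlike Get-AzUserAssignedIdentity, which needs one).
$clientId = Get-AutomationVariable -Name 'SqlDevIdentityClientId'
if ([string]::IsNullOrWhiteSpace($clientId)) {
    throw "Automation variable 'SqlDevIdentityClientId' is empty or missing."
}

# 2. Authenticate as the user-assigned managed identity. This is the first Az call
#    in the runbook, so nothing upstream can fail on a missing subscription context.
Connect-AzAccount -Identity -AccountId $clientId | Out-Null

# 3. Pin the subscription explicitly instead of relying on the default. If the
#    identity lacks a Reader (or higher) assignment on that subscription, this
#    fails here with a clear message rather than later inside the scaling step.
$subscriptionId = Get-AutomationVariable -Name 'TargetSubscriptionId'
Set-AzContext -Subscription $subscriptionId | Out-Null

# 4. Verify that the context really is the managed identity and the intended
#    subscription before doing anything that changes state.
$ctx = Get-AzContext
if ($ctx.Account.Type -ne 'ManagedService') {
    throw "Expected a managed identity context, got account type '$($ctx.Account.Type)'."
}
if ($ctx.Subscription.Id -ne $subscriptionId) {
    throw "Context resolved to subscription '$($ctx.Subscription.Id)', expected '$subscriptionId'."
}
Write-Output "Connected as $($ctx.Account.Id) to subscription '$($ctx.Subscription.Name)' ($($ctx.Subscription.Id))"

# The scale up/scale down logic from the question would follow here, running under
# the identity's Contributor assignment on the SQL Server only.
```

Both automation variables can be created as encrypted variables; Get-AutomationVariable still returns their values inside the runbook, so the client ID never appears in the runbook source or in job logs. The explicit Set-AzContext plus the two checks in step 4 turn a wrong role assignment or a wrong variable value into an early, readable failure instead of a confusing error from a later cmdlet.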
