Assign a managed identity access to a resource using Azure CLI
Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.
Once you've configured an Azure resource with a managed identity, you can give the managed identity access to another resource, just like any security principal. This example shows you how to give an Azure virtual machine or virtual machine scale set's managed identity access to an Azure storage account using Azure CLI.
- If you don't already have an Azure account, sign up for a free account before continuing.
- If you're unfamiliar with managed identities for Azure resources, see What are managed identities for Azure resources?. To learn about system-assigned and user-assigned managed identity types, see Managed identity types.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Use Azure RBAC to assign a managed identity access to another resource
In this example, we are giving an Azure virtual machine access to a storage account. First, we use az resource list to get the service principal ID for the virtual machine named myVM (the JMESPath query is quoted so the shell does not treat [*] as a filename glob):
spID=$(az resource list -n myVM --query '[*].identity.principalId' --out tsv)
For an Azure virtual machine scale set, the command is the same, except that here you get the service principal ID for the virtual machine scale set named "DevTestVMSS":
spID=$(az resource list -n DevTestVMSS --query '[*].identity.principalId' --out tsv)
Once you have the service principal ID, use az role assignment create to give the virtual machine or virtual machine scale set "Reader" access to a storage account called "myStorageAcct":
az role assignment create --assignee $spID --role 'Reader' --scope /subscriptions/<mySubscriptionID>/resourceGroups/<myResourceGroup>/providers/Microsoft.Storage/storageAccounts/myStorageAcct
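The two commands above are the whole procedure, but they silently do the wrong thing in two cases: if the identity is not enabled, az resource list returns an empty string and the role assignment fails with an unhelpful error; if another resource in the subscription shares the name, the query returns several IDs on separate lines. The following script is an added example (not part of this page or the Azure CLI documentation) that runs the same steps with those checks in place. It assumes the Azure CLI is installed and signed in; the environment variable names (VM_NAME, RESOURCE_GROUP, SUBSCRIPTION_ID, STORAGE_ACCOUNT, ROLE) and the function names are this script's own. It also makes the lookup resource-group and resource-type specific, and passes the principal to az role assignment create as an object ID with an explicit principal type, which skips the directory lookup that can fail for a just-created identity.

```shell
#!/bin/sh
# Added example, not from the Microsoft docs page: give a VM's system-assigned
# managed identity a role on a storage account, with input validation.
# Assumes: Azure CLI installed and signed in (az login). Variable and function
# names below are this script's own assumptions.
set -eu

# Build the ARM resource ID of a storage account; this is the --scope value.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' \
    "$1" "$2" "$3"
}

# True only if the argument is exactly one GUID on one line. An empty string
# (identity not enabled) or several IDs (name matched more than one resource)
# both fail this check instead of producing a broken role assignment.
is_guid() {
  [ "$(printf '%s' "$1" | grep -c '')" -eq 1 ] &&
    printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Service principal (object) ID of a resource's system-assigned identity.
# Same command as on the page, narrowed by resource group and resource type so a
# same-named resource elsewhere in the subscription cannot be picked up.
# Use Microsoft.Compute/virtualMachineScaleSets as the type for a scale set.
principal_id() {
  az resource list -g "$1" -n "$2" --resource-type "$3" \
    --query '[*].identity.principalId' --out tsv
}

# Create the role assignment. --assignee-object-id plus an explicit principal
# type avoids the directory lookup performed for a bare --assignee value.
assign_role() {
  az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "$2" --scope "$3" --output none
}

main() {
  role="${ROLE:-Reader}"
  scope=$(storage_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")
  sp=$(principal_id "$RESOURCE_GROUP" "$VM_NAME" Microsoft.Compute/virtualMachines)
  if ! is_guid "$sp"; then
    echo "expected exactly one principal ID for $VM_NAME, got: '$sp'" >&2
    echo "enable the system-assigned identity on the VM and check the name" >&2
    exit 1
  fi
  assign_role "$sp" "$role" "$scope"
  echo "assigned $role to $sp on $scope"
}

# Only talk to Azure when the caller supplies the inputs; the helpers above can
# be sourced and exercised without a subscription.
if [ -n "${VM_NAME:-}" ]; then
  : "${SUBSCRIPTION_ID:?}" "${RESOURCE_GROUP:?}" "${STORAGE_ACCOUNT:?}"
  main
fi
```

Run it as `VM_NAME=myVM RESOURCE_GROUP=myResourceGroup SUBSCRIPTION_ID=<mySubscriptionID> STORAGE_ACCOUNT=myStorageAcct sh assign.sh`. Note that "Reader", the role used on this page, is a control-plane role: it lets the identity see the storage account's properties but not read blob or queue contents. If the workload needs data access, set ROLE to a data-plane role such as "Storage Blob Data Reader", and keep the scope as narrow as the workload allows (the storage account, or a single container, rather than the resource group or subscription).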
- Managed identities for Azure resources overview
- To enable managed identity on an Azure virtual machine, see Configure managed identities for Azure resources on an Azure VM using Azure CLI.
- To enable managed identity on an Azure virtual machine scale set, see Configure managed identities for Azure resources on a virtual machine scale set using Azure CLI.