https://docs.microsoft.com/en-us/azure/active-directory/msi-overview
In short, MSI gives the VM its own Azure AD identity: code running on the VM asks a local endpoint for a token for that identity and sends it as the bearer token in the Authorization header of its Azure API calls, with no credential stored anywhere in the code. DevOps is just getting easier!
I lost count of how many times I was asked how to authenticate your code to Key Vault without hard-coded credentials or a certificate thumbprint. The good news is that now you can!
CI/CD tools like Jenkins, Puppet, Chef, etc. running in an Azure VM no longer need a Service Principal whose secret is exposed in their pipelines!
A-W-E-S-O-M-E
Perhaps the extension will also be available for computers which are Azure AD joined in the future? I hope so!
There are a few tutorials on Microsoft Docs on how to access Azure Resource Manager, Azure Storage and a non-Azure AD resource (Key Vault).
In this article, I will provide steps on how to get a token using a Windows VM with MSI to authenticate the code in a PowerShell script I have recently developed to manage Azure VM Scale Sets.
The full code can be found at:
https://github.com/fbinotto/AzureScaleSetManagement
First of all, we have to enable MSI on the VM where we will run the script. As of today (16/09/17), this cannot be done via the Azure portal here in Australia. I used PowerShell but you can also use ARM templates or CLI.
All steps to create a new Windows VM or update an existing Windows VM with MSI can be found in the following links:
https://docs.microsoft.com/en-us/azure/active-directory/msi-qs-configure-powershell-windows-vm
https://docs.microsoft.com/en-us/azure/active-directory/msi-qs-configure-template-windows-vm
https://docs.microsoft.com/en-us/azure/active-directory/msi-qs-configure-cli-windows-vm
I’m updating my existing Windows VM using PowerShell. The commands are as follows:
Login-AzureRmAccount
# Turn on the system-assigned identity for the VM; this creates a service principal in Azure AD for it
$vm = Get-AzureRmVM -ResourceGroupName sydprodrg01 -Name sydprodvm01
Update-AzureRmVM -ResourceGroupName sydprodrg01 -VM $vm -IdentityType "SystemAssigned"
# Install the MSI extension, which exposes the local token endpoint on the configured port
$settings = @{ "port" = 50342 }
Set-AzureRmVMExtension -ResourceGroupName sydprodrg01 -Location AustraliaEast -VMName sydprodvm01 -Name "ManagedIdentityExtensionForWindows" -Type "ManagedIdentityExtensionForWindows" -Publisher "Microsoft.ManagedIdentity" -TypeHandlerVersion "1.0" -Settings $settings
Next we assign the Contributor role to the service principal that was created for the VM, scoped to the resource group that holds the resources to be managed (keep the scope as narrow as the script actually needs; anything running on the VM will be able to use this identity):
# -SearchString is a prefix match: confirm $SP is a single object before assigning the role
$SP = Get-AzureRmADServicePrincipal -SearchString 'sydprodvm01'
New-AzureRmRoleAssignment -ObjectId $SP.Id.Guid -ResourceGroupName sydprodrg02 -RoleDefinitionName Contributor
Now we RDP to the VM, open PowerShell and run the following commands to retrieve the token. Note that the endpoint listens on localhost and performs no authentication of its own: any process or local user on the VM can call it and obtain the same token, so the role assignment above effectively applies to everything running on that VM.
# The Metadata header is mandatory; the resource is sent as a query parameter (-Body on a GET)
$response = Invoke-WebRequest -Uri http://localhost:50342/oauth2/token -Method GET -Body @{resource="https://management.azure.com/"} -Headers @{Metadata="true"} -UseBasicParsing
$content = $response.Content | ConvertFrom-Json
$ArmToken = $content.access_token
With that token in hand we can retrieve a resource, such as a scale set, from the resource group we have been granted permissions on. For example:
# The token goes in the Authorization header as a bearer token; a subscription-wide list returns only the scale sets this identity can read
$Uri = "https://management.azure.com/subscriptions/YOUR_SUBSCRIPTION_ID_HERE/providers/Microsoft.Compute/virtualMachineScaleSets?api-version=2017-03-30"
$scalesets = Invoke-RestMethod -Method Get -Headers @{Authorization="Bearer $ArmToken"} -Uri $Uri
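As an added end-to-end example (not code from the original post or from the AzureScaleSetManagement script), the PowerShell below wraps the token request and the ARM call from the steps above in reusable functions, records the token's expiry so a long-running script can refresh it, and decodes the token's claims so you can confirm that the identity ARM will see is the service principal you granted Contributor to. It assumes the extension port (50342) and resource group (sydprodrg02) used above; the subscription id is a placeholder, and the function names are my own.

```powershell
# Added example, not code from the original post. Assumes the MSI extension configured above
# is listening on localhost:50342 and that the VM identity holds Contributor on sydprodrg02.

function Get-MsiToken {
    param(
        [string]$Resource = "https://management.azure.com/",
        [int]$Port = 50342
    )
    # The Metadata header is mandatory; it stops generic forwarders (proxies, SSRF vectors)
    # from being tricked into requesting a token on behalf of a remote caller.
    $uri = "http://localhost:$Port/oauth2/token?resource=$([uri]::EscapeDataString($Resource))"
    try {
        $r = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Metadata = "true" } -UseBasicParsing
    }
    catch {
        throw "MSI token request failed: $($_.Exception.Message)"
    }
    if (-not $r.access_token) { throw "MSI endpoint returned no access_token for $Resource" }
    [pscustomobject]@{
        AccessToken = $r.access_token
        Resource    = $r.resource
        # expires_on is seconds since the Unix epoch
        ExpiresOn   = [DateTimeOffset]::FromUnixTimeSeconds([int64]$r.expires_on)
    }
}

function Get-JwtPayload {
    # Decode (not verify) the JWT payload so the caller can inspect the aud/oid/tid claims.
    param([Parameter(Mandatory)][string]$Jwt)
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Invoke-ArmGet {
    param(
        [Parameter(Mandatory)][string]$Path,        # ARM path below https://management.azure.com
        [Parameter(Mandatory)][string]$ApiVersion,
        [Parameter(Mandatory)][string]$AccessToken
    )
    $uri = "https://management.azure.com$Path?api-version=$ApiVersion"
    Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" } -UseBasicParsing
}

# --- usage on the VM (the subscription id below is a placeholder) ---
$token = Get-MsiToken
# In a long-running script, ask again shortly before expiry; the endpoint hands back a
# cached token and renews it itself, so there is nothing for the script to store.
if ($token.ExpiresOn -lt [DateTimeOffset]::UtcNow.AddMinutes(5)) { $token = Get-MsiToken }

$claims = Get-JwtPayload $token.AccessToken
# 'aud' must be the ARM resource and 'oid' must be the VM's service principal object id,
# i.e. the same id passed to New-AzureRmRoleAssignment.
Write-Host "aud=$($claims.aud) oid=$($claims.oid) tid=$($claims.tid) expires=$($token.ExpiresOn)"

$subscriptionId = "YOUR_SUBSCRIPTION_ID_HERE"
$path = "/subscriptions/$subscriptionId/resourceGroups/sydprodrg02/providers/Microsoft.Compute/virtualMachineScaleSets"
$scalesets = Invoke-ArmGet -Path $path -ApiVersion "2017-03-30" -AccessToken $token.AccessToken
$scalesets.value | Select-Object name, location, @{ n = 'capacity'; e = { $_.sku.capacity } }
```

Decoding the payload is only for inspection; the script does not validate the signature, since it is ARM, not your code, that has to trust the token. If `oid` does not match the principal you assigned the role to, the role assignment was made against the wrong object and ARM will return 403.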
No more excuses to have hard coded credentials and secrets in your code!