Shawn

Reputation: 43

Errors using Azure Managed Identity to connect to Azure Automation from VS Code

About 8 months ago I built several automation runbooks that successfully run using a System-Assigned Managed Identity. I used this code excerpt from this thread, Accessing Azure AD using a Managed Identity to connect to Azure AD using the Managed Identity. This code works perfectly when executed from the Azure Automation portal.

# Sign in as the Automation account's System-Assigned Managed Identity (only works inside Azure).
Connect-AzAccount -Identity
# Grab the Az context the identity just created; the raw token calls below need account, environment and tenant.
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
# Request tokens from the same session: one for Microsoft Graph, one for the legacy Azure AD Graph endpoint.
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Write-Output "Hi I'm $($context.Account.Id)"
# The AzureAD module accepts the Azure AD Graph token directly; no client secret is stored anywhere.
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id | Out-Null
Write-Output "Success!`n"

Due to the impending deprecation of the AzureAD PowerShell module, I am in the process of converting the scripts to use Microsoft Graph instead of AzureAD. I have recently installed the Azure Automation extension in VS Code to edit the Runbooks. When I test a runbook in VSC, it fails because it's not able to get a token. I get this error:

Connect-azaccount -identity
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.

Looking at the Managed Identity IAM properties in Azure, I am the Owner and User Access Administrator. There are no Deny Assignments to the identity. How can I allow VSC on my local machine to get a token from the Managed Identity to run the Runbook? Is there a better way? Using Graph, perhaps?

Thank you for your time.

P.S. I reviewed the 2 questions Stack Overflow presented before posting. The first did not correspond to my problem, and the second was regarding User-Assigned Managed Identities, not System-assigned.

Upvotes: 0

Views: 644

Answers (1)

Gaurav Mantri

Reputation: 136126

The reason you are getting this error is because a system-assigned managed identity cannot be used locally (same is true for a user-assigned managed identity). It can only be used in Azure.

A system-assigned managed identity is an identity (basically an Entra ID user) assigned to an Azure resource. From this link:


Upvotes: 0
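The practical consequence of the answer above is that a runbook has to pick its sign-in method from where it is running: the managed identity endpoint exists only inside the Automation sandbox, so a local test run needs a different credential. The following is an added example, not code from the question or the answer, showing one runbook body that uses Connect-AzAccount -Identity in Azure, falls back to an interactive Az login locally (for example from the VS Code extension), and then hands the Microsoft Graph token to the Microsoft.Graph SDK in place of the deprecated AzureAD module. It assumes the Az.Accounts, Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are installed, and it assumes that $PSPrivateMetadata.JobId and $env:AUTOMATION_ASSET_ACCOUNTID are reliable markers of the Azure Automation sandbox; neither marker is stated on this page.

```powershell
# Added example (not from the original question or answer).
# Assumptions: Az.Accounts, Microsoft.Graph.Authentication and Microsoft.Graph.Users are installed;
# $PSPrivateMetadata.JobId / $env:AUTOMATION_ASSET_ACCOUNTID mark an Azure Automation job (assumed, not from the page).

function Test-InAzureAutomation {
    # Both values are populated only when the script runs as an Automation job;
    # locally (PowerShell console, VS Code) they are empty, so we fall back to a user login.
    $jobId = $PSPrivateMetadata.JobId
    return ($null -ne $jobId) -or (-not [string]::IsNullOrEmpty($env:AUTOMATION_ASSET_ACCOUNTID))
}

function Connect-RunbookAz {
    param([string] $TenantId)

    if (Test-InAzureAutomation) {
        # In Azure: the sandbox exposes the managed identity endpoint, so no secret is needed or stored.
        Connect-AzAccount -Identity | Out-Null
    }
    else {
        # Locally there is no managed identity endpoint (the "ManagedIdentityCredential
        # authentication unavailable" error), so sign in as yourself. The user you sign in as
        # must hold the same Graph permissions the managed identity has, or the run will
        # pass authentication and then fail authorization on the Graph calls.
        $params = @{}
        if ($TenantId) { $params.TenantId = $TenantId }
        Connect-AzAccount @params | Out-Null
    }
    return Get-AzContext
}

function Get-GraphSecureToken {
    # Get-AzAccessToken returns .Token as a plain string in older Az.Accounts releases and
    # as a SecureString in newer ones; Connect-MgGraph (Microsoft.Graph 2.x) accepts only a SecureString.
    $token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    if ($token -is [System.Security.SecureString]) {
        return $token
    }
    return ConvertTo-SecureString -String $token -AsPlainText -Force
}

# --- runbook body ---
$context = Connect-RunbookAz
Write-Output "Running as $($context.Account.Id) in tenant $($context.Tenant.Id)"

# Reuse the Az session's Graph token rather than prompting a second time.
# Never Write-Output the token: runbook job output is persisted and readable by anyone who can view jobs.
Connect-MgGraph -AccessToken (Get-GraphSecureToken) -NoWelcome
$mg = Get-MgContext
Write-Output "Graph auth type: $($mg.AuthType); scopes: $($mg.Scopes -join ', ')"

# Example Graph call that replaces Get-AzureADUser from the old module.
Get-MgUser -Top 5 -Property DisplayName, UserPrincipalName |
    Select-Object DisplayName, UserPrincipalName
```

Two things are worth checking before relying on this pattern. First, a local run under your own account is not a faithful test of the managed identity's permissions; confirm the final version by starting the runbook in Azure at least once and reading the job output. Second, if you later need to test locally without an interactive prompt, use a dedicated app registration with its own credential rather than trying to export anything from the managed identity, since its credential never leaves the Azure platform.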
