Use a Windows VM system-assigned managed identity to access Azure Storage via a SAS credential

Tutorial: Use managed identity to access Azure Storage using SAS credential – Azure AD – Microsoft Entra | Microsoft Docs

  • Create a storage account
  • Grant your VM access to a storage account SAS in Resource Manager
  • Get an access token using your VM’s identity, and use it to retrieve the SAS from Resource Manager

The VM is deployed with this script (good for testing all the ARM templates over and over again):

azure-arm-104/deploy_vm.ps1 at master · spawnmarvel/azure-arm-104 · GitHub

So the VM is ready

We deployed it in a secure external vnet and subnet with its own security group on the subnet.

So this bypasses all the rules that were deployed automatically in the NSG for the VM, test-292-nsg.

So to use RDP we must create a new rule in the security group.

Get my ip:

What Is My IP? Quickly See My IP Address and My IP Location

Add only that IP as the source for RDP.

Now we are in:

Enabling a system-assigned managed identity is a one-click experience. You can either enable it during the creation of a VM or in the properties of an existing VM.

Successfully registered ‘test-292-vmname’ with Azure Active Directory.

The "Blob container in a storage account" step is already done; it is an old storage account.

We will just create a container for this test and name it testmaidentity. We keep all default settings and security.

Upload a local file helloworld.txt to the container

Now for the fun

Grant access

Navigate back to the storage account.

Select Access control (IAM).

Select Add > Add role assignment to open the Add role assignment page.

  • Role: Storage Blob Data Reader (later it was given Contributor, because the tutorial changed)
  • Assign access to Managed identity
  • System-assigned Virtual Machine
  • Select our vm

And we see our VM; now add it and select Review + create.

test-292-vmname was added as Storage Blob Data Reader for testit3straccount.

Now let's use PowerShell for accessing the container.

For the step:

  • Get an access token using your VM’s identity, and use it to retrieve the SAS from Resource Manager

(Be sure to install the Azure Storage cmdlets first, using Install-Module Azure.Storage if not present; it was present on Windows Server 2019.)

I met a few errors:

Invoke-WebRequest : {"error":{"code":"AuthorizationFailed","message":"The client 'xxxxx' with object id 'xxxx' does not have authorization to 
perform action 'Microsoft.Storage/storageAccounts/listServiceSas/action' over scope 

# You need to go to your subscription and grant object id 'xxx' Contributor permissions (the easy way), or create a
# custom role (or find a predefined role) that meets your needs.

# This role was granted after I logged in from my machine after running connect first:
# Connect-AzAccount -TenantId the-tenant-id-number

New-AzRoleAssignment -ObjectId 'xxxx' -Scope '/subscriptions/xxx-findit-under-subscriptions-or-use-ps1-to-get-it' -RoleDefinitionName contributor

New error:
Invoke-WebRequest : {"error":{"code":"InvalidValuesForRequestParameters","message":"Values for request parameters are invalid: signedExpiry."}}

# Well that is not strange:


# Set a valid date
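Putting the step and the two error fixes together, as an added example that is not the page's own upload_file.ps1: the script below runs on the VM, gets an ARM token from IMDS with the system-assigned identity, requests a short-lived service SAS from Resource Manager with a valid signedExpiry, and uploads helloworld.txt with the Az.Storage cmdlets. The subscription id and resource group are placeholders the page does not give.

```powershell
# Run on the VM (test-292-vmname) after the role assignment is in place.
# Placeholders: the page does not give the subscription id or resource group.
$subscriptionId = '<SUBSCRIPTION-ID>'
$resourceGroup  = '<RESOURCE-GROUP>'
$storageAccount = 'testit3straccount'
$container      = 'testmaidentity'

# 1. Get an ARM access token from the instance metadata service (IMDS) using the
#    VM's system-assigned identity. Only code on the VM can reach 169.254.169.254,
#    and the Metadata header keeps the request from being forwarded by a proxy.
$imds = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F'
$armToken = (Invoke-WebRequest -Uri $imds -Method GET -Headers @{ Metadata = 'true' } -UseBasicParsing).Content |
    ConvertFrom-Json | Select-Object -ExpandProperty access_token

# 2. Ask Resource Manager for a service SAS. signedExpiry must be a UTC time in the
#    future, otherwise ARM answers InvalidValuesForRequestParameters: signedExpiry.
#    Keep the SAS short-lived and limited to the one container and the permissions
#    the upload needs (r = read, c = create, w = write).
$expiry = (Get-Date).ToUniversalTime().AddHours(1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$sasRequest = @{
    canonicalizedResource = "/blob/$storageAccount/$container"
    signedResource        = 'c'
    signedPermission      = 'rcw'
    signedProtocol        = 'https'
    signedExpiry          = $expiry
} | ConvertTo-Json

$listSasUri = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$storageAccount/listServiceSas/?api-version=2017-06-01"
try {
    $sasResponse = Invoke-WebRequest -Uri $listSasUri -Method POST -Body $sasRequest `
        -ContentType 'application/json' -Headers @{ Authorization = "Bearer $armToken" } -UseBasicParsing
} catch {
    # AuthorizationFailed here means the identity lacks
    # Microsoft.Storage/storageAccounts/listServiceSas/action on this storage account.
    throw "listServiceSas failed: $($_.ErrorDetails.Message)"
}
$sasToken = ($sasResponse.Content | ConvertFrom-Json).serviceSasToken

# 3. Use the SAS (not the ARM token) with the Az.Storage cmdlets to upload the file.
#    With the older Azure.Storage module the cmdlets are New-AzureStorageContext and
#    Set-AzureStorageBlobContent instead.
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -SasToken $sasToken
Set-AzStorageBlobContent -File '.\helloworld.txt' -Container $container -Blob 'helloworld.txt' -Context $ctx -Force
```

Granting Contributor at subscription scope, as done above, is far broader than the single listServiceSas/action the call needs; scoping the assignment to the storage account itself keeps the VM identity from reaching other resources.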


Powershell result

Blob(s) uploaded in Azure

Final script

azure-arm-104/upload_file.ps1 at master · spawnmarvel/azure-arm-104 · GitHub