Tutorial`:` Use managed identity to access Azure Storage using SAS credential – Azure AD – Microsoft Entra | Microsoft Docs

Vm is deployed with this script (good to test all ARM templates over and over again)

azure-arm-104/deploy_vm.ps1 at master · spawnmarvel/azure-arm-104 · GitHub

So the VM is ready

We deployed it in a secure extrenal vnet and subnet with its own security group on the subnet.

So this bypasses all rules that was deployed automatic in the NSG for VM, test-292-nsg

So to use RDP we must create a new rule in the securitygroup.

Get my ip:

What Is My IP? Quickly See My IP Address and My IP Location

Add only that ip is sourcre for RDP

Now we are in:

Enabling a system-assigned managed identity is a one-click experience. You can either enable it during the creation of a VM or in the properties of an existing VM.

Successfully registered ‘test-292-vmname’ with Azure Active Directory.

The Blob container in a storage account step is already ready, its is an old storage account.

We will just create a container for this test and name it testmaidentity. We keep all default settings and security.

Upload a local file helloworld.txt to the container

Now for the fun

Grant access

Navigate back to the storage account.

Select Access control (IAM).

Select Add > Add role assignment to open the Add role assignment page.

And we see our VM, now add it and review + create

test-292-vmname was added as Storage Blob Data Reader for testit3straccount.

Now lets use Powershell for accessing the container

For the step:

(Be sure to install the Azure Storage cmdlets first, using Install-Module Azure.Storage if not present (it was present on win server 2019))

I meet a few errors:

Invoke-WebRequest : {"error":{"code":"AuthorizationFailed","message":"The client 'xxxxx' with object id 'xxxx' does not have authorization to 
perform action 'Microsoft.Storage/storageAccounts/listServiceSas/action' over scope 

# You need to go to you subscription and grant objectid 'xxx' contributor permissions (easy way) or create a 
# custom role (or figure predefined role) that meets your needs.

# This role was granted after I logged in from my machine after running connect first:
# Connect-AzAccount -TenantId the-tenant-id-number

New-AzRoleAssignment -ObjectId 'xxxx' -Scope '/subscriptions/xxx-findit-under-subscriptions-or-use-ps1-to-get-it' -RoleDefinitionName contributor

New error
Invoke-WebRequest : {"error":{"code":"InvalidValuesForRequestParameters","message":"Values for request parameters are invalid: signedExpiry."}}

# Well that is not strange:


# Set a valid date


Powershell result

Blob(s) uploaded in Azure

Final script

azure-arm-104/upload_file.ps1 at master · spawnmarvel/azure-arm-104 · GitHub