Azure/AzureAuth

Support for user-assigned managed identity

linanqiu opened this issue · 4 comments

Azure supports both system assigned managed identity and user assigned managed identity. In the CLI, they work as follows (from the Azure CLI's help):

    Log in using a VM's system assigned identity
        az login --identity


    Log in using a VM's user assigned identity. Client or object ids of the service identity also
    work
        az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microso
        ft.ManagedIdentity/userAssignedIdentities/myID

Currently get_managed_token seems to only support the first. Is user-assigned managed identity supported? If so, how can I access it? If not, happy to put in a PR if you point me in a general direction.

User-assigned identities currently aren't supported, but should be easy to add. PRs are always welcome!

Actually, you should be able to use a user-assigned identity right now, by setting the client_id, object_id and resource_id in the token_args argument:

get_managed_token("resource", token_args=list(
  object_id="guid",
  client_id="guid",
  mi_res_id="/subscriptions/subid/resourcegroups/resgrp/{...}"
))

Making this more convenient will be a bit tricky, since retrieving the client and object IDs from the resource ID means talking to the Resource Manager endpoint, which requires AzureRMR, which depends on AzureAuth... I'm not sure if it's worth the trouble.

Correction: supply only one of object_id, client_id and mi_res_id. I'll update the docs to mention this.
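The following is an added example, not code from the issue thread or from the AzureAuth package itself. It wraps AzureAuth's exported `get_managed_token(resource, token_args, ...)` so that the "only one identifier" rule from the correction above is checked client-side before any request goes to the managed identity endpoint; the wrapper name `get_user_assigned_token` and the placeholder GUID and resource path are assumptions.

```r
# Added example (not from the AzureAuth issue thread or the package):
# a thin wrapper around AzureAuth::get_managed_token() that enforces
# "exactly one of client_id, object_id, mi_res_id" before calling the
# managed identity endpoint, so a misconfigured call fails fast and
# locally instead of with an opaque error from the token service.
library(AzureAuth)

get_user_assigned_token <- function(resource,
                                    client_id = NULL,
                                    object_id = NULL,
                                    mi_res_id = NULL,
                                    ...)
{
    # Collect whichever identifiers the caller supplied.
    ids <- list(client_id = client_id, object_id = object_id, mi_res_id = mi_res_id)
    ids <- ids[!vapply(ids, is.null, logical(1))]

    # The endpoint selects the user-assigned identity from a single
    # identifier; supplying zero or several is a configuration error.
    if (length(ids) != 1)
        stop("Supply exactly one of client_id, object_id or mi_res_id (got ",
             length(ids), ")", call. = FALSE)

    # Everything in token_args is forwarded as a query parameter to the
    # managed identity endpoint alongside 'resource'.
    get_managed_token(resource, token_args = ids, ...)
}

# Usage on a VM with a user-assigned identity attached.
# Values below are placeholders; the mi_res_id form follows the path
# shape shown in the Azure CLI help earlier in this thread.
if (FALSE) {
    tok <- get_user_assigned_token(
        "https://management.azure.com/",
        client_id = "00000000-0000-0000-0000-000000000000")

    tok2 <- get_user_assigned_token(
        "https://management.azure.com/",
        mi_res_id = paste0("/subscriptions/<subscriptionId>/resourcegroups/myRG/",
                           "providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID"))

    # Supplying two identifiers is rejected before any network call.
    tryCatch(
        get_user_assigned_token("https://management.azure.com/",
                                client_id = "guid", object_id = "guid"),
        error = function(e) message("rejected: ", conditionMessage(e)))
}
```

The check is deliberately done in the wrapper rather than relying on the endpoint to complain, which keeps the failure mode visible in R and avoids sending contradictory identifiers to the token service.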

Thank you so much, this is perfect.