ARM MSI Apis
Suwat Ch edited this page Aug 31, 2017 · 13 revisions
A resource can be assigned an identity (Managed Service Identity, or MSI), in much the same way that an AAD application can create a service principal. This identity can be given RBAC access to other resources in the same AAD tenant. The resource can then acquire a bearer token to access those authorized resources.
For Azure WebApps, the resource is a webapp. The MSI can be provisioned for a webapp as follows.
```
ARMClient.exe put "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{site}?api-version=2015-02-01" @payload.json
```
Example payload.json:
```
{
  "location": "{location}",
  "properties": { },
  "identity": {
    "Type": "SystemAssigned"
  }
}
```
Once this is done, two additional environment variables (MSI_ENDPOINT and MSI_SECRET) become available to the webapp. Use https://{scm_uri}/Env.cshtml to verify that they are set.
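As an added example (not code from this page or from the Kudu project), here is one way webapp code can use the two variables to acquire a bearer token while keeping MSI_SECRET out of URLs. The `resource` and `api-version=2017-09-01` query parameters, the `Secret` request header and the `access_token`/`expires_on` response fields are assumptions taken from the App Service token endpoint, not from this page; the endpoint and secret in the dry run are constructed values.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumption (not stated on this page): the App Service token endpoint takes
# "resource" and "api-version" query parameters and a "Secret" header.
API_VERSION = "2017-09-01"


def build_token_request(resource, env=os.environ):
    """Build the MSI token request without putting the secret in the URL."""
    endpoint = env.get("MSI_ENDPOINT")
    secret = env.get("MSI_SECRET")
    if not endpoint or not secret:
        raise RuntimeError("MSI_ENDPOINT/MSI_SECRET missing: identity not provisioned")
    if urllib.parse.urlsplit(endpoint).scheme not in ("http", "https"):
        raise ValueError("MSI_ENDPOINT is not an HTTP(S) URL")
    query = urllib.parse.urlencode({"resource": resource, "api-version": API_VERSION})
    sep = "&" if "?" in endpoint else "?"
    # The secret travels only as a header, so it stays out of URL-based logs.
    return urllib.request.Request(endpoint + sep + query, headers={"Secret": secret})


def parse_token_response(body):
    """Return (access_token, expires_on); fail closed when no token is present."""
    doc = json.loads(body)
    token = doc.get("access_token")
    if not token:
        raise ValueError("token response has no access_token")
    return token, doc.get("expires_on")


def get_token(resource, env=os.environ):
    """Fetch a bearer token for `resource`; only works inside the webapp."""
    with urllib.request.urlopen(build_token_request(resource, env), timeout=5) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed values for a dry run outside Azure; no request is sent.
    fake_env = {"MSI_ENDPOINT": "http://127.0.0.1:41000/MSI/token/",
                "MSI_SECRET": "constructed-secret"}
    print(build_token_request("https://management.azure.com/", fake_env).full_url)
```

Treat MSI_SECRET like any other credential: anyone who can read the webapp's environment, including through the Env.cshtml page above, can request tokens as the webapp's identity.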