ARM MSI Apis
A resource can be assigned an identity (Managed Service Identity, or MSI) in the same way that an AAD application can create a service principal. This identity can be granted RBAC access to other resources in the same AAD tenant. The resource can then acquire a bearer token to access those authorized resources.
For Azure WebApps, the resource is a webapp. The MSI can be provisioned for a webapp as follows.
ARMClient.exe put "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{site}?api-version=2015-02-01" @payload.json
Example payload.json below
{
    "location": "{location}",
    "properties": { },
    "identity": {
        "Type": "SystemAssigned"
    }
}
Once done, two additional environment variables (MSI_ENDPOINT and MSI_SECRET) will be available to the webapp. Use https://{scm_uri}/Env.cshtml to verify. The webapp uses these variables to get an MSI token.
It is a typical HTTP GET call to MSI_ENDPOINT. MSI_ENDPOINT is a local endpoint whose port is ACL-ed, meaning the call can only be made from within the webapp. Sample code can be found here. Simply compile it and copy the resulting GetMSIToken.exe to the Kudu Console and run it. The console should display the JWT token as well as other metadata.
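As an added example (not the page's GetMSIToken sample), the same token call in Python: it builds the GET request to MSI_ENDPOINT and then checks the returned token's audience and expiry before handing it on. The query and header shape (`api-version=2017-09-01`, a `secret` header carrying MSI_SECRET) is assumed from the App Service MSI protocol and is not stated on this page; the sample response used for the offline run is constructed and carries no real signature.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

# Assumed App Service MSI request shape (not stated on this page):
#   GET {MSI_ENDPOINT}?resource=...&api-version=2017-09-01   header: secret: {MSI_SECRET}
MSI_API_VERSION = "2017-09-01"


def build_msi_request(endpoint, secret, resource):
    """Return (url, headers) for the local MSI_ENDPOINT token call."""
    query = urllib.parse.urlencode({"resource": resource, "api-version": MSI_API_VERSION})
    return f"{endpoint}?{query}", {"secret": secret}


def decode_jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_response(body, resource, now=None):
    """Parse the MSI JSON response and confirm the token is usable for `resource`."""
    now = time.time() if now is None else now
    data = json.loads(body)
    claims = decode_jwt_claims(data["access_token"])
    if claims.get("aud") != resource:  # token minted for a different resource
        raise ValueError(f"token audience {claims.get('aud')!r} != requested {resource!r}")
    if int(data["expires_on"]) <= now:  # stale token, do not cache or reuse
        raise ValueError("token already expired")
    return {"aud": claims["aud"], "expires_on": int(data["expires_on"]),
            "type": data.get("token_type")}


def get_msi_token(resource):
    """Fetch and validate a token from MSI_ENDPOINT (only reachable inside the webapp)."""
    url, headers = build_msi_request(os.environ["MSI_ENDPOINT"], os.environ["MSI_SECRET"], resource)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return check_token_response(resp.read().decode(), resource)


def sample_msi_response(resource, expires_on):
    """Constructed sample response (unsigned token) so the checks can be run offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    token = f"{b64({'alg': 'none'})}.{b64({'aud': resource, 'exp': expires_on})}.sig"
    return json.dumps({"access_token": token, "expires_on": str(expires_on),
                       "resource": resource, "token_type": "Bearer"})
```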