The Managed Identities for Azure Resources feature is a free service with Azure Active Directory. Formerly known as Managed Service Identity, Managed Identities for Azure Resources first appeared in services such as Azure Functions a couple of years ago. Much more recently, Azure Copy (AzCopy) added support for Azure Virtual Machines Managed Identity. This negates the need to get and manage SAS keys or certificates, and even the need to install and use the AzureRM or AzRM PowerShell modules. This makes copying files between a virtual machine and Azure Storage Accounts super easy.

The documentation is pretty generic, so here are the steps for using Azure Virtual Machines Managed Identity with AzCopy.

  • Download AzCopy and put AzCopy.exe into the c:\windows\system32 directory on your Windows host so it is in your system path

Enable Managed Identity for an Azure Virtual Machine

Using the Azure Portal, locate the Windows Azure Virtual Machine you want to use AzCopy with and enable System assigned Managed Identity under the Identity option.

Also using the Azure Portal, locate the Storage Account you will be copying data to/from. Under Access Control (IAM), add the Virtual Machine you will be using to perform the copies, with a Role Assignment of Storage Blob Data Contributor (for Write Access; Copy To) or Storage Blob Data Reader (for Read Access; Copy From).

Authorize the Azure Virtual Machine

From within the Virtual Machine where you copied AzCopy.exe to the system32 directory, and which you gave permissions to the Storage Account, perform the following one-time setup:

azcopy login

Open a web browser, then copy and paste the https://microsoft.com/devicelogin URL into it

Enter the code from the command window into the Code dialog in the login window

Sign in with an Admin account to authorise the VM

Setup is now complete

Using AzCopy to login to Azure with VM Managed Identity

Simply type;

azcopy login --identity

The VM is now authenticated to Azure using AzCopy

Copy a file to the Storage Account we gave the VM permissions to;

azcopy cp sourcefile destination

e.g.

azcopy cp F:\SOFTWARE\Backups\MIM\09-07-2019-08-25.zip https://mystorageaccount.blob.core.windows.net/Configs/09-07-2019-08-25.zip

In a Script

With the setup all done for the VM and the permissions on the storage account, we can now use these commands in a script;

azcopy login --identity
azcopy cp sourceFilePath destinationfile
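
The two commands above, wrapped so that an unattended run fails loudly instead of silently skipping the copy. This is an added example, not part of the original post; the parameter names and the checks around the commands are assumptions, and only azcopy login --identity, azcopy cp and azcopy logout are used.

```powershell
# Added example (not from the original post).
# Usage, with the post's own sample values:
#   .\Copy-WithManagedIdentity.ps1 `
#       -SourceFile 'F:\SOFTWARE\Backups\MIM\09-07-2019-08-25.zip' `
#       -DestinationUrl 'https://mystorageaccount.blob.core.windows.net/Configs/09-07-2019-08-25.zip'
param(
    [Parameter(Mandatory)] [string] $SourceFile,      # hypothetical parameter name
    [Parameter(Mandatory)] [string] $DestinationUrl   # hypothetical parameter name
)

# Fail early if azcopy is not in the system path on this VM.
if (-not (Get-Command azcopy -ErrorAction SilentlyContinue)) {
    throw 'azcopy was not found in the system path.'
}

if (-not (Test-Path -LiteralPath $SourceFile -PathType Leaf)) {
    throw "Source file not found: $SourceFile"
}

# The point of Managed Identity is that no secret travels with the script.
# Reject plain HTTP and any URL with a query string (where a SAS token would sit).
if ($DestinationUrl -notmatch '^https://' -or $DestinationUrl -match '\?') {
    throw 'DestinationUrl must be an https:// blob URL without a query string.'
}

# Authenticate as the VM's system assigned identity.
# A non-zero exit code here usually means the identity is not enabled on the VM.
azcopy login --identity
if ($LASTEXITCODE -ne 0) {
    throw "azcopy login --identity failed with exit code $LASTEXITCODE."
}

try {
    # A failure here with a valid login typically points at a missing or
    # not-yet-propagated role assignment on the Storage Account.
    azcopy cp $SourceFile $DestinationUrl
    if ($LASTEXITCODE -ne 0) {
        throw "azcopy cp failed with exit code $LASTEXITCODE."
    }
}
finally {
    # Drop the cached login so later processes on the VM do not inherit it.
    azcopy logout | Out-Null
}
```

Run it under the account that the scheduled task or service will use, so the exit codes you see in testing match what the unattended job will see.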

Summary

Using AzCopy in conjunction with Managed Identity we can seamlessly copy files to and from Azure Storage without worrying about storing credentials or managing certificates.
