The Managed Identities for Azure Resources feature is a free service with Azure Active Directory. Formerly known as Managed Service Identity, Managed Identities for Azure Resources first appeared in services such as Azure Functions a couple of years ago. Much more recently, though, Azure Copy (AzCopy) has gained support for Azure Virtual Machines Managed Identity. This negates the need to get and manage SAS keys or certificates, and even the need to install and use the AzureRM or AzRM PowerShell modules. It makes copying files between a virtual machine and Azure Storage Accounts super easy.
The documentation is pretty generic, so here are the steps for using Azure Virtual Machines Managed Identity with AzCopy.
- Download AzCopy and put AzCopy.exe into the c:\windows\system32 directory on your Windows host so it is in your system path
Enable Managed Identity for an Azure Virtual Machine
Using the Azure Portal, locate the Windows Azure Virtual Machine you want to use AzCopy with and enable System assigned Managed Identity under the Identity option.
Also using the Azure Portal, locate the Storage Account you will be copying data to/from and, under Access Control (IAM), add the Virtual Machine you will be using to perform the copies with a Role Assignment of Storage Blob Data Contributor (for Write Access; Copy To) or Storage Blob Data Reader (for Read Access; Copy From).
Authorize the Azure Virtual Machine
From within the Virtual Machine where you copied AzCopy.exe to the system32 directory, and which you gave permissions to the Storage Account, perform the following one-time setup:
azcopy login
Open a web browser, copy and paste the https://microsoft.com/devicelogin URL
Enter the code from the command window into the Code dialog in the login window
Sign in with an Admin account to authorise the VM
Setup is now complete
Using AzCopy to login to Azure with VM Managed Identity
Simply type:
azcopy login --identity
The VM is now authenticated to Azure using AzCopy
Copy a file to the Storage Account we gave the VM permissions to:
azcopy cp sourcefile destination
e.g.
azcopy cp F:\SOFTWARE\Backups\MIM\09-07-2019-08-25.zip https://mystorageaccount.blob.core.windows.net/Configs/09-07-2019-08-25.zip
In a Script
With the setup all done for the VM and the permissions on the storage account, we can now use these commands in a script:
azcopy login --identity
azcopy cp sourceFilePath destinationfile
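The two commands above wrapped for unattended use, as an added example that is not from the original post: it stops on a failed login or copy instead of continuing silently, and refuses a destination URL that carries a query string (such as a SAS token) so the script stays credential-free. The helper name Invoke-AzCopy and the parameter names are assumptions made for this example.

```powershell
# Added example (not from the original post): upload one file with the VM's
# system-assigned Managed Identity and fail loudly if any step goes wrong.
param(
    [Parameter(Mandatory)] [string] $SourceFilePath,   # local file to upload
    [Parameter(Mandatory)] [string] $DestinationUrl    # https://<account>.blob.core.windows.net/<container>/<blob>
)

$ErrorActionPreference = 'Stop'

# Hypothetical helper: run azcopy and turn a non-zero exit code into a
# terminating error so a scheduled task reports the failure.
function Invoke-AzCopy {
    param([Parameter(Mandatory)] [string[]] $Arguments)
    & azcopy @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "azcopy $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# AzCopy must be on the system path, as set up earlier in the post.
if (-not (Get-Command azcopy -ErrorAction SilentlyContinue)) {
    throw 'azcopy was not found on the system path.'
}

if (-not (Test-Path -LiteralPath $SourceFilePath -PathType Leaf)) {
    throw "Source file not found: $SourceFilePath"
}

# Only plain HTTPS blob URLs are accepted. A query string would mean a SAS
# token has crept into the script, which Managed Identity makes unnecessary.
$uri = [System.Uri] $DestinationUrl
if ($uri.Scheme -ne 'https' -or $uri.Query) {
    throw 'Destination must be an https URL without a query string.'
}

# Authenticate as the VM, copy, and always drop the cached login afterwards.
Invoke-AzCopy -Arguments @('login', '--identity')
try {
    Invoke-AzCopy -Arguments @('cp', $SourceFilePath, $DestinationUrl)
}
finally {
    & azcopy logout | Out-Null
}
```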
Summary
Using AzCopy in conjunction with Managed Identity, we can seamlessly copy files to and from Azure Storage without worrying about storing credentials or managing certificates.