| title | description | services | documentationcenter | author | manager | tags | ms.assetid | ms.service | ms.workload | ms.tgt_pltfrm | ms.devlang | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Use MSI in Azure Cloud Shell | Microsoft Docs |
Authenticate code with MSI in Azure Cloud Shell |
azure |
jluk |
timlt |
azure-resource-manager |
azure |
infrastructure-services |
vm-linux |
na |
article |
04/14/2018 |
juluk |
Azure Cloud Shell supports authorization with Managed Service Identities (MSI). Utilize this to retrieve access tokens to securely communicate with Azure services.
A common challenge when building cloud applications is how to securely manage the credentials that need to be in your code for authenticating to cloud services. In Cloud Shell you may need to authenticate retrieval from Key Vault for a credential that a script may need.
Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
Execute the following commands to set your MSI access token as an environment variable, access_token.
response=$(curl http://localhost:50342/oauth2/token --data "resource=https://management.azure.com/" -H Metadata:true -s)
access_token=$(echo $response | python -c 'import sys, json; print (json.load(sys.stdin)["access_token"])')
echo The MSI access token is $access_token
The local MSI subsystem caches tokens. Therefore, you can call it as often as you like, and an on-the-wire call to Azure AD results only if:
- a cache miss occurs due to no token in the cache
- the token is expired
If you cache the token in your code, you should be prepared to handle scenarios where the resource indicates that the token is expired.
To handle token errors, visit the MSI page about curling MSI access tokens.